Open Bug 1693706 Opened 5 years ago Updated 2 years ago

pk12util cannot import or list PEM-encoded PKCS#12 files

Categories

(NSS :: Tools, enhancement, P5)

3.61
enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: dkg, Unassigned)

Details

(Whiteboard: [nss-nofx])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

I tried to list the contents of a PEM-encoded PKCS#12 object with pk12util. I'm using the "Alice" PKCS#12 object found in https://www.ietf.org/archive/id/draft-dkg-lamps-samples-05.html#name-pkcs12-object-for-alice (also attached here).

here's what i did:

pk12util -W alice -l alice.p12

Actual results:

pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode iterate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

Expected results:

it should have either detected that it was PEM-encoded (the "-----BEGIN PKCS12-----" header is a simple clue) and listed it anyway (e.g. by converting it to DER internally); or pk12util should have a flag like the "-a" flag for certutil (meaning something like "the input PKCS12 object is PEM-encoded ASCII").

This is similar to the Thunderbird issue #1693704 -- it's possible that both of these bugs could be fixed in the underlying library code.

Note that i can list the certificate just fine if i translate the PKCS#12 bundle to DER-encoded form first. The following two steps work fine:

grep -v ^- < alice.p12 | base64 -d >alice.p12.bin
pk12util -W alice -l alice.p12.bin

I've marked this issue as an enhancement (even though the Thunderbird issue is a defect) because i think the error messages here are clearer than Thunderbird's error messages (they at least mention the expectation of DER-encoding), and because pk12util is a power user tool so it's arguably less of a bug when it is less user-friendly.

Severity: -- → S4
Priority: -- → P5
Whiteboard: [nss-nofx]
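
Added example, not part of the original report and not NSS code: a shell helper that performs the PEM-to-DER workaround from the report more defensively, by detecting the "-----BEGIN PKCS12-----" marker, decoding only the lines between the markers, and checking that the result starts with the DER SEQUENCE tag. The names p12_to_der and first_byte are hypothetical.

```shell
# Added example; p12_to_der and first_byte are hypothetical helper names, not NSS tools.
first_byte() { head -c 1 "$1" | od -An -tx1 | tr -d ' \n'; }

# Write a DER copy of PKCS#12 file $1 to $2, accepting PEM or DER input.
p12_to_der() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "p12_to_der: cannot read $src" >&2; return 2; }
    # Look for the PEM marker first: a text file could also begin with
    # ASCII "0", which is the same byte (0x30) as the DER SEQUENCE tag.
    if grep -q '^-----BEGIN PKCS12-----' "$src"; then
        # Keep only the lines between the markers, so leading or trailing
        # text is ignored, drop the markers and any CRs, then decode.
        sed -n '/^-----BEGIN PKCS12-----/,/^-----END PKCS12-----/p' "$src" |
            grep -v '^-----' | tr -d '\r' | base64 -d > "$dst" ||
            { echo "p12_to_der: base64 decode failed" >&2; rm -f "$dst"; return 1; }
    else
        cp "$src" "$dst" || return 2
    fi
    # A PKCS#12 PFX is an ASN.1 SEQUENCE, so the DER must start with 0x30.
    if [ "$(first_byte "$dst")" != "30" ]; then
        echo "p12_to_der: $src is neither PEM nor DER PKCS#12" >&2
        rm -f "$dst"
        return 1
    fi
}

# Usage, with the file name and password from the report above:
#   p12_to_der alice.p12 alice.p12.bin && pk12util -W alice -l alice.p12.bin
```

The DER copy holds the same private key material as the original file, so write it to a location with equally restrictive permissions.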