[gnutls-dev] [gnutls-cvs PATCH] Fix handling of PKCS#12 and contents without apassphrase

Anton Altaparmakov aia21 at cam.ac.uk
Tue Sep 27 16:44:42 CEST 2005 

Hi Nikos,

On Tue, 2005-09-27 at 16:05 +0200, Nikos Mavrogiannopoulos wrote:
> On Tuesday 27 September 2005 11:34, Anton Altaparmakov wrote:
> > Hi,
> > Gnutls has bugs when handling PKCS#12 files and their contents when
> > they do not have a passphrase.
> > OpenSSL's "openssl pkcs12" utility worked fine to load and dump those
> > PKCS#12 files which made me look into the gnutls source code and I managed
> > to find out what was going on after a log of debugging.  For example
> > gnutls didn't allow a 0 MPI which is perfectly valid.  Also it had no
> > concept of empty passwords (it assumed password = NULL means not encrypted
> > which is wrong) and finally it did not understand the difference between
> > password = NULL and password = "".
> > The below patch fixes all the above problems.  It is against the current
> > gnutls cvs (generated using "cvs diff").  Please apply.
> 
> Hello Anton,
>  Thank you for the patch. I've changed some things since some parts of gnutls 
> rely on this property of mpi_scan(). If the attached patch works for you I'll 
> apply it to the cvs.

Thanks for the quick response!

You missed a chunk of my patch in yours so your patch as it is does not
work.  But if you add the missing chunk it works fine.  (-:

Here is the missing chunk:

Index: lib/x509/privkey_pkcs8.c
===================================================================
RCS file: /cvs/gnutls/gnutls/lib/x509/privkey_pkcs8.c,v
retrieving revision 1.49
diff -u -p -r1.49 privkey_pkcs8.c
--- lib/x509/privkey_pkcs8.c	30 Aug 2005 10:46:08 -0000	1.49
+++ lib/x509/privkey_pkcs8.c	27 Sep 2005 09:03:56 -0000
@@ -810,7 +810,7 @@ int decode_private_key_info(const gnutls
   * @data: The DER or PEM encoded key.
   * @format: One of DER or PEM
   * @password: the password to decrypt the key (if it is encrypted).
-  * @flags: use 0.
+  * @flags: 0 if encrypted or GNUTLS_PKCS_PLAIN if not encrypted.
   *
   * This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key
   * to the native gnutls_x509_privkey_t format. The output will be stored in @key.
@@ -880,7 +880,7 @@ int gnutls_x509_privkey_import_pkcs8(gnu
 	need_free = 1;
     }
 
-    if (flags & GNUTLS_PKCS_PLAIN || password == NULL) {
+    if (flags & GNUTLS_PKCS_PLAIN) {
 	result = decode_private_key_info(&_data, key, &key->key);
     } else {			/* encrypted. */
 	result = decode_pkcs8_key(&_data, password, key, &key->key);

Best regards,

        Anton
-- 
Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/

More information about the Gnutls-devel mailing list