Page MenuHome GnuPG
Create Task
Maniphest T6752

New minip12 does not import from Firefox anymore
Closed, ResolvedPublic
Actions

Description

Trying to import the attached file to gpgsm v2.4.3 fails.

gpgsm --debug x509 --import ov-user-ff.p12
...
gpgsm: DBG: p12_parse(tlv_next): ti.class=0 tag=16 len=0 nhdr=2  cons ndef
gpgsm: p12_parse(pfxVersion): offset 1.0 (tlv_next): Erfolg - Erfolg
...

The tlv_next before tlv_expect_integer returns 03003FFF (GPG_ERR_EOF, I guess?).
https://dev.gnupg.org/source/gnupg/browse/master/sm/minip12.c;gnupg-2.4.3$2379

Further down, parse_ber_header gets called with length = 0.
https://dev.gnupg.org/source/gnupg/browse/master/common/tlv.c$173

Could it be a problem with ASN.1 sequences of indefinite length that FF uses? Apparently tlv->ndef is set correctly, but a check (between those two lines?) may be missing.

Background:
The attached file is ov-user.p12 from the test suite, which has gone through Firefox (Settings > Security > Certificates... > Import... (pw: start), then Save...).

ov-user-ff.p122 KBDownload

Details

Version
gpgsm (GnuPG) 2.4.3, libgcrypt 1.10.2, libksba 1.6.4

Revisions and Commits

rG GnuPG
rG7661d2fbc6eb sm: Another partly rewrite of minip12.c
rG08f0b9ea2e95 sm: Another partly rewrite of minip12.c
rG5601f5db9862 gpgsm: Improvements for NDEF in the pkcs#12 parser

Related Objects
Search...

Event Timeline

wenzehan created this task.Oct 9 2023, 12:45 AM
werner triaged this task as Normal priority.Oct 10 2023, 9:37 AM
werner added projects: gnupg24, S/MIME.
werner claimed this task.Oct 10 2023, 10:06 AM
werner added a comment.Oct 10 2023, 11:13 AM

Yes, there is clearly a problem with the handling of NDEF. I have a fix for that but there are other oddities in that pkcs12 object. Do you have the Firefox version you used to create this?

werner mentioned this in rG5601f5db9862: gpgsm: Improvements for NDEF in the pkcs#12 parser.Oct 10 2023, 11:42 AM
werner added a commit: rG5601f5db9862: gpgsm: Improvements for NDEF in the pkcs#12 parser.
wenzehan added a comment.Oct 10 2023, 1:22 PM

115.3.1esr

werner mentioned this in T6757: gpgsm 2.4 Fails to import P12 certificate/key.Oct 16 2023, 1:22 PM
werner added a subtask: T6757: gpgsm 2.4 Fails to import P12 certificate/key.
lecris added a subscriber: lecris.Oct 16 2023, 2:19 PM
werner added a commit: rG08f0b9ea2e95: sm: Another partly rewrite of minip12.c.Oct 24 2023, 9:29 AM
werner added a commit: rG7661d2fbc6eb: sm: Another partly rewrite of minip12.c.Oct 24 2023, 9:33 AM
werner changed the task status from Open to Testing.Oct 24 2023, 2:16 PM
werner mentioned this in T6536: Extend P12 parser for ShroudedKeyBag inside a CertBag.
werner moved this task from Backlog to QA on the gnupg24 board.
zablockil mentioned this in T6940: gpgsm: .p12 AES-256-CBC support.Jan 15 2024, 6:43 PM
werner closed subtask T6757: gpgsm 2.4 Fails to import P12 certificate/key as Resolved.Jan 24 2024, 11:36 AM
werner closed this task as Resolved.Jan 24 2024, 11:40 AM

The test file is now part of our test suite and passes.

werner moved this task from QA to gnupg-2.4.4 on the gnupg24 board.Jan 24 2024, 11:40 AM
werner edited projects, added gnupg24 (gnupg-2.4.4); removed gnupg24.
lecris reopened subtask T6757: gpgsm 2.4 Fails to import P12 certificate/key as Open.Jan 30 2024, 9:17 AM
werner closed subtask T6757: gpgsm 2.4 Fails to import P12 certificate/key as Resolved.Jun 6 2024, 12:05 PM
aheinecke mentioned this in T7213: PKCS #12 import fails on broken P12 files which MS accepts.Jul 23 2024, 9:13 AM