PKCS #12 import fails on broken P12 files which MS accepts
Closed, Resolved, Public

Description

This is a ticket for the report regarding PKCS#12 import we received on the 11th July by mail.

According to gniibe:

The issues here are:

  • By new gpgsm/mini12.c, enclosed PKCS#7 data in PKCS#12 is not (yet) correctly handled (while older mini12.c apparently did that).
  • Related function and data are common/tlv-parser.c:cram_octet_string and tlv->bufferlist, but tlv->bufferlist is not (yet) used in the code.

Additionally, according to the customer, the old import/export workaround with Firefox also does not work in this case. T6752 ("New minip12 does not import from Firefox anymore") might be related?

Event Timeline

aheinecke created this task.

The data looks garbled:

 0 NDEF: SEQUENCE {
 2    1:   INTEGER 3
 5 NDEF:   SEQUENCE {
 7    9:     OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
18 NDEF:     [0] {
20 NDEF:       OCTET STRING {
22 1000:         OCTET STRING, encapsulates {
26 NDEF:           SEQUENCE {
28 NDEF:             SEQUENCE {
30    9:               OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
41 NDEF:               [0] {
43 NDEF:                 OCTET STRING {
45 1000:                   OCTET STRING
       :                     30 82 07 A4 30 82 07 A0 06 0B 2A 86 48 86 F7 0D

The octet string at offset 45 has a length of 1000 but it is included in a container of length 1000 at offset 22. That does not work.
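The nesting in the dump above (indefinite-length constructed OCTET STRINGs wrapping fixed-size chunks) can be reassembled with a bounds check at every level. The following is an added example, not GnuPG's `cram_octet_string` or any code from this ticket; `ber_header`, `flatten_octets` and the sample byte strings are hypothetical names and constructed data, and the code goes slightly beyond the dump by also handling definite-length constructed strings.

```c
#include <stddef.h>
#include <string.h>

/* Parse one BER header (single-byte tags only). Returns header size, 0 on error. */
static size_t ber_header(const unsigned char *p, size_t n, size_t *len, int *ndef)
{
    size_t i, k;
    *len = 0; *ndef = 0;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;
    if (p[1] == 0x80) { *ndef = 1; return (p[0] & 0x20) ? 2 : 0; } /* NDEF: constructed only */
    if (p[1] < 0x80) { *len = p[1]; return 2; }
    k = p[1] & 0x7f;
    if (k > 4 || n < 2 + k) return 0;
    for (i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return 2 + k;
}

/* Flatten a primitive (0x04) or constructed (0x24) OCTET STRING at p into out, rejecting
   any element that claims more bytes than its container has left. Start with depth 0. */
int flatten_octets(const unsigned char *p, size_t n, int depth, size_t *used,
                   unsigned char *out, size_t outsize, size_t *outlen)
{
    size_t len, h, off, end, u;
    int ndef;
    h = ber_header(p, n, &len, &ndef);
    if (!h || depth > 16 || (p[0] != 0x04 && p[0] != 0x24)) return -1;
    if (!ndef && len > n - h) return -1;      /* does not fit in the container */
    if (p[0] == 0x04) {                       /* primitive chunk: append it */
        if (len > outsize - *outlen) return -1;
        memcpy(out + *outlen, p + h, len);
        *outlen += len; *used = h + len;
        return 0;
    }
    off = h; end = ndef ? n : h + len;
    for (;;) {
        if (ndef) {
            if (end - off < 2) return -1;     /* missing end-of-contents */
            if (!p[off] && !p[off + 1]) { off += 2; break; }
        } else if (off == end) break;
        if (flatten_octets(p + off, end - off, depth + 1, &u, out, outsize, outlen)) return -1;
        off += u;
    }
    *used = off;
    return 0;
}

/* Constructed samples: OK yields "abc"; BAD has a 3-byte container holding a 5-byte element. */
const unsigned char SAMPLE_OK[]  = {0x24,0x80, 0x24,0x06, 0x04,1,'a', 0x04,1,'b', 0x04,1,'c', 0,0};
const unsigned char SAMPLE_BAD[] = {0x24,0x80, 0x24,0x03, 0x04,3,'a','b','c', 0,0};
```

`SAMPLE_BAD` is a scaled-down version of the inconsistency described above: the inner element's header plus content is larger than the definite-length container around it, so the function returns -1 instead of reading past the container.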

werner renamed this task from "PKCS #12 import fails with enclosed PKCS#7 data inside" to "PKCS #12 import fails on broken P12 files which MS accepts". Jul 23 2024, 2:22 PM

The garbled data might be due to a bug in dumpasn1 (version 2021-02-12).

Alright. Done for master; backport will come soon.

werner changed the task status from Open to Testing. Aug 7 2024, 11:25 AM
werner moved this task from Backlog to QA on the gnupg22 board.

I don't think that we can do much manual testing here because we have all test cases anyway in the regression test suite and our local non-public regression tests (which have the p12 files we are not allowed to publish).

This patch has a new fix for T5793 which is now only used where needed.

ebo claimed this task.
ebo added a subscriber: ebo.

Did a quick manual test import and encryption/decryption with VS-Desktop-3.2.93.1-Beta with the relevant test-X509 certificate.
Works as expected.

ebo edited projects, added gnupg22 (gnupg-2.2.44); removed gnupg22.