Bug 467437

Summary:	openssl in openSuSE 11.1 does create wrong PKCS12 files
Product:	[openSUSE] openSUSE 11.1	Reporter:	Friedrich Lobenstock <fl>
Component:	Security	Assignee:	Guan Jun He <gjhe>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P3 - Medium	CC:	fl, lnussel, nick, security-team
Version:	Final
Target Milestone:	---
Hardware:	i686
OS:	openSUSE 11.1
Whiteboard:	maint:running:30095 maint:released:11.1:30343
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	Screenshot of Windows error message (GERMAN) bugreport-467437.tar.gz

Description Friedrich Lobenstock 2009-01-19 21:00:32 UTC

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.5) Gecko/2008121300 SUSE/3.0.5-1.1 Firefox/3.0.5

Creating a PKCS12 file with OpenSSL from openSuSE 11.1 gives the following 
error message when importing under Windows:

ENGLISH error message:
  The private key that you are importing might require a cryptographic 
  service provider that is not installed on your system. 

GERMAN error message:
  Ein interner Fehler ist aufgetreten. Der private Schlüssel, den Sie
  importieren, erfordert möglicherweise einen Dienstanbieter, der nicht
  installiert ist. 

I'm using OpenSSL (from openSuSE11.1) in the following way to create PKCS12
file for import by Windows users:


Reproducible: Always

Steps to Reproduce:
I call openssl the following way to create the PKCS12 file:

  openssl pkcs12 -export -passin file:passwordfile \
  -passout file:passwordfile -inkey private/hostKey.pem \
  -in certs/hostCert.pem -name "Certificat for Host" \
  -certfile certs/ca-certificate.pem -caname "Root CA" \
  -out host.p12


Actual Results:  
On Windows one needs to double-click the file, enter the password 
and just click next till the error shows up.

Expected Results:  
It should work without an error message

Extracting the know good version from the previously installed SuSE 10.2
and calling openssl the following way (all files of the original RPM where
extracted into on subdirectory):

LD_LIBRARY_PATH=~/openssl-from-SuSE-10.2/ ~/openssl-from-SuSE-10.2/openssl ...

the created PKCS12 just works.

Comment 1 Friedrich Lobenstock 2009-01-19 21:04:59 UTC

Created attachment 266073 [details]
Screenshot of Windows error message (GERMAN)

Comment 2 Friedrich Lobenstock 2009-01-19 21:42:00 UTC

Compiling openssl-0.9.8j from source creates an openssl binary that also works.

Comment 3 Marcus Meissner 2009-01-19 22:37:28 UTC

can you attach a sample good and a sample bad certificate?

Comment 4 Friedrich Lobenstock 2009-01-19 23:26:21 UTC

STEPS TO REPRODUCE: (all files contained in attachment bugreport-467437.tar.gz) 

# echo 01 > serial
# rm -f index.txt
# touch index.txt
# cat ca-password
s7pks.fw
s7pks.fw
# cat user-password
1w551sn8
1w551sn8
# openssl req -config ./openssl.cnf -passout file:ca-password -x509 \
   -newkey rsa:2048 -days 3660 -keyout ca-private-key.pem -out ca-certificate.pem
# openssl req -config ./openssl.cnf -passout file:user-password \
   -newkey rsa:2048 -keyout user-private-key.pem -out user-request.pem
# openssl ca -config ./openssl.cnf -in  user-request.pem \
   -passin file:ca-password -out user-certificate.pem -notext -days 730

# #---- CREATE FAULTY PKCS12 FILE ----#

# openssl pkcs12 -export -passin file:user-password \
   -passout file:user-password -inkey user-private-key.pem \
   -in user-certificate.pem -name "Certificate for TEST-User" \
   -certfile ca-certificate.pem -caname "Root Certificate" -out user.p12

# #---- CREATE CORRECT PKCS12 FILE ----#

# wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz{,.md5}
# tar xf openssl-0.9.8j.tar.gz
# cd openssl-0.9.8j
# ./config
# make
# make test
# cd ..
# openssl-0.9.8j/apps/openssl pkcs12 -export -passin file:user-password \
   -passout file:user-password -inkey user-private-key.pem \
   -in user-certificate.pem -name "Certificate for TEST-User" \
   -certfile ca-certificate.pem -caname "Root Certificate" -out user2.p12

# #---- TESTING ----#

Then copy both files to a Windows machine, double click on each file, 
enter the password and always click "Next", "Yes" or "Finish". 

With "user.p12" Windows will complain while it will import "user2.p12" 
without problems.

Comment 5 Friedrich Lobenstock 2009-01-19 23:27:32 UTC

Created attachment 266084 [details]
bugreport-467437.tar.gz

Comment 6 Nick Moore 2009-04-23 07:08:06 UTC

Just confirming this is a problem for me too, it appears to be a bug in libcrypto.so, affecting the command "openssl pkcs12 

0.9.8g is fine.
0.9.8h is buggy.
0.9.8k is fine.

Interestingly, in my case, the .p12 file generated by 0.9.8h is two bytes longer than the other versions.

-----Nick

Comment 8 Guan Jun He 2009-06-15 09:11:07 UTC

Just confirming this is a problem for me too, I will confirm the submitted patches.

Comment 9 Guan Jun He 2009-06-16 08:06:52 UTC

if don't apply func-parm-err.patch, to create the pkcs2 file,openssl will crash(this issuse maybe introduced from the version update)
if with this patch applied,it does not crash,but the pkcs file seems buggy.

Comment 10 Guan Jun He 2009-06-16 08:08:57 UTC

if don't apply func-parm-err.patch, to create the pkcs2 file,openssl will
crash(this issuse maybe introduced from the version update)
if with this patch applied,it does not crash,but the pkcs file seems buggy.

Comment 13 Swamp Workflow Management 2010-01-12 09:23:42 UTC

The SWAMPID for this issue is 30095.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/30095)

Comment 14 Guan Jun He 2010-01-19 08:57:53 UTC

If fix it in package openssl-0.9.8h,there is two much code to update.
Is it feasable to update the openssl package from 0.9.8h to version 0.9.8k?

Comment 15 Ludwig Nussel 2010-01-19 09:11:34 UTC

the general policy is to avoid version updates.

Comment 17 Guan Jun He 2010-01-19 11:08:45 UTC

yes,it works.
so we use this patch,not upstream's patch.

Comment 22 Guan Jun He 2010-01-20 04:24:46 UTC

I will check the upstream,and find out a patch completly compatible with upstream.

Comment 23 Guan Jun He 2010-01-20 05:09:05 UTC

use patch from comment#16,and delete  bug#430141 's patch,it's the least change,fix both  bug#430141 and bug#467437.
will be submitted soon.

Comment 24 Guan Jun He 2010-01-20 06:05:25 UTC

sumitted to sle11 and 11.1.

Comment 26 Swamp Workflow Management 2010-01-22 13:23:05 UTC

Update released for: libopenssl-devel, libopenssl0_9_8, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc
Products:
openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)

Comment 27 Ludwig Nussel 2010-01-22 14:03:06 UTC

released for 11.1

Comment 28 Ludwig Nussel 2010-03-08 08:57:30 UTC

looks like your sle11 submission got lost :-( The currently submitted package for sle11 lacks this fix. Also, could you include the fix for sle11sp1?

Comment 29 Guan Jun He 2010-03-09 08:56:04 UTC

ok,will be submitted.

Comment 30 Guan Jun He 2010-03-10 03:26:14 UTC

submitted to sle11 and sle11sp1.

Comment 31 Guan Jun He 2010-03-23 06:49:43 UTC

submitted to 11.1.

this issuse does not affect 11.0 and sle10.

thanks.

Comment 32 Guan Jun He 2010-09-25 05:42:03 UTC

fixed,please confirm and close it.

Comment 33 Guan Jun He 2010-09-25 06:13:14 UTC

fixed long ago, close it.