Bug#503833: libgnutls26: doesn't handle firefox-exported .p12 certs
dann frazier
dannf at debian.org
Tue Oct 28 14:56:09 UTC 2008
Package: libgnutls26
Version: 2.4.2-1
Severity: normal
I'm a novice when it comes to dealing with certificates, so don't
hesitate to let me know if this bug is missing some important
information.
There's a long-open bug reported against subversion, #480041. This
appears to have surfaced when subversion began using libneon26-gnutls
instead of openssl for PKCS12 certs.
I took a shot at debugging this, and it looks like the problem first arises
when libgnutls calls into libtasn1-3 to decode the ASN.1-encoded
PKCS12 file.
asn1_der_decoding() eventually bails out, causing an error to be
propagated up the stack.
troyh and I think we've found a way to simplify the demonstration of
this problem outside of subversion by using certtool:
1) Follow the instructions for creating a pkcs12 cert that google
found for me on this page:
http://hausheer.osola.com/docs/9
2) Run:
$ certtool --p12-info --infile /tmp/client.p12 --inraw
(To demonstrate that we can process this cert)
3) Import the cert into iceweasel (aka firefox)
4) Use the "backup" feature in iceweasel to dump the cert back out to
another .p12 file
5) Run:
$ certtool --p12-info --infile /tmp/backup.p12 --inraw
This time, we see an error:
date size is 1822
certtool: p12_import: ASN1 parser: Error in TAG.
Obviously, this doesn't prove that this is a bug in gnutls. It could
very well be that firefox is exporting a bad cert. However, openssl
seems to handle the firefox-exported certs just fine, as seen in:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480041#130
That suggests to me that this bug likely lies either in gnutls or
libtasn.
I'm filing a new bug instead of reassigning the subversion one because
subversion could theoretically fix the problem by reverting back to
openssl.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: ia64
Kernel: Linux 2.6.26-1-mckinley (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libgnutls26 depends on:
ii libc6.1 2.7-15 GNU C Library: Shared libraries
ii libgcrypt11 1.4.1-1 LGPL Crypto library - runtime libr
ii libgpg-error0 1.4-2 library for common error values an
ii libtasn1-3 1.5-1 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
libgnutls26 recommends no packages.
Versions of packages libgnutls26 suggests:
ii gnutls-bin 2.4.2-1 the GNU TLS library - commandline
-- no debconf information
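An added diagnostic, not part of the report above and not gnutls or libtasn1 code: a small ASN.1 TLV walker that reads a file such as the exported .p12 once as strict DER and once as lenient BER, so you can see at which byte offset and tag a DER-only decoder gives up. The report does not say what the decoding difference between the two .p12 files is; one well-known reason a DER-only decoder rejects a file that another library accepts is BER-only encoding such as indefinite lengths, and the walker reports exactly that case. The sample bytes are constructed here (a SEQUENCE holding an INTEGER and an OCTET STRING, once with a definite and once with an indefinite length); the file path on the command line is whatever you want to inspect.

```python
"""Minimal ASN.1 BER/DER walker for locating where a strict DER parser stops.

Added example for diagnosing "ASN1 parser: Error in TAG" style failures;
it is not the gnutls/libtasn1 implementation. Only single-byte tags are
handled, which covers the outer PKCS#12 PFX structure.
"""
import sys

# Names for the handful of universal tags seen at the top of a PFX blob.
TAG_NAMES = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x06: "OID",
             0x30: "SEQUENCE", 0x31: "SET", 0xA0: "[0]"}


def read_tag(buf, i):
    """Return (tag_byte, constructed_flag, next_index)."""
    t = buf[i]
    if t & 0x1F == 0x1F:
        raise ValueError("multi-byte tag at offset %d not supported" % i)
    return t, bool(t & 0x20), i + 1


def read_length(buf, i):
    """Return (length, next_index); length is None for indefinite-length (BER only)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    if first == 0x80:
        return None, i
    n = first & 0x7F
    if i + n > len(buf):
        raise ValueError("long-form length overruns buffer at offset %d" % (i - 1))
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_tlv(buf, i, depth, out, strict):
    """Parse one TLV starting at buf[i]; append (depth, offset, tag, length) nodes.

    Returns the index just past this element. With strict=True, any BER-only
    construct (indefinite length) raises ValueError naming the offset.
    """
    off = i
    tag, constructed, i = read_tag(buf, i)
    length, i = read_length(buf, i)
    if length is None:
        if strict:
            raise ValueError("indefinite length at offset %d is not valid DER" % off)
        if not constructed:
            raise ValueError("indefinite length on primitive tag at offset %d" % off)
        out.append((depth, off, tag, None))
        # Children run until an end-of-contents marker (00 00).
        while True:
            if i + 2 > len(buf):
                raise ValueError("missing end-of-contents for element at offset %d" % off)
            if buf[i] == 0 and buf[i + 1] == 0:
                return i + 2
            i = parse_tlv(buf, i, depth + 1, out, strict)
    end = i + length
    if end > len(buf):
        raise ValueError("length of element at offset %d overruns buffer" % off)
    out.append((depth, off, tag, length))
    if constructed:
        j = i
        while j < end:
            j = parse_tlv(buf, j, depth + 1, out, strict)
        if j != end:
            raise ValueError("children overrun parent at offset %d" % off)
    return end


def walk(buf, strict=False):
    """Walk every top-level TLV in buf and return the list of nodes."""
    out, i = [], 0
    while i < len(buf):
        i = parse_tlv(buf, i, 0, out, strict)
    return out


def diagnose(buf):
    """Compare a strict DER walk with a lenient BER walk of the same bytes."""
    try:
        return {"der_ok": True, "error": None, "nodes": len(walk(buf, strict=True))}
    except ValueError as e:
        try:
            lenient = len(walk(buf, strict=False))
        except ValueError:
            lenient = None  # malformed even as BER
        return {"der_ok": False, "error": str(e), "nodes": lenient}


# Constructed samples: SEQUENCE { INTEGER 3, OCTET STRING "ab" }, definite and indefinite.
DER_SAMPLE = bytes.fromhex("30 07 02 01 03 04 02 61 62")
BER_SAMPLE = bytes.fromhex("30 80 02 01 03 04 02 61 62 00 00")

if __name__ == "__main__":
    # usage: python3 p12walk.py /tmp/backup.p12
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BER_SAMPLE
    print(diagnose(data))
    for depth, off, tag, length in walk(data):
        print("%s%04x: %s len=%s" % ("  " * depth, off,
                                      TAG_NAMES.get(tag, "tag 0x%02x" % tag), length))
```

If the strict walk fails but the lenient one succeeds, the file is BER rather than DER and the reported offset tells you which element carries the BER-only encoding; if both fail, the file is damaged at the reported offset regardless of which library reads it.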