Bug#522281: certtool does not ask for a key's passphrase if it is using a template
Simon Josefsson
simon at josefsson.org
Thu Jun 11 09:14:29 UTC 2009
severity 522281 wishlist
thanks
Matthew King <matthew.king at monnsta.net> writes:
> Package: gnutls-bin
> Version: 2.4.2-6+lenny1
>
> If you attempt to use a pkcs8 private key with a template file, and that
> template file does not specify the passphrase, certtool exits with an
> error:
>
> certtool: importing --load-privkey: ca-key.pem: Decryption has failed.
>
> I am not sure which is worse - putting the passphrase in the template
> file or asking questions in batch mode, but the patch to allow the
> latter is simple:
>
> --- src/certtool-cfg.c~ 2008-09-15 21:04:19.000000000 +0100
> +++ src/certtool-cfg.c 2009-04-02 11:40:57.000000000 +0100
> @@ -301,7 +301,7 @@
> const char *
> get_pass (void)
> {
> - if (batch)
> + if (batch && !(cfg.password == NULL || *cfg.password == '\0'))
> return cfg.password;
> else
> return getpass ("Enter password: ");
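Review bot: the new condition in `+ if (batch && !(cfg.password == NULL || *cfg.password == '\0'))` treats an explicitly empty password in the template the same as a missing one, so both now fall through to `getpass ("Enter password: ")` and a template that deliberately sets an empty password will block on terminal input in batch mode. If only the unset case should prompt, `if (batch && cfg.password != NULL)` is enough; if the empty-string case is meant to prompt as well, the double negative reads more clearly as `cfg.password != NULL && *cfg.password != '\0'`. Either way, the change makes batch mode interactive, which the `batch` flag exists to prevent, so the behaviour change deserves a comment above the `if`.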
Thanks for the report, and sorry for the long delay in responding.
I believe an error message in this situation is reasonable: the reason
for the template mode is to avoid interactive questions. It would be
wrong to ask questions for missing data in a template.
Specifying a password in a template file is a security concern, but
other files on Unix systems contain passwords and private keys so it is
a well understood problem. It is possible to protect these files using
a restricted file mode.
> Possibly the if clause could be extended so that an option can be added
> to specify that the batch process really is non-interactive (or,
> alternatively, that the batch process can be interrupted to ask for the
> passphrase if necessary).
I think that would be complex, but I don't rule it out completely.
I'm changing the severity of this bug to wishlist, for future pondering
whether something like that can be implemented.
/Simon