Bugzilla – Bug 467437
openssl in openSuSE 11.1 does create wrong PKCS12 files
Last modified: 2011-01-27 16:33:58 UTC
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.5) Gecko/2008121300 SUSE/3.0.5-1.1 Firefox/3.0.5

Creating a PKCS12 file with OpenSSL from openSuSE 11.1 gives the following error message when importing under Windows:

ENGLISH error message:
The private key that you are importing might require a cryptographic service provider that is not installed on your system.

GERMAN error message:
Ein interner Fehler ist aufgetreten. Der private Schlüssel, den Sie importieren, erfordert möglicherweise einen Dienstanbieter, der nicht installiert ist.

I'm using OpenSSL (from openSuSE11.1) in the following way to create PKCS12 file for import by Windows users:

Reproducible: Always

Steps to Reproduce:
I call openssl the following way to create the PKCS12 file:

    openssl pkcs12 -export -passin file:passwordfile \
        -passout file:passwordfile -inkey private/hostKey.pem \
        -in certs/hostCert.pem -name "Certificat for Host" \
        -certfile certs/ca-certificate.pem -caname "Root CA" \
        -out host.p12

Actual Results:
On Windows one needs to double-click the file, enter the password and just click next till the error shows up.

Expected Results:
It should work without an error message.

Extracting the known good version from the previously installed SuSE 10.2 and calling openssl the following way (all files of the original RPM were extracted into one subdirectory):

    LD_LIBRARY_PATH=~/openssl-from-SuSE-10.2/ ~/openssl-from-SuSE-10.2/openssl ...

the created PKCS12 just works.
Created attachment 266073: Screenshot of Windows error message (GERMAN)
Compiling openssl-0.9.8j from source creates an openssl binary that also works.
Can you attach a sample good and a sample bad certificate?
STEPS TO REPRODUCE:
(all files contained in attachment bugreport-467437.tar.gz)

# echo 01 > serial
# rm -f index.txt
# touch index.txt
# cat ca-password
s7pks.fw
s7pks.fw
# cat user-password
1w551sn8
1w551sn8
# openssl req -config ./openssl.cnf -passout file:ca-password -x509 \
    -newkey rsa:2048 -days 3660 -keyout ca-private-key.pem -out ca-certificate.pem
# openssl req -config ./openssl.cnf -passout file:user-password \
    -newkey rsa:2048 -keyout user-private-key.pem -out user-request.pem
# openssl ca -config ./openssl.cnf -in user-request.pem \
    -passin file:ca-password -out user-certificate.pem -notext -days 730
# #---- CREATE FAULTY PKCS12 FILE ----#
# openssl pkcs12 -export -passin file:user-password \
    -passout file:user-password -inkey user-private-key.pem \
    -in user-certificate.pem -name "Certificate for TEST-User" \
    -certfile ca-certificate.pem -caname "Root Certificate" -out user.p12
# #---- CREATE CORRECT PKCS12 FILE ----#
# wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz{,.md5}
# tar xf openssl-0.9.8j.tar.gz
# cd openssl-0.9.8j
# ./config
# make
# make test
# cd ..
# openssl-0.9.8j/apps/openssl pkcs12 -export -passin file:user-password \
    -passout file:user-password -inkey user-private-key.pem \
    -in user-certificate.pem -name "Certificate for TEST-User" \
    -certfile ca-certificate.pem -caname "Root Certificate" -out user2.p12
# #---- TESTING ----#

Then copy both files to a Windows machine, double click on each file, enter the password and always click "Next", "Yes" or "Finish". With "user.p12" Windows will complain while it will import "user2.p12" without problems.
Created attachment 266084: bugreport-467437.tar.gz
Just confirming this is a problem for me too, it appears to be a bug in libcrypto.so, affecting the command "openssl pkcs12".

0.9.8g is fine.
0.9.8h is buggy.
0.9.8k is fine.

Interestingly, in my case, the .p12 file generated by 0.9.8h is two bytes longer than the other versions.

-----Nick
Just confirming this is a problem for me too, I will confirm the submitted patches.
If func-parm-err.patch is not applied, openssl will crash when creating the pkcs12 file (this issue may have been introduced by the version update). With this patch applied, it does not crash, but the pkcs file seems buggy.
The SWAMPID for this issue is 30095. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/30095)
If we fix it in package openssl-0.9.8h, there is too much code to update. Is it feasible to update the openssl package from 0.9.8h to version 0.9.8k?
The general policy is to avoid version updates.
Yes, it works. So we use this patch, not upstream's patch.
I will check upstream and find a patch completely compatible with upstream.
Use the patch from comment#16 and delete bug#430141's patch; it's the least change and fixes both bug#430141 and bug#467437. Will be submitted soon.
Submitted to sle11 and 11.1.
Update released for: libopenssl-devel, libopenssl0_9_8, openssl, openssl-debuginfo, openssl-debugsource, openssl-doc Products: openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64)
Released for 11.1.
Looks like your sle11 submission got lost :-( The currently submitted package for sle11 lacks this fix. Also, could you include the fix for sle11sp1?
OK, will be submitted.
Submitted to sle11 and sle11sp1.
Submitted to 11.1. This issue does not affect 11.0 and sle10. Thanks.
Fixed, please confirm and close it.
Fixed long ago, close it.