Package: libgnutls26
Version: 2.4.2-1
Severity: normal

I'm a novice when it comes to dealing with certificates, so don't
hesitate to let me know if this bug is missing some important
information.

There's a long-open bug reported against subversion, #480041. This
appears to have surfaced when subversion began using libneon26-gnutls
instead of openssl for PKCS12 certs.

I took a shot at debugging this, and it looks like the problem first arises
when libgnutls calls into libtasn1-3 to decode the ASN.1-encoded
PKCS12 file.

asn1_der_decoding() eventually bails out, causing an error to be
propagated up the stack.

troyh and I think we've found a way to simplify the demonstration of
this problem outside of subversion by using certtool:

1) Follow the instructions for creating a pkcs12 cert that google
   found for me on this page:
     http://hausheer.osola.com/docs/9
2) Run:
     $ certtool --p12-info --infile /tmp/client.p12  --inraw
   (To demonstrate that we can process this cert)
3) Import the cert into iceweasel (aka firefox)
4) Use the "backup" feature in iceweasel to dump the cert back out to
   another .p12 file
5) Run:
    $ certtool --p12-info --infile /tmp/backup.p12  --inraw
   This time, we see an error:
     date size is 1822
     certtool: p12_import: ASN1 parser: Error in TAG.

Obviously, this doesn't prove that this is a bug in gnutls. It could
very well be that firefox is exporting a bad cert. However, openssl
seems to handle the firefox-exported certs just fine, as seen in:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480041#130
That suggests to me that this bug likely lies either in gnutls or
libtasn.

I'm filing a new bug instead of reassigning the subversion one because
subversion could theoretically fix the problem by reverting back to
openssl.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: ia64

Kernel: Linux 2.6.26-1-mckinley (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6.1                2.7-15            GNU C Library: Shared libraries
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libtasn1-3             1.5-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
ii  gnutls-bin                    2.4.2-1    the GNU TLS library - commandline 

-- no debconf information
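
A triage aid for the failure described in this report, added here and not part of the original bug report or of gnutls/libtasn1: a strict DER structure walker that returns the byte offset and reason of the first encoding violation, which helps tell a non-DER export apart from a defect in the decoder behind asn1_der_decoding(). The function names and sample byte strings are constructed for illustration; the walker does not descend into OCTET STRING payloads and decrypts nothing.

```python
class DerError(ValueError): pass    # args = (byte offset, reason)

def read_header(buf, pos, end):
    """Parse tag+length at pos; return (first tag byte, content start, content length)."""
    start = pos
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:                  # high-tag-number form
        while pos < end and buf[pos] & 0x80:
            pos += 1
        pos += 1                            # final tag byte
    if pos >= end:
        raise DerError(start, "truncated before length")
    first, pos = buf[pos], pos + 1
    if first == 0x80:
        raise DerError(pos - 1, "indefinite length (BER, not DER)")
    length = first
    if first > 0x80:                        # long form: next n bytes hold the length
        n = first & 0x7F
        if first == 0xFF or pos + n > end:
            raise DerError(pos - 1, "reserved or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError(pos - 1, "non-minimal length encoding")
        pos += n
    if pos + length > end:
        raise DerError(start, "content overruns enclosing element")
    return tag, pos, length

def walk(buf, pos=0, end=None, depth=0):    # returns [(offset, depth, tag, length)]
    end = len(buf) if end is None else end
    nodes = []
    while pos < end:
        tag, cstart, clen = read_header(buf, pos, end)
        nodes.append((pos, depth, tag, clen))
        if tag & 0x20:                      # constructed: descend into the children
            nodes += walk(buf, cstart, cstart + clen, depth + 1)
        pos = cstart + clen
    return nodes

def first_problem(buf):
    try:
        walk(buf)
    except DerError as e:
        return e.args                       # (offset, reason) of the first violation
    return None

GOOD = bytes.fromhex("3006020103040100")          # constructed: SEQUENCE { INTEGER 3, OCTET STRING 00 }
BER_INDEFINITE = bytes.fromhex("30800201030000")  # constructed: same SEQUENCE, indefinite length
TRUNCATED = bytes.fromhex("3006020103")           # constructed: SEQUENCE cut short
```

To check a real file, call `first_problem(open(path, "rb").read())`; a `None` result only means the outer TLV structure is valid DER, not that the PKCS#12 contents are.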



