PKCS12 Legacy export fails on Debian 12 #899

Open
oliwel opened this issue Nov 15, 2023 · 2 comments
oliwel commented Nov 15, 2023

Exporting a PKCS12 in "Legacy" format fails on Debian 12, very likely due to the default security policy not allowing the old algorithms:

```
OpenSSL error: Error creating PKCS12 structure for /var/tmp/openxpki110659HbJVu6ct
40873699117F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
40873699117F0000:error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:193:
40873699117F0000:error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127:
openssl pkcs12 -export -inkey /var/tmp/openxpki110659tY0t6PGI -in /var/tmp/openxpki1106594ASCfDsV -out /var/tmp/openxpki110659HbJVu6ct -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-RC2-40 -certfile /var/tmp/openxpki110659_FuZFsKz -passin env:pwd -passout env:p12pwd, __EXIT_STATUS__ => 256
```
oliwel self-assigned this Nov 15, 2023
oliwel added this to the 3.28 milestone Nov 15, 2023

oliwel commented Nov 20, 2023

Requires the -legacy parameter in the OpenSSL call

oliwel added a commit that referenced this issue Nov 20, 2023
Without the legacy flag the PBE-SHA1-RC2-40 is not available on OpenSSL 3.0
oliwel closed this as completed Dec 5, 2023
oliwel reopened this Dec 14, 2023

oliwel commented Dec 14, 2023

As OpenSSL <3.0 is not willing to perform when this flag is set, we need a solution that can support old and new openssl versions without adding too much magic dust :(

oliwel modified the milestones: 3.28, 3.30 Dec 14, 2023
oliwel added a commit that referenced this issue May 29, 2024
Fixes the regression bug for the PKCS12 legacy export option
If you run openssl 1.x and want to use the fixed algorithms
of the legacy option, you must pass PKCS12_LEGACY_NOFLAG.
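
One way to serve both OpenSSL generations from a single call site is to derive the flag from the `openssl version` banner. This is an added example, not OpenXPKI's own fix and not code from this issue; the function names `pkcs12_legacy_flag` and `export_legacy_p12` and the sample banners are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether `openssl pkcs12` needs -legacy for the
# PBE-SHA1-RC2-40 / PBE-SHA1-3DES export shown in the issue.

# Print "-legacy" for an OpenSSL 3.x (or later) banner, nothing otherwise.
# OpenSSL 1.x rejects the flag; banners from other implementations
# (e.g. "LibreSSL ...") and unparsable input get no flag rather than a guess.
pkcs12_legacy_flag() {
    banner=$1
    case $banner in
        "OpenSSL "*) ;;
        *) return 0 ;;
    esac
    version=${banner#OpenSSL }    # e.g. "3.0.11 19 Sep 2023"
    major=${version%%.*}          # e.g. "3"
    case $major in
        ''|*[!0-9]*) return 0 ;;  # not a plain number
    esac
    if [ "$major" -ge 3 ]; then
        printf '%s\n' "-legacy"
    fi
}

# Run the export with the algorithms from the failing call.
# Arguments (hypothetical): key file, certificate file, chain file, output file.
# Passwords come from the environment variables pwd and p12pwd, as in the issue.
export_legacy_p12() {
    key=$1 cert=$2 chain=$3 out=$4
    flag=$(pkcs12_legacy_flag "$(openssl version)")
    # $flag is left unquoted on purpose: it is empty or the single word -legacy.
    # shellcheck disable=SC2086
    openssl pkcs12 -export $flag \
        -inkey "$key" -in "$cert" -certfile "$chain" -out "$out" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-RC2-40 \
        -passin env:pwd -passout env:p12pwd
}

# Constructed sample banners (not captured from real hosts).
for b in "OpenSSL 1.1.1w  11 Sep 2023" "OpenSSL 3.0.11 19 Sep 2023" "LibreSSL 3.8.2"; do
    printf '%-30s -> [%s]\n' "$b" "$(pkcs12_legacy_flag "$b")"
done
```

PBE-SHA1-RC2-40 uses a 40-bit key, so this path is only appropriate when the importing system cannot read a PKCS12 file produced with current defaults.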