Unable to validate PKCS #12 files generated by pk12util

[edewata]

JSS can no longer validate PKCS #12 files generated by pk12util since recently pk12util was changed to use SHA-256 hash algorithm by default whereas JSS is still hard-coded to use SHA-1.

Steps to reproduce:

1. Install NSS 3.65 or later
2. Install PKI 10.11 or later
3. Create an NSS database:

$ pki client-init --force

4. Generate a CSR:

$ pki nss-cert-request \
    --subject "CN=Certificate Authority" \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --csr ca_signing.csr

5. Issue a certificate:

$ pki nss-cert-issue \
    --csr ca_signing.csr \
    --ext /usr/share/pki/server/certs/ca_signing.conf \
    --cert ca_signing.crt

6. Import the certificate:

$ pki nss-cert-import --cert ca_signing.crt --trust CT,C,C ca_signing

7. Export the certificate and key into a PKCS12 file:

$ pk12util -d ~/.dogtag/nssdb -o test.p12 -W Secret.123 -n ca_signing

8. Inspect the content of PKCS12 file:

$ pki --debug pkcs12-cert-find --pkcs12-file test.p12 --pkcs12-password Secret.123
...
java.lang.Exception: Unable to validate PKCS #12 file: Digests do not match
	at org.mozilla.jss.netscape.security.pkcs.PKCS12Util.loadFromByteArray(PKCS12Util.java:839)
	at org.mozilla.jss.netscape.security.pkcs.PKCS12Util.loadFromFile(PKCS12Util.java:825)
	at com.netscape.cmstools.pkcs12.PKCS12CertFindCLI.execute(PKCS12CertFindCLI.java:128)
	at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at org.dogtagpki.cli.CLI.execute(CLI.java:357)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:656)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:694)
...

Apparently the pk12util hash algorithm was changed in NSS 3.65 but the JSS hash algorithm is hard-coded in MacData class.

Ideally JSS should obtain the hash algorithm from the PKCS #12 file itself for better compatibility with other tools.

IIUC the hash algorithm can be obtained from DigestInfo.digestAlgorithm from the PFX object, but the MacData code above requires three different algorithm IDs:

• KeyGenAlgorithm.PBA_SHA1_HMAC
• HMACAlgorithm.SHA1
• DigestAlgorithm.SHA1

so there needs to be a mechanism to translate the DigestInfo.digestAlgorithm into the three algorithm IDs needed by MacData.

[edewata]

Here's a sample PKCS12 generated by NSS 3.67 on Fedora 33 (please unpack with gunzip):
test.p12.gz

[rjrelyea]

On 8/20/21 10:57 AM, Endi S. Dewata wrote: Here's a sample PKCS12 generated by NSS 3.67 on Fedora 33 (please unpack with |gunzip|): test.p12.gz <https://github.com/dogtagpki/jss/files/7023321/test.p12.gz>

FYI NSS 3.66/3.67 on RHEL7 and RHEL8 retain the old defaults for PKCS #12, but their pkutil can generate PKCS #12 with different hashes using the -M option. If you are curious, the original NSS patch to change the defaults is here: https://hg.mozilla.org/projects/nss/rev/0a1687e1b39eaf066ff01ecc9b2b1d4db65c6eb4 Decrypting with other than SHA1 hashes were already in the NSS code, but the changes to support encrypting with other than SHA1 hashes may hint at what changes you may need to make to JSS. bob

…

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#796 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEXMMSO57TTLBX22OAXTUG3T52JSJANCNFSM5BRTWQQA>. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email>.

[edewata]

https://bugzilla.redhat.com/show_bug.cgi?id=2017098

[fmarco76]

@edewata @cipherboy @jmagne

Looking at pk12util code (nss-3d83a07f913e) the default algorithm are defined in line 1045-1048 of :cmd/pk12util/pk12util.c

    SECOidTag cipher = SEC_OID_AESA_256_CBC;
    SECOidTag hash = SEC_OID_SHA256;
    SECOidTag certCipher = SEC_OID_AES_128_CBC;

I have tried to replace the algorithm in MacData.java to use these so I could after implement a switch depending on the digest algorithm identified in the origin p12 file.

For the hash it is not a problem but I cannot modify the cipher. I have tried modifying the KeyGenAlgorithm.java to include the new cipher but without success. I get different errors depending on the combination I try.

Additionally, in JSS we have the hash, the digest and the key algorithm, is correct to map KeyGen to the nss cipher and the digest to the certCipher? I have done many tests and start to get confused.

Finally, I have generated a pk12 with OpenSSL and it has different algorithm as default (certCicpher is AES_256_CBC). Is there a method tin JSS to get this information to choose the in reading right one? If not, is it possible to implement using nss api?

[edewata]

@fmarco76 I don't have an answer for that. I'd defer to the others.

[fmarco76]

#889 Fix this issue