mutt/2456: some S/MIME smime_keys.pl add_p12 failures
>Number: 2456
>Notify-List:
>Category: mutt
>Synopsis: some S/MIME smime_keys.pl add_p12 failures
>Confidential: no
>Severity: minor
>Priority: low
>Responsible: mutt-dev
>State: open
>Keywords:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 30 12:06:14 +0200 2006
>Originator: Alain Bench <veronatif@xxxxxxx>
>Release: 1.5.13
>Organization:
>Environment:
>Description:
Hello,
The S/MIME helper Perl script smime_keys.pl has some small problems,
needing Perl-skilled helpers.
-1) add_p12 creates and unlinks temp files in the directory of the pkcs12
original certificates. It could destroy an important file unluckily named
something.pem, or fail if read-only:
| $ ./smime_keys add_p12 readonly-keys-container/cert.p12
|
| NOTE: This will ask you for two passphrases:
| 1. The passphrase you used for exporting
| 2. The passphrase you wish to secure your private key with.
|
| Error opening output file readonly-keys-container/cert.p12.pem
| readonly-keys-container/cert.p12.pem: Permission denied
| '/usr/bin/openssl pkcs12 -in readonly-keys-container/cert.p12 -out \
| readonly-keys-container/cert.p12.pem' returned 256 at ./smime_keys line 111.
-2) Fails when filenames have spaces:
| $ ./smime_keys add_p12 "My certificate.p12"
|
| NOTE: This will ask you for two passphrases:
| 1. The passphrase you used for exporting
| 2. The passphrase you wish to secure your private key with.
|
| Usage: pkcs12 [options]
| where options are
[snip OpenSSL options]
| '/usr/bin/openssl pkcs12 -in My certificate.p12 -out My certificate.p12.pem' \
| returned 256 at ./smime_keys line 111.
-3) Fails when the p12 file contains only the client cert (and private
key). This may seem a justified failure, lacking a path to the root CA, but
the issuer's cert is in fact present in the database, in both
.smime/certificates and ca-bundle.
| $ ./smime_keys add_p12 simple.p12
|
| NOTE: This will ask you for two passphrases:
| 1. The passphrase you used for exporting
| 2. The passphrase you wish to secure your private key with.
|
| Enter Import Password:
| MAC verified OK
| Enter PEM pass phrase:
| Verifying - Enter PEM pass phrase:
| Couldn't identify root certificate!
| No root and no intermediate certificates. Can't continue. at ./smime_keys \
| line 662.
-4) The /usr/bin/openssl command path is hardcoded. It fails if OpenSSL
is installed in /usr/local/bin/ or elsewhere.
-5) Verification of a database certificate against a revocation list
fails (grep returns non-0 when there is no match):
| $ ./smime_keys verify 12345678.0 revoke.x509
|
| ==> about to verify certificate of email@xxxxxxxxxxx
|
| /tmp/.smime/certificates/12345678.0: OK
| '/usr/bin/openssl crl -text -noout -in revoke.x509 | grep -A1
| 123456789ABCDEF123456789ABCDEF12
| ' returned 256 at ./smime_keys line 875, <INDEX> chunk 1.
Bye! Alain.
>How-To-Repeat:
>Fix:
>Add-To-Audit-Trail:
>Unformatted:
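Items 1, 2, 4 and 5 of the report above come down to four script-level habits: building the openssl command line as one shell string (so a space in the filename splits it into two arguments), writing the scratch .pem next to the input file, hardcoding /usr/bin/openssl, and treating grep's "no match" exit status 1 as an error. The Perl below is an added illustration of hardened equivalents of the add_p12 conversion step and the CRL check; it is not code from mutt's smime_keys.pl and does not cover item 3 (locating the issuer certificate in the store). The OPENSSL environment variable, the function names and the assumed output formats ("Serial Number:" lines from `openssl crl -text`, a "serial=" line from `openssl x509 -serial`) are this example's own.

```perl
#!/usr/bin/perl
# Added example (not mutt's smime_keys.pl): hardened versions of the
# add_p12 conversion step and the CRL serial check from the report.
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;
use File::Temp qw(tempdir);

# Item 4: look openssl up on PATH instead of hardcoding /usr/bin/openssl.
# The OPENSSL environment variable (this example's convention) overrides.
sub find_openssl {
    return $ENV{OPENSSL} if defined $ENV{OPENSSL} && -x $ENV{OPENSSL};
    for my $dir (File::Spec->path()) {
        my $candidate = File::Spec->catfile($dir, 'openssl');
        return $candidate if -x $candidate;
    }
    die "openssl not found in PATH (set OPENSSL=/path/to/openssl)\n";
}

# Item 2: run commands in list form. No shell is involved, so
# "My certificate.p12" stays a single argument. Returns the exit code.
sub run {
    my @cmd = @_;
    my $status = system(@cmd);
    die "failed to execute $cmd[0]: $!\n" if $status == -1;
    return $status >> 8;
}

# Item 1: write the PEM into a private temp directory (mode 0700, removed
# at exit) instead of next to the .p12, so a read-only source directory or
# an existing <name>.pem beside it is never touched.
sub p12_to_pem {
    my ($p12) = @_;
    my $tmpdir = tempdir(CLEANUP => 1);
    my $pem    = File::Spec->catfile($tmpdir, basename($p12) . '.pem');
    my $rc = run(find_openssl(), 'pkcs12', '-in', $p12, '-out', $pem);
    die "openssl pkcs12 failed on '$p12' (exit $rc)\n" if $rc != 0;
    return $pem;    # use it before the program exits and the directory goes away
}

# Compare serials case-insensitively, ignoring colons and leading zeros.
sub normalize_serial {
    my $s = lc shift;
    $s =~ s/://g;
    $s =~ s/^0+(?=.)//;
    return $s;
}

# Serial of a certificate, via "openssl x509 -serial" (prints "serial=HEX").
sub cert_serial {
    my ($cert) = @_;
    open(my $fh, '-|', find_openssl(), 'x509', '-noout', '-serial', '-in', $cert)
        or die "cannot start openssl x509: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh) or die "openssl x509 failed on '$cert' (exit " . ($? >> 8) . ")\n";
    $out =~ /^serial=([0-9A-Fa-f]+)/m
        or die "no serial found in openssl output for '$cert'\n";
    return normalize_serial($1);
}

# Item 5: read "openssl crl -text" in-process instead of piping it to grep,
# so "not revoked" is an ordinary false result and only a failing openssl
# (unreadable or malformed CRL) is an error. The pipe is drained fully
# rather than closed early, so the exit status reflects openssl, not SIGPIPE.
sub serial_revoked {
    my ($crl, $serial) = @_;
    my $want = normalize_serial($serial);
    open(my $fh, '-|', find_openssl(), 'crl', '-text', '-noout', '-in', $crl)
        or die "cannot start openssl crl: $!\n";
    my $found = 0;
    while (my $line = <$fh>) {
        next unless $line =~ /^\s*Serial Number:\s*([0-9A-Fa-f:]+)/;
        $found = 1 if normalize_serial($1) eq $want;
    }
    close($fh) or die "openssl crl failed on '$crl' (exit " . ($? >> 8) . ")\n";
    return $found;
}

# Usage:  smime_check.pl add_p12 "My certificate.p12"
#         smime_check.pl verify  /path/to/12345678.0 revoke.x509
my ($cmd, @args) = @ARGV;
if (defined $cmd && $cmd eq 'add_p12' && @args == 1) {
    my $pem = p12_to_pem($args[0]);
    print "converted; PEM at $pem (private temp dir, removed at exit)\n";
} elsif (defined $cmd && $cmd eq 'verify' && @args == 2) {
    my ($cert, $crl) = @args;
    my $serial = cert_serial($cert);
    print "$cert (serial $serial): ",
        (serial_revoked($crl, $serial) ? "REVOKED" : "not in CRL"), "\n";
} else {
    die "usage: $0 add_p12 FILE.p12 | verify CERT CRL\n";
}
```

The two points that matter most for a script that handles private keys are the list-form system()/open() calls, which remove the shell from the picture entirely, and the 0700 temp directory, which keeps the decrypted PEM out of a directory other users may be able to read or write.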