
mutt/2456: some S/MIME smime_keys.pl add_p12 failures



>Number:         2456
>Notify-List:    
>Category:       mutt
>Synopsis:       some S/MIME smime_keys.pl add_p12 failures
>Confidential:   no
>Severity:       minor
>Priority:       low
>Responsible:    mutt-dev
>State:          open
>Keywords:       
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 30 12:06:14 +0200 2006
>Originator:     Alain Bench <veronatif@xxxxxxx>
>Release:        1.5.13
>Organization:
>Environment:
>Description:

Hello,

    The S/MIME helper Perl script smime_keys.pl has some small problems,
needing Perl skilled helpers.

 -1) add_p12 creates and unlinks temp files in the directory of the pkcs12
original certificates. It could destroy an important file unluckily named
something.pem, or fail if read-only:

| $ ./smime_keys add_p12 readonly-keys-container/cert.p12
|
| NOTE: This will ask you for two passphrases:
|       1. The passphrase you used for exporting
|       2. The passphrase you wish to secure your private key with.
|
| Error opening output file readonly-keys-container/cert.p12.pem
| readonly-keys-container/cert.p12.pem: Permission denied
| '/usr/bin/openssl pkcs12 -in readonly-keys-container/cert.p12 -out \
| readonly-keys-container/cert.p12.pem' returned 256 at ./smime_keys line 111.


 -2) Fails when filenames have spaces:

| $ ./smime_keys add_p12 "My certificate.p12"
|
| NOTE: This will ask you for two passphrases:
|       1. The passphrase you used for exporting
|       2. The passphrase you wish to secure your private key with.
|
| Usage: pkcs12 [options]
| where options are
    [snip OpenSSL options]
| '/usr/bin/openssl pkcs12 -in My certificate.p12 -out My certificate.p12.pem' \
| returned 256 at ./smime_keys line 111.


 -3) Fails when the p12 file contains only the client cert (and private
key). It may seem a justified failure: lacking a path to the root CA. But the
issuer's cert is in fact present in the database, in both
.smime/certificates and ca-bundle.

| $ ./smime_keys add_p12 simple.p12
|
| NOTE: This will ask you for two passphrases:
|       1. The passphrase you used for exporting
|       2. The passphrase you wish to secure your private key with.
|
| Enter Import Password:
| MAC verified OK
| Enter PEM pass phrase:
| Verifying - Enter PEM pass phrase:
| Couldn't identify root certificate!
| No root and no intermediate certificates. Can't continue. at ./smime_keys line 662.


 -4) The /usr/bin/openssl command path is hardcoded. It fails if OpenSSL
is installed in /usr/local/bin/ or elsewhere.


 -5) Verification of a database certificate against a revocation list
fails (grep returns non-0 when there is no match):

| $ ./smime_keys verify 12345678.0 revoke.x509
|
| ==> about to verify certificate of email@xxxxxxxxxxx
|
| /tmp/.smime/certificates/12345678.0: OK
| '/usr/bin/openssl crl -text -noout -in revoke.x509 | grep -A1 123456789ABCDEF123456789ABCDEF12
| ' returned 256 at ./smime_keys line 875, <INDEX> chunk 1.


Bye!    Alain.
>How-To-Repeat:
>Fix:
>Add-To-Audit-Trail:

>Unformatted:
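
One way to avoid the failures in items 1, 2, 4 and 5 of the report, written in Perl because smime_keys is a Perl script. This is an added example, not code from smime_keys.pl or from the report; the sub names (find_openssl, p12_to_pem, serial_is_revoked), the temp-file naming and the assumed "Serial Number:" line in the `openssl crl -text` output are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of smime_keys.pl. All sub names are hypothetical.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Item 4: search PATH for openssl instead of hardcoding /usr/bin/openssl.
sub find_openssl {
    for my $dir (File::Spec->path) {
        my $exe = File::Spec->catfile($dir, 'openssl');
        return $exe if -f $exe && -x _;
    }
    die "openssl not found in PATH\n";
}

# Items 1 and 2: write the PEM into a private temp directory (mode 0700,
# removed at exit) so nothing next to the .p12 is created or unlinked, and
# pass the arguments as a list so no shell ever splits the file name.
sub p12_to_pem {
    my ($openssl, $p12) = @_;
    my $dir = tempdir('smime_keys.XXXXXX', TMPDIR => 1, CLEANUP => 1);
    my $pem = File::Spec->catfile($dir, 'import.pem');
    system($openssl, 'pkcs12', '-in', $p12, '-out', $pem) == 0
        or die "openssl pkcs12 failed for '$p12' (status $?)\n";
    return $pem;
}

# Item 5: match the serial in Perl rather than trusting grep's exit status.
# Returns 1 if the CRL lists the serial, 0 if not; dies only if openssl fails.
sub serial_is_revoked {
    my ($openssl, $crl, $serial) = @_;
    $serial =~ s/\s+//g;    # drop stray whitespace or a trailing newline
    open(my $fh, '-|', $openssl, 'crl', '-text', '-noout', '-in', $crl)
        or die "cannot run openssl: $!\n";
    my $hit = 0;
    while (my $line = <$fh>) {
        $hit = 1 if $line =~ /Serial Number:\s*\Q$serial\E\s*$/i;
    }
    close($fh) or die "openssl crl failed for '$crl' (status $?)\n";
    return $hit;
}

# Usage: perl example.pl "My certificate.p12"
if (@ARGV) {
    my $pem = p12_to_pem(find_openssl(), $ARGV[0]);
    printf "wrote %d bytes to %s (removed at exit)\n", -s $pem, $pem;
}
```

Item 3 (no root or intermediate certificate inside the p12) is not covered here, since it concerns how the script resolves the issuer rather than how it invokes openssl.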