Re: [Mutt] #2456: some S/MIME smime_keys.pl add_p12 failures
#2456: some S/MIME smime_keys.pl add_p12 failures
----------------------------------------------+-----------------------------
Reporter: Alain Bench <veronatif@xxxxxxx> | Owner: mutt-dev
Type: defect | Status: new
Priority: trivial | Milestone:
Component: crypto | Version: 1.5.13
Resolution: | Keywords:
----------------------------------------------+-----------------------------
Changes (by pdmef):
* component: mutt => crypto
Old description:
> {{{
>
> Hello,
>
> The S/MIME helper Perl script smime_keys.pl has some small problems,
> needing Perl-skilled helpers.
>
> -1) add_p12 creates and unlinks temp files in the directory of the pkcs12
> original certificates. It could destroy an important file unluckily named
> something.pem, or fail if the directory is read-only:
>
> | $ ./smime_keys add_p12 readonly-keys-container/cert.p12
> |
> | NOTE: This will ask you for two passphrases:
> | 1. The passphrase you used for exporting
> | 2. The passphrase you wish to secure your private key with.
> |
> | Error opening output file readonly-keys-container/cert.p12.pem
> | readonly-keys-container/cert.p12.pem: Permission denied
> | '/usr/bin/openssl pkcs12 -in readonly-keys-container/cert.p12 -out \
> | readonly-keys-container/cert.p12.pem' returned 256 at ./smime_keys line
> 111.
>
> -2) Fails when filenames have spaces:
>
> | $ ./smime_keys add_p12 "My certificate.p12"
> |
> | NOTE: This will ask you for two passphrases:
> | 1. The passphrase you used for exporting
> | 2. The passphrase you wish to secure your private key with.
> |
> | Usage: pkcs12 [options]
> | where options are
> [snip OpenSSL options]
> | '/usr/bin/openssl pkcs12 -in My certificate.p12 -out My
> certificate.p12.pem' \
> | returned 256 at ./smime_keys line 111.
>
> -3) Fails when the p12 file contains only the client cert (and private
> key). May seem a justified failure: lacking path to root CA. But the
> issuer's cert is in fact present in the database, in both
> .smime/certificates and ca-bundle.
>
> | $ ./smime_keys add_p12 simple.p12
> |
> | NOTE: This will ask you for two passphrases:
> | 1. The passphrase you used for exporting
> | 2. The passphrase you wish to secure your private key with.
> |
> | Enter Import Password:
> | MAC verified OK
> | Enter PEM pass phrase:
> | Verifying - Enter PEM pass phrase:
> | Couldn't identify root certificate!
> | No root and no intermediate certificates. Can't continue. at
> ./smime_keys line 662.
>
> -4) The /usr/bin/openssl command path is hardcoded. It fails if OpenSSL
> is installed in /usr/local/bin/ or elsewhere.
>
> -5) Verification of a database certificate against a revocation list
> fails (grep returns non-0 when there is no match):
>
> | $ ./smime_keys verify 12345678.0 revoke.x509
> |
> | ==> about to verify certificate of email@xxxxxxxxxxx
> |
> | /tmp/.smime/certificates/12345678.0: OK
> | '/usr/bin/openssl crl -text -noout -in revoke.x509 | grep -A1
> 123456789ABCDEF123456789ABCDEF12
> | ' returned 256 at ./smime_keys line 875, <INDEX> chunk 1.
>
> Bye! Alain.
> >How-To-Repeat:
> >Fix:
> }}}
--
Ticket URL: <http://dev.mutt.org/trac/ticket/2456#comment:1>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
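Added example (not from the ticket and not mutt's own smime_keys.pl): a Perl sketch of how items 1, 2, 4 and 5 above can be fixed, written here to illustrate the report. It assumes openssl is on PATH (or named in an OPENSSL environment variable, an assumed convention, not one the script has) and that a PKCS#12 file is passed as the first argument; the rest of what the real script does with the resulting PEM (splitting it into ~/.smime/keys and ~/.smime/certificates) is not reproduced. Item 3 needs knowledge of the script's certificate-classification code and is not addressed.

```perl
#!/usr/bin/perl
# Added example, not smime_keys.pl itself. Assumptions: openssl is on PATH
# (or $OPENSSL names it), and $ARGV[0] is a PKCS#12 file.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use File::Basename qw(basename);

# 4) Do not hardcode /usr/bin/openssl: honour $OPENSSL (assumed convention),
#    otherwise search every directory on PATH.
sub find_openssl {
    return $ENV{OPENSSL} if defined $ENV{OPENSSL} && -x $ENV{OPENSSL};
    for my $dir (File::Spec->path()) {
        my $cand = File::Spec->catfile($dir, 'openssl');
        return $cand if -x $cand;
    }
    die "openssl not found in PATH\n";
}

# 2) Build the command as a list and hand it to system() as a list: no shell
#    is involved, so "My certificate.p12" reaches openssl as one argument.
sub run_cmd {
    my @cmd = @_;
    my $rc = system(@cmd);
    die "'@cmd' failed: " . ($rc == -1 ? $! : "exit " . ($rc >> 8)) . "\n"
        if $rc != 0;
}

# 1) Write the PEM into a fresh mode-0700 directory under $TMPDIR that is
#    removed at exit, never next to the input: a read-only keys directory
#    works, and no pre-existing something.pem can be overwritten or unlinked.
sub p12_to_pem {
    my ($openssl, $p12) = @_;
    my $tmpdir = tempdir('smime_keys.XXXXXX', TMPDIR => 1, CLEANUP => 1);
    my $pem = File::Spec->catfile($tmpdir, basename($p12) . '.pem');
    run_cmd($openssl, 'pkcs12', '-in', $p12, '-out', $pem);
    return $pem;
}

# 5) Match the serial against "openssl crl -text" output in Perl instead of
#    piping through grep, so "no match" is an ordinary false result and only a
#    failing openssl is an error. The pipe open is list-form for the same
#    reason as run_cmd().
sub serial_is_revoked {
    my ($openssl, $crl, $serial) = @_;
    open(my $fh, '-|', $openssl, 'crl', '-text', '-noout', '-in', $crl)
        or die "cannot run $openssl crl: $!\n";
    my $found = 0;
    while (my $line = <$fh>) {
        # Revoked entries print as "    Serial Number: <hex>".
        if ($line =~ /^\s*Serial Number:\s*([0-9A-Fa-f]+)/
            && lc($1) eq lc($serial)) {
            $found = 1;
        }
    }
    close($fh) or die "openssl crl failed (exit " . ($? >> 8) . ")\n";
    return $found;
}

if (@ARGV) {
    my $openssl = find_openssl();
    my $pem = p12_to_pem($openssl, $ARGV[0]);
    print "PEM written to $pem (the directory is removed at exit)\n";
}
```

Each change maps to one item of the report: tempdir() keeps the scratch file out of the caller's directory, list-form system() and open() never pass the file name through /bin/sh, PATH lookup replaces the fixed /usr/bin path, and doing the CRL match in Perl means a certificate that is simply not revoked no longer surfaces as a "returned 256" failure.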