
Re: [Mutt] #2456: some S/MIME smime_keys.pl add_p12 failures



#2456: some S/MIME smime_keys.pl add_p12 failures
----------------------------------------------+-----------------------------
  Reporter:  Alain Bench <veronatif@xxxxxxx>  |       Owner:  mutt-dev
      Type:  defect                           |      Status:  new     
  Priority:  trivial                          |   Milestone:          
 Component:  crypto                           |     Version:  1.5.13  
Resolution:                                   |    Keywords:          
----------------------------------------------+-----------------------------
Changes (by pdmef):

  * component:  mutt => crypto


Description:

> {{{
>
> Hello,
>
>     The S/MIME helper Perl script smime_keys.pl has some small problems,
> needing Perl-skilled helpers.
>
>  -1) add_p12 creates and unlinks temp files in the directory of the pkcs12
> original certificates. It could destroy an important file unluckily named
> something.pem, or fail if read-only:
>
> | $ ./smime_keys add_p12 readonly-keys-container/cert.p12
> |
> | NOTE: This will ask you for two passphrases:
> |       1. The passphrase you used for exporting
> |       2. The passphrase you wish to secure your private key with.
> |
> | Error opening output file readonly-keys-container/cert.p12.pem
> | readonly-keys-container/cert.p12.pem: Permission denied
> | '/usr/bin/openssl pkcs12 -in readonly-keys-container/cert.p12 -out \
> | readonly-keys-container/cert.p12.pem' returned 256 at ./smime_keys line
> 111.
>

>  -2) Fails when filenames have spaces:
>
> | $ ./smime_keys add_p12 "My certificate.p12"
> |
> | NOTE: This will ask you for two passphrases:
> |       1. The passphrase you used for exporting
> |       2. The passphrase you wish to secure your private key with.
> |
> | Usage: pkcs12 [options]
> | where options are
>     [snip OpenSSL options]
> | '/usr/bin/openssl pkcs12 -in My certificate.p12 -out My
> certificate.p12.pem' \
> | returned 256 at ./smime_keys line 111.
>

>  -3) Fails when the p12 file contains only client cert (and private
> key). May seem a justified failure: Lacking path to root CA. But the
> issuer's cert is in fact present in the database, in both
> .smime/certificates and ca-bundle.
>
> | $ ./smime_keys add_p12 simple.p12
> |
> | NOTE: This will ask you for two passphrases:
> |       1. The passphrase you used for exporting
> |       2. The passphrase you wish to secure your private key with.
> |
> | Enter Import Password:
> | MAC verified OK
> | Enter PEM pass phrase:
> | Verifying - Enter PEM pass phrase:
> | Couldn't identify root certificate!
> | No root and no intermediate certificates. Can't continue. at
> ./smime_keys line 662.
>

>  -4) The /usr/bin/openssl command path is hardcoded. It fails if OpenSSL
> is installed in /usr/local/bin/ or elsewhere.
>

>  -5) Verification of a database certificate against a revocation list
> fails (grep returns non-0 when there is no match):
>
> | $ ./smime_keys verify 12345678.0 revoke.x509
> |
> | ==> about to verify certificate of email@xxxxxxxxxxx
> |
> | /tmp/.smime/certificates/12345678.0: OK
> | '/usr/bin/openssl crl -text -noout -in revoke.x509 | grep -A1
> 123456789ABCDEF123456789ABCDEF12
> | ' returned 256 at ./smime_keys line 875, <INDEX> chunk 1.
>

> Bye!    Alain.
> >How-To-Repeat:
> >Fix:
> }}}
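The following is an added illustration, not code from the mutt project or from smime_keys.pl, of how points 1, 2 and 4 of the report can be handled together: the PEM output goes into a private temporary directory instead of next to the .p12 file (point 1), openssl is invoked with a list-form `system` so that a filename containing spaces is never parsed by a shell (point 2), and the openssl binary is located through an `OPENSSL` environment variable or `PATH` rather than a hardcoded `/usr/bin/openssl` (point 4). The `find_openssl` and `p12_to_pem` helpers and the `OPENSSL` variable are assumptions of this example, not something the script defines.

```perl
#!/usr/bin/perl
# Added example (not mutt's smime_keys.pl): safer pkcs12 -> PEM extraction.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use File::Basename qw(basename);

# Point 4: no hardcoded /usr/bin/openssl. Honour $OPENSSL (assumed variable,
# not one the script knows), else take the first executable 'openssl' in PATH.
sub find_openssl {
    return $ENV{OPENSSL} if defined $ENV{OPENSSL} && -x $ENV{OPENSSL};
    for my $dir (File::Spec->path()) {
        my $candidate = File::Spec->catfile($dir, 'openssl');
        return $candidate if -x $candidate;
    }
    die "openssl not found in PATH; set OPENSSL to its full path\n";
}

# Points 1 and 2: the PEM (which contains the private key) is written into a
# fresh mode-0700 directory under the system temp dir, removed at exit, so no
# file beside the .p12 can be clobbered and a read-only source dir is fine.
# The command is passed as a list, so "My certificate.p12" stays one argument.
sub p12_to_pem {
    my ($p12) = @_;
    my $openssl = find_openssl();
    my $tmpdir  = tempdir('smime_keys.XXXXXX', TMPDIR => 1, CLEANUP => 1);
    my $pem     = File::Spec->catfile($tmpdir, basename($p12) . '.pem');

    my @cmd = ($openssl, 'pkcs12', '-in', $p12, '-out', $pem);
    system(@cmd) == 0
        or die "'@cmd' failed with exit status " . ($? >> 8) . "\n";
    return ($pem, $tmpdir);
}

my $p12 = shift @ARGV or die "usage: $0 file.p12\n";
my ($pem, $tmpdir) = p12_to_pem($p12);
print "PEM written to $pem (directory $tmpdir is removed when this exits)\n";
```

The extraction still prompts interactively for the import and PEM passphrases exactly as the original does; the example stops once the PEM exists, which is where the script would go on to split certificates and key out of it.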

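For point 5, the failure comes from treating grep's exit status 1 ("no line matched") as an error, which is exactly the case where the certificate is not on the revocation list. The added example below (again not code from mutt or smime_keys.pl) drops grep entirely: it reads the `openssl crl -text` output into Perl through a list-form pipe open, collects the `Serial Number:` lines of the revoked entries, and compares normalized serials, so "not revoked" is an ordinary result and only a failing openssl is fatal. The sample CRL text at the bottom is constructed for an offline run; the helper names are this example's own.

```perl
#!/usr/bin/perl
# Added example (not mutt's smime_keys.pl): CRL lookup without shelling out
# to grep, so a non-matching serial is not reported as a failure.
use strict;
use warnings;

# Serials may appear with different case, leading zeros or colons; compare a
# canonical form (uppercase hex, no separators, no leading zeros).
sub normalize_serial {
    my ($s) = @_;
    $s = uc $s;
    $s =~ s/[^0-9A-F]//g;
    $s =~ s/^0+(?=.)//;
    return $s;
}

# Parse the text form of a CRL: each revoked entry carries a
# "Serial Number: <hex>" line. Returns a hashref of normalized serials.
sub parse_revoked_serials {
    my ($crl_text) = @_;
    my %revoked;
    while ($crl_text =~ /^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$/mg) {
        $revoked{ normalize_serial($1) } = 1;
    }
    return \%revoked;
}

# Run openssl ourselves (list form: no shell, so odd filenames are safe too),
# slurp its output, and die only if openssl itself exits non-zero.
sub serial_is_revoked {
    my ($openssl, $crl_file, $serial) = @_;
    open(my $fh, '-|', $openssl, 'crl', '-text', '-noout', '-in', $crl_file)
        or die "cannot run $openssl: $!\n";
    my $text = do { local $/; <$fh> };
    close($fh)
        or die "'$openssl crl' failed with exit status " . ($? >> 8) . "\n";
    my $revoked = parse_revoked_serials($text);
    return exists $revoked->{ normalize_serial($serial) } ? 1 : 0;
}

# Constructed sample of 'openssl crl -text -noout' output, for an offline run.
my $sample = <<'END';
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example CA
Revoked Certificates:
    Serial Number: 0AB12C
        Revocation Date: Jan  1 00:00:00 2006 GMT
END

my $revoked = parse_revoked_serials($sample);
for my $serial (qw(0AB12C ab12c 123456789ABCDEF123456789ABCDEF12)) {
    printf "%-34s %s\n", $serial,
        exists $revoked->{ normalize_serial($serial) } ? 'REVOKED' : 'not in CRL';
}
```

With a real CRL file, `serial_is_revoked($openssl, 'revoke.x509', $serial)` returns 0 for a certificate that is absent from the list, which is the outcome the original `grep -A1` pipeline turned into "returned 256".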

--

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/2456#comment:1>
Mutt <http://www.mutt.org/>
The Mutt mail user agent