Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)
Dmitry Belyavsky <beldmit@gmail.com> Thu, 05 August 2021 18:57 UTC
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6t3wUeN5iXicXtFovY0YkcBX-vE>
Dear Daniel,

On Thu, Aug 5, 2021 at 8:34 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> On Thu 2021-08-05 14:48:58 +0200, Dmitry Belyavsky wrote:
>
> > It's not my repo, it's a Red Hat PKCS12 test corpse :)
>
> Thanks for the clarification, and the history about it. :) It's
> distressing to learn that there are no implementations capable of
> importing all of the objects in this repo.

Malformed files were created by NSS and are not expected to be importable by
anything but NSS, so just that alone means no implementation will be able to
import all of them. The malformed files are there as NSS has special code to
handle those malformed files. And since those include stuff like aes-128-cbc
(i.e. quite a sensible choice) they may happen "in the wild", but realistically
only NSS needs to read them.

NSS should accept these files and all the others except those encrypted with
the algorithms unsupported by NSS (seed, blowfish). GnuTLS also supports only a
limited set of algorithms for PKCS#12. OpenSSL is able to import pretty much
all of them, and here's a PR for OpenSSL that tries to include it in the
upstream CI: https://github.com/openssl/openssl/pull/15188

> Has anyone set up an interoperability test suite to document which tools
> fail in which ways, or filed bug reports against the different
> implementations that fail?
>
> The four F/LOSS pkcs12 implementations that seem straightforward to test
> in an automated way are:
>
> - "certtool --p12-info" from GnuTLS
> - "openssl pkcs12" from OpenSSL
> - "pk12util" and "certutil" from NSS
> - "keytool" from the Java JDK

We do test all those 3 libraries with those files, and file bugs to add
support for missing things (e.g. https://gitlab.com/gnutls/gnutls/-/issues/723
and https://gitlab.com/gnutls/gnutls/-/issues/724). We don't run our tests
against keytool.

> Are there other tools i should consider testing? Does anyone know of an
> automated way of testing macOS's Keychain Access, or the Windows
> equivalent?
>
> > On Thu, Aug 5, 2021 at 2:49 AM Daniel Kahn Gillmor <
> > dkg@fifthhorseman.net> wrote:
> >
> >> I'll set aside the multiple-key case for now, to focus for the moment
> >> on a single-private-key use case so that we can try to evaluate
> >> encodings.
> >
> > I've never seen PKCS12 with multiple private keys so I totally agree
> > with you.
>
> I encourage you to read draft-ietf-lamps-samples 😉, which has included
> these objects since February 17th of this year (back when it was
> draft-dkg-lamps-samples-03)!

My fault :)

--
SY, Dmitry Belyavsky
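The automated cross-implementation run that the quoted message asks about, as an added example that is not part of this thread and not the Red Hat corpus's or any project's own test code. It drives the four command-line importers named above (openssl pkcs12, certtool --p12-info, pk12util, keytool) in read-only/list mode over a directory of *.p12 files and prints an ok/fail/skip table, and it can generate a small constructed corpus of its own (a PBES2/AES-256-CBC file, a PBES1/3DES file and a truncated file) when OpenSSL is installed. Assumptions: every file uses the same password (P12_PASSWORD, default "password"); the throwaway NSS database created for pk12util, and the exact flag set per tool, are this example's choices, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread, not any project's code): run a directory
# of PKCS#12 files through four CLI importers and tabulate ok/fail/skip.
# Assumption: all files share one password (P12_PASSWORD, default "password").
# "skip" means the tool is not installed, not that the file parsed.

PASS="${P12_PASSWORD:-password}"

# probe_p12 TOOL FILE -> prints exactly one word: ok, fail or skip.
# Each parser is only asked to read and describe the file; nothing is
# imported into a persistent key store.
probe_p12() {
    tool=$1; file=$2
    case "$tool" in
        openssl)
            command -v openssl >/dev/null 2>&1 || { echo skip; return 0; }
            if openssl pkcs12 -in "$file" -passin "pass:$PASS" -info -noout >/dev/null 2>&1
            then echo ok; else echo fail; fi ;;
        certtool)
            command -v certtool >/dev/null 2>&1 || { echo skip; return 0; }
            if certtool --p12-info --infile "$file" --password "$PASS" >/dev/null 2>&1
            then echo ok; else echo fail; fi ;;
        pk12util)
            command -v pk12util >/dev/null 2>&1 || { echo skip; return 0; }
            # Assumption: pk12util wants an NSS database to open a slot even
            # when only listing, so use an empty throwaway one.
            nssdb=$(mktemp -d)
            certutil -N --empty-password -d "sql:$nssdb" >/dev/null 2>&1 || true
            if pk12util -l "$file" -W "$PASS" -d "sql:$nssdb" >/dev/null 2>&1
            then echo ok; else echo fail; fi
            rm -rf "$nssdb" ;;
        keytool)
            command -v keytool >/dev/null 2>&1 || { echo skip; return 0; }
            if keytool -list -storetype PKCS12 -keystore "$file" -storepass "$PASS" >/dev/null 2>&1
            then echo ok; else echo fail; fi ;;
        *) echo skip ;;
    esac
}

# make_fixtures DIR: with OpenSSL available, write a constructed mini-corpus:
# a PBES2/AES-256-CBC file with an HMAC-SHA256 MAC, a PBES1/3DES file with a
# SHA-1 MAC, and a truncated copy that every parser must reject.
make_fixtures() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=p12-interop \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name modern -passout "pass:$PASS" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -out "$dir/aes256-sha256.p12"
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name legacy -passout "pass:$PASS" \
        -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
        -out "$dir/3des-sha1.p12"
    head -c 100 "$dir/aes256-sha256.p12" > "$dir/truncated.p12"
}

# run_corpus DIR [TOOL...]: one row per *.p12 file, one column per tool.
run_corpus() {
    dir=$1; shift
    tools=${*:-openssl certtool pk12util keytool}
    printf '%-24s' file
    for t in $tools; do printf '%-10s' "$t"; done
    printf '\n'
    for f in "$dir"/*.p12; do
        [ -e "$f" ] || continue
        printf '%-24s' "$(basename "$f")"
        for t in $tools; do printf '%-10s' "$(probe_p12 "$t" "$f")"; done
        printf '\n'
    done
}

# Usage: sh p12-interop.sh /path/to/corpus [tool ...]
# With no arguments nothing runs, so the functions can be sourced elsewhere.
[ $# -eq 0 ] || run_corpus "$@"
```

Run it as `sh p12-interop.sh /path/to/corpus` to cover all four tools, or name a subset (`sh p12-interop.sh corpus openssl certtool`). A "fail" for the 3DES file on an OpenSSL 3 build usually points at a missing provider rather than a malformed file, and an "ok" from OpenSSL alongside a "fail" from GnuTLS or NSS is exactly the kind of discrepancy the quoted message asks to have documented and reported.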