Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)

Dmitry Belyavsky <beldmit@gmail.com> Thu, 05 August 2021 18:57 UTC

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6t3wUeN5iXicXtFovY0YkcBX-vE>

Dear Daniel,

On Thu, Aug 5, 2021 at 8:34 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:

> On Thu 2021-08-05 14:48:58 +0200, Dmitry Belyavsky wrote:
>
> > It's not my repo, it's a Red Hat PKCS12 test corpse :)
>
> Thanks for the clarification, and the history about it. :)  It's
> distressing to learn that there are no implementations capable of
> importing all of the objects in this repo.
>

Malformed files were created by NSS and are not expected to be importable
by anything but NSS, so just that alone means no implementation will be
able to import all of them.
The malformed files are there as NSS has special code to handle those
malformed files, and since those include stuff like aes-128-cbc (i.e. quite
a sensible choice) they may happen "in the wild", but realistically only NSS
needs to read them.

NSS should accept these files and all the others except those encrypted
with the algorithms unsupported by NSS (seed, blowfish).
GnuTLS also supports only a limited set of algorithms for PKCS#12.

OpenSSL is able to import pretty much all of them and here's a PR for
openssl that tries to include it in the upstream CI:
https://github.com/openssl/openssl/pull/15188


>
> Has anyone set up an interoperability test suite to document which tools
> fail in which ways, or filed bug reports against the different
> implementations that fail?
>
> The four F/LOSS pkcs12 implementations that seem straightforward to test
> in an automated way are:
>
>  - "certtool --p12-info" from GnuTLS
>  - "openssl pkcs12" from OpenSSL
>  - "pk12util" and "certutil" from NSS
>  - "keytool" from the Java JDK
>

We do test all those 3 libraries with those files, and file bugs to add
support for missing things
(e.g. https://gitlab.com/gnutls/gnutls/-/issues/723 and
https://gitlab.com/gnutls/gnutls/-/issues/724)

We don't run our tests against the keytool.


> Are there other tools i should consider testing?  Does anyone know of an
> automated way of testing macOS's Keychain Access, or the Windows
> equivalent?
>
> > On Thu, Aug 5, 2021 at 2:49 AM Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> >
> >> I'll set aside the multiple-key case for now, to focus for the moment
> >> on a single-private-key use case so that we can try to evaluate
> >> encodings.
> >
> > I've never seen PKCS12 with multiple private keys so I totally agree
> > with you.
>
> I encourage you to read draft-ietf-lamps-samples 😉, which has included
> these objects since February 17th of this year (back when it was
> draft-dkg-lamps-samples-03)!
>

My fault :)

-- 
SY, Dmitry Belyavsky
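
The interoperability matrix asked about in this thread could be collected with a small harness like the following. It is an added example, not part of the original message or of any project's test suite. It assumes the corpus files end in `.p12`, share one password, and that each tool signals a failed import with a non-zero exit status; the `TOOLS` table and function names are hypothetical.

```python
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed table: one import/listing command per tool named in the thread.
# {f} is the PKCS#12 file, {pw} its password. Command-line passwords are
# visible to other local users, so use this on public test vectors only.
TOOLS = {
    "gnutls": ["certtool", "--p12-info", "--inder", "--infile", "{f}",
               "--password", "{pw}"],
    # -nodes makes openssl decrypt the key bags too; -noout alone skips them.
    "openssl": ["openssl", "pkcs12", "-in", "{f}", "-nodes",
                "-passin", "pass:{pw}"],
    # Assumption: add "-d <dbdir>" if your NSS setup needs a database.
    "nss": ["pk12util", "-l", "{f}", "-W", "{pw}"],
    "keytool": ["keytool", "-list", "-storetype", "PKCS12",
                "-keystore", "{f}", "-storepass", "{pw}"],
}

def check(argv_template, p12, password, timeout=30):
    """Return 'missing', 'ok' or 'fail' for one tool on one file."""
    if shutil.which(argv_template[0]) is None:
        return "missing"  # tool not installed: not an interop failure
    argv = [a.format(f=p12, pw=password) for a in argv_template]
    try:
        # stdin is closed so a tool that prompts fails instead of hanging;
        # output is discarded because it may contain decrypted key material.
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "fail"
    return "ok" if proc.returncode == 0 else "fail"

def run_matrix(files, password, tools=TOOLS):
    """Map each file to {tool name: result}."""
    return {str(f): {name: check(t, f, password) for name, t in tools.items()}
            for f in files}

def format_matrix(matrix, tools=TOOLS):
    """Render the matrix as tab-separated text, one row per file."""
    names = list(tools)
    lines = ["file\t" + "\t".join(names)]
    for f, row in matrix.items():
        lines.append(f + "\t" + "\t".join(row[n] for n in names))
    return "\n".join(lines)

if __name__ == "__main__":  # usage: script.py <corpus-dir> <password>
    corpus, password = Path(sys.argv[1]), sys.argv[2]
    print(format_matrix(run_matrix(sorted(corpus.rglob("*.p12")), password)))
```

A "fail" cell only says the tool exited non-zero; distinguishing an unsupported algorithm from a malformed file still requires reading that tool's error output.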