Error: Bad length of salt (32) for AES when importing a p12 certificate

Jakob Bohm jb-gnumlists at wisemo.com
Fri Sep 20 17:13:56 CEST 2024


Dear Nils,

Given the error message in the subject line above, the step to reproduce 
may be to pass 32 instead of 64 to the openssl command that makes the 
test certificate.

Otherwise, look for a command that can dump out the formatting details 
of the (non-distributable) problematic pkcs12 file to see what values it 
actually uses.

On 2024-09-20 12:02, Nils Schween wrote:
>> Given the brittleness of pkcs#12/minip12.c I would really appreciate to
>> have a sample file.  But the worst thing which could happen is that the
>> 64 bit salt does not work anymore in the future.  It is unlikely, though.
> I do understand. I tried to create one this morning, but I was not able
> to reproduce the error when importing my self-created certificate.
>
> I used the following commands to create the certificate:
>
> openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -sha384 -days 365 -out certificate.pem
>
> openssl pkcs12 -inkey key.pem -in certificate.pem -export -macsaltlen 64 -iter 20000 -out certificate.p12
>
> To compare my own certificate with the one issued by the certificate
> provider I used the following two commands:
>
> openssl pkcs12 -in certificate.p12 -noout -info
> openssl x509 -text -noout -in certificate.p12
>
> I could not find any significant difference in the output. Though the
> one from the certificate provider causes the error when imported with
> gpgsm while my own certificate does not.
>
> Since I am not very knowledgeable when it comes to S/MIME certificates,
> it is a riddle to me why the error appears: My certificate and the one
> from the provider have a salt length of 64 bit and that was the only
> thing I changed in minip12.c
>
> So, I have to say that I am sorry, I cannot reproduce the error with a
> self-created certificate.
>
>> Please give me some days to apply the patch.
> No hurry, for now I have a personal workaround.
>
> Thank you,
> Nils
>
> Werner Koch <wk at gnupg.org> writes:
>
>> On Thu, 19 Sep 2024 13:42, Nils Schween said:
>>
>>> If it is necessary, I can try to create a certificate with openssl, that
>>> reproduces the error.
>> Given the brittleness of pkcs#12/minip12.c I would really appreciate to
>> have a sample file.  But the worst thing which could happen is that the
>> 64 bit salt does not work anymore in the future.  It is unlikely, though.
>>
>> Please give me some days to apply the patch.
>>
>>
>> Salam-Shalom,
>>
>>     Werner

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
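
One way to see which salt length a PKCS#12 file actually uses, as suggested in the message above. This is an added example, not part of the thread and not GnuPG or OpenSSL code: it scans the raw bytes for the PBKDF2 OID and reads the salt length and iteration count that follow. It assumes the salt named in the error is the PBKDF2 salt of a PBES2 algorithm identifier; the function names are hypothetical and the sample input is constructed.

```python
import sys

# DER encoding of the PBKDF2 OID 1.2.840.113549.1.5.12 (tag + length + value).
PBKDF2_OID = bytes.fromhex("06092a864886f70d01050c")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return tag, pos, pos + length

def pbkdf2_params(buf):
    """List (oid_offset, salt_len_bytes, iterations) for each PBKDF2 use."""
    found, start = [], 0
    while (hit := buf.find(PBKDF2_OID, start)) != -1:
        start = hit + len(PBKDF2_OID)
        try:
            tag, p, _ = read_tlv(buf, start)        # PBKDF2-params SEQUENCE
            if tag != 0x30:
                continue
            tag, s, s_end = read_tlv(buf, p)        # salt OCTET STRING
            if tag != 0x04:
                continue
            tag, i, i_end = read_tlv(buf, s_end)    # iterationCount INTEGER
            if tag != 0x02:
                continue
        except (ValueError, IndexError):
            continue                                # byte pattern was not a real match
        found.append((hit, s_end - s, int.from_bytes(buf[i:i_end], "big")))
    return found

def sample_algid(salt_len, iterations=20000):
    """Constructed test input: a bare PBKDF2 AlgorithmIdentifier."""
    params = bytes([0x04, salt_len]) + b"\xaa" * salt_len
    params += b"\x02\x02" + iterations.to_bytes(2, "big")
    body = PBKDF2_OID + bytes([0x30, len(params)]) + params
    return bytes([0x30, len(body)]) + body

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_algid(32)
    for off, salt_len, iters in pbkdf2_params(data):
        print(f"PBKDF2 at offset {off}: salt {salt_len} bytes, {iters} iterations")
```

Run with the path of a .p12 file as the only argument to compare a self-made file with the provider's one. Files written with indefinite-length (BER) encoding are skipped rather than parsed, and the MAC salt is not covered by this scan.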