[gnutls-devel] GnuTLS | PBKDF2 doesn't work with all SHA-2 hashes or MD5 (#723)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Mar 5 18:35:51 CET 2019


New Issue was created.

Issue 723: https://gitlab.com/gnutls/gnutls/issues/723
Author:    Hubert Kario
Assignee:  

## Description of problem:
In PKCS#12 files, PBES2 with PBKDF2 with an hmacWithSHA512, hmacWithSHA384, hmacWithSHA224 or hmacWithMD5 PRF does not work.

## Version of gnutls used:
gnutls-3.6.5-1.el8.x86_64

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
RHEL

## How reproducible:


 * download https://github.com/redhat-qe-security/keyfile-corpus
 * run `certtool --p12-info --inder --infile 'keyfile-corpus-keyfiles-0.1.3/rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(64),iter(1000000),keyLen(default),prf(hmacWithSHA512)),aes-256-cbc(IV(16)))),mac(sha512,salt(64),iter(1000000)),pass(ascii).p12' --password 'Red Hat Enterprise Linux 7.4'`
 * run `certtool --p12-info --inder --infile 'keyfile-corpus-keyfiles-0.1.3/rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(hmacWithMD5)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12' --password 'Red Hat Enterprise Linux 7.4'`
 * run `certtool --p12-info --inder --infile 'keyfile-corpus-keyfiles-0.1.3/rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(hmacWithSHA224)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12' --password 'Red Hat Enterprise Linux 7.4'`
 * etc.

## Actual results:
```
bag_decrypt: The hash algorithm is unknown.
There were errors parsing the structure
MAC info:
	MAC: SHA1 (1.3.14.3.2.26)
	Salt: a9e4a4ff82fcc30b
	Salt size: 8
	Iteration count: 2048

BAG #0
	Type: Encrypted
	Cipher: AES-128-CBC
	Schema: PBES2-AES128-CBC (2.16.840.1.101.3.4.1.2)
	Salt: 38cc590051f7c4e4
	Salt size: 8
	Iteration count: 2048

	Decrypting...

BAG #1
	Elements: 1
	Type: PKCS #8 Encrypted key
	PKCS #8 information:
		Cipher: AES-128-CBC
		Schema: PBES2-AES128-CBC (2.16.840.1.101.3.4.1.2)
		Salt: 5369a4e334531320
		Salt size: 8
		Iteration count: 2048

	Friendly name: localhost
	Key ID: E3:76:B4:62:05:2B:2F:D4:B9:12:5B:B0:EA:E0:4F:10:C8:C0:C5:B0
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----
```

## Expected results:
Files can be processed just like other PKCS#12 files in the set.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/723
You're receiving this email because of your account on gitlab.com.
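
An added example, not part of the original report or of GnuTLS: a minimal DER walk that reads the PBKDF2 PRF out of a PBES2 AlgorithmIdentifier, so files using one of the PRFs named in this report can be identified before they are handed to `certtool`. The function names are hypothetical, and `SAMPLE` is constructed from the BAG #0 salt and iteration count shown above, with hmacWithSHA224 and an all-zero IV as assumptions.

```python
PRF = {f"1.2.840.113549.2.{arc}": name for arc, name in enumerate(
    ("hmacWithMD5", "hmacWithSHA1", "hmacWithSHA224", "hmacWithSHA256",
     "hmacWithSHA384", "hmacWithSHA512"), start=6)}
AFFECTED = {"hmacWithMD5", "hmacWithSHA224", "hmacWithSHA384", "hmacWithSHA512"}  # per this report
PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # contents of a constructed element -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def oid(val):  # DER OID contents -> dotted string
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def pbkdf2_params(alg_der):  # DER PBES2 AlgorithmIdentifier -> (prf, salt, iterations)
    (_, scheme), (_, params) = children(read_tlv(alg_der, 0)[1])
    (_, kdf_oid), (_, kdf_params) = children(children(params)[0][1])
    if (oid(scheme), oid(kdf_oid)) != (PBES2, PBKDF2):
        raise ValueError("not PBES2 with PBKDF2")
    fields = children(kdf_params)  # salt, iterationCount, [keyLength], [prf]
    prf = next((oid(children(v)[0][1]) for t, v in fields[2:] if t == 0x30),
               "1.2.840.113549.2.7")  # DEFAULT hmacWithSHA1 when the field is absent
    return PRF.get(prf, prf), fields[0][1], int.from_bytes(fields[1][1], "big")

def tlv(tag, *parts):  # DER builder for the constructed sample (lengths < 128 only)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

H = bytes.fromhex
# Constructed sample: PBES2(PBKDF2(salt, 2048, prf=hmacWithSHA224), aes-128-cbc(zero IV)).
SAMPLE = tlv(0x30, tlv(6, H("2a864886f70d01050d")), tlv(0x30,
    tlv(0x30, tlv(6, H("2a864886f70d01050c")), tlv(0x30, tlv(4, H("38cc590051f7c4e4")),
        tlv(2, H("0800")), tlv(0x30, tlv(6, H("2a864886f70d0208")), tlv(5)))),
    tlv(0x30, tlv(6, H("608648016503040102")), tlv(4, bytes(16)))))
```

`pbkdf2_params(SAMPLE)[0] in AFFECTED` is true for this sample; an AlgorithmIdentifier that omits the PRF field is reported as hmacWithSHA1, the DEFAULT.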