[Help-gnutls] Re: gnutls_x509_privkey_export_pkcs8 failure with GNUTLS_PKCS_USE_PBES2_3DES

Florian Weimer fweimer at bfk.de
Thu Sep 6 14:09:26 CEST 2007

* Simon Josefsson:

>> With the GNUTLS_PKCS_USE_PKCS12_3DES flag, it works.  Is a special
>> format for the password required if the GNUTLS_PKCS_USE_PBES2_3DES
>> mode is used?
> No, I don't think so.  Maybe the PBES2 approach is buggy.  Could you
> debug further why it fails?

It seems to me that the enc_params argument to generate_key is not
properly initialized.  From the beginning of generate_key:

  /* We should use the flags here to use different
   * encryption algorithms etc. 

  if (schema == PKCS12_ARCFOUR_SHA1)
    enc_params->cipher = GNUTLS_CIPHER_ARCFOUR_128;
  else if (schema == PKCS12_3DES_SHA1)
    enc_params->cipher = GNUTLS_CIPHER_3DES_CBC;
  else if (schema == PKCS12_RC2_40_SHA1)
    enc_params->cipher = GNUTLS_CIPHER_RC2_40_CBC;

schema is PBES2 in this case, and enc_params has not been filled by
the caller.  valgrind complains as well:

==8411== Conditional jump or move depends on uninitialised value(s)
==8411==    at 0x479AB24: gnutls_cipher_get_key_size (gnutls_algorithms.c:739)
==8411==    by 0x47D3DDB: generate_key (privkey_pkcs8.c:1630)
==8411==    by 0x47D7114: gnutls_x509_privkey_export_pkcs8 (privkey_pkcs8.c:345)
==8411==    by 0x4763EE1: XS_Crypt__GNUTLS__X509Privkey_export_pkcs8 (GNUTLS.xs:1108)
==8411==    by 0x80BDAD0: Perl_pp_entersub (in /usr/bin/perl)
==8411==    by 0x80BC3A8: Perl_runops_standard (in /usr/bin/perl)
==8411==    by 0x8063A1A: perl_run (in /usr/bin/perl)
==8411==    by 0x805FFD0: main (in /usr/bin/perl)

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the Gnutls-help mailing list