Dear Nils,

Given the error message in the subject line above, the step to reproduce may be to pass 32 instead of 64 to the openssl command that makes the test certificate.

Otherwise, look for a command that can dump out the formatting details of the (non-distributable) problematic pkcs12 file to see what values it actually uses.

On 2024-09-20 12:02, Nils Schween wrote:
Given the brittleness of pkcs#12/minip12.c I would really appreciate to
have a sample file.  But the worst thing which could happen is that the
64 bit salt does not work anymore in the future.  It is unlikely, though.
I do understand. I tried to create one this morning, but I was not able
to reproduce the error when importing my self created certificate.

I used the following commands to create the certificate:

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -sha384 -days 365 -out certificate.pem

openssl pkcs12 -inkey key.pem -in certificate.pem -export -macsaltlen 64 -iter 20000 -out certificate.p12

To compare my own certificate with the one issued by the certificate
provider I used the following two commands:

openssl pkcs12 -in certificate.p12 -noout -info
openssl x509 -text -noout -in certificate.p12

I could not find any significant difference in the output. Though the
one from the certificate provider causes the error when imported with
gpgsm while my own certificate does not.

Since I am not very knowledgeable when it comes to S/MIME certificates,
it is a riddle to me why the error appears: My certificate and the one
from the provider have a salt length of 64 bit and that was the only
thing I changed in minip12.c

So, I have to say that I am sorry, I cannot reproduce the error with a
self-created certificate.

Please give me some days to apply the patch.
No hurry, for now I have a personal work around.

Thank you,
Nils

Werner Koch <w...@gnupg.org> writes:

On Thu, 19 Sep 2024 13:42, Nils Schween said:

If it is necessary, I can try to create a certificate with openssl, that
reproduces the error.
Given the brittleness of pkcs#12/minip12.c I would really appreciate to
have a sample file.  But the worst thing which could happen is that the
64 bit salt does not work anymore in the future.  It is unlikely, though.

Please give me some days to apply the patch.


Salam-Shalom,

    Werner

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
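
Added example, not part of the original message and not code from GnuPG or OpenSSL: one way to dump the values the message above suggests comparing between the two files. It walks the DER of a PKCS#12 file and reports the MAC digest, salt length and iteration count; the function names and the embedded sample are constructed for illustration, and BER indefinite-length files are rejected rather than parsed.

```python
# Added example (not from the thread): report the MacData fields of a PKCS#12 file.
# PFX     ::= SEQUENCE { version, authSafe, macData OPTIONAL }
# MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations DEFAULT 1 }
DIGESTS = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}  # DER OID bytes, hex

def read_tlv(buf, pos):
    """Decode one DER element; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite-length (BER) encoding is not handled here")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # content of a constructed element -> [(tag, value)]
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def mac_info(pfx_der):
    """Return digest, salt length and iteration count of the integrity MAC, or None."""
    tag, body, _ = read_tlv(pfx_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    parts = children(body)
    if len(parts) < 3:
        return None                         # macData absent: no password-based MAC
    mac, salt, *rest = children(parts[2][1])
    oid = children(children(mac[1])[0][1])[0][1].hex()   # DigestInfo -> AlgorithmIdentifier -> OID
    iterations = int.from_bytes(rest[0][1], "big") if rest else 1
    return {"digest": DIGESTS.get(oid, oid), "salt_bytes": len(salt[1]),
            "salt_bits": 8 * len(salt[1]), "iterations": iterations}

def der(tag, val):                          # short-form builder, only for the sample below
    return bytes([tag, len(val)]) + val

# Constructed sample: empty authSafe, SHA-256 MAC, 8-byte salt, 20000 iterations.
ALG = der(0x30, der(0x06, bytes.fromhex("608648016503040201")) + der(0x05, b""))
MAC = der(0x30, der(0x30, ALG + der(0x04, bytes(32))) + der(0x04, bytes(8)) + der(0x02, b"\x4e\x20"))
SAFE = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")) + der(0xA0, der(0x04, b"")))
SAMPLE = der(0x30, der(0x02, b"\x03") + SAFE + MAC)

if __name__ == "__main__":
    print(mac_info(SAMPLE))
```

To inspect a real file, pass its bytes, for example mac_info(open("certificate.p12", "rb").read()), and compare the result for the working and the failing file.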

