[PATCH 0/3] Handle unencrypted certificates

Kevin Cernekee cernekee at gmail.com
Mon Mar 31 23:09:13 EDT 2014


This fixes one case in which an unencrypted private key file was not
recognized at all, and two cases where an unnecessary password prompt
showed up and forced the user to submit an empty password to proceed.

As a side effect of harmonizing the OpenSSL and GnuTLS
load_pkcs12_certificate password loops, OpenSSL builds are less noisy
than before when reporting bad PKCS#12 passwords.  I can change this
back if it is a problem.

I still see a minor inconsistency between PEM and PKCS#12 handling
on OpenSSL.  Not sure if it's worth fixing:


1) PEM cert requires a password, but the user just hits enter and
is_pem_password_error() gives up:

Using client certificate '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=somegroup/CN=test'
Enter PEM pass phrase:
140006881695456:error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read:pem_pkey.c:109:
Loading private key failed (see above errors)
Loading certificate failed. Aborting.
Failed to open HTTPS connection to asa
<aborts>

2) PEM cert requires a password, but the user enters the wrong password so
OpenSSL keeps asking:

Using client certificate '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/OU=somegroup/CN=test'
Enter PEM pass phrase:
139850861938400:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
139850861938400:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
139850861938400:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
<keeps prompting forever>

3) PKCS#12 cert requires a password; user hits enter OR types the wrong
password.  OpenSSL keeps asking:

Enter PKCS#12 pass phrase:
Failed to decrypt PKCS#12 certificate file
Enter PKCS#12 pass phrase:
Failed to decrypt PKCS#12 certificate file
Enter PKCS#12 pass phrase:
Failed to decrypt PKCS#12 certificate file
Enter PKCS#12 pass phrase:
<keeps prompting forever>


Kevin Cernekee (3):
  gnutls: Handle empty (but not NULL) passwords on PKCS#12 certs
  openssl: Skip password prompt on unencrypted PKCS#12 files
  openssl: Support unencrypted PKCS#8 private keys

 gnutls.c  |   10 +++++++++-
 openssl.c |   24 +++++++++++++-----------
 2 files changed, 22 insertions(+), 12 deletions(-)

-- 
1.7.9.5
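The three cases above all come down to two decisions: whether the key is encrypted at all (so no prompt is needed), and what to do when the prompt is answered with an empty or wrong password. The following is an added illustration, not code from this series or from openconnect: it classifies a PEM private key from its headers alone and bounds the prompt loop, with `ask_password` and `try_decrypt` as hypothetical caller-supplied hooks and the PEM bodies as constructed placeholders.

```python
# Added example (not from the patch series): decide from PEM headers whether a
# private key needs a password, and bound the prompt loop so that an empty
# answer gives up immediately and a wrong answer cannot re-prompt forever.
# Pure stdlib; no OpenSSL calls, and no real key material.
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)


def pem_key_needs_password(pem_text):
    """True if the first private-key block in pem_text is encrypted.

    PKCS#8 keys say so in the label ("ENCRYPTED PRIVATE KEY" vs "PRIVATE
    KEY"). Traditional OpenSSL keys ("RSA PRIVATE KEY", ...) are encrypted
    only when a "Proc-Type: 4,ENCRYPTED" header follows the BEGIN line.
    Certificate blocks ahead of the key are skipped. Raises ValueError if
    the text contains no private-key block.
    """
    for m in _BEGIN.finditer(pem_text):
        label = m.group(1)
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label == "PRIVATE KEY":
            return False
        if label.endswith("PRIVATE KEY"):
            rest = pem_text[m.end():].lstrip("\n")
            return rest.startswith("Proc-Type: 4,ENCRYPTED")
    raise ValueError("no private key block found")


def load_private_key(pem_text, ask_password, try_decrypt, max_attempts=3):
    """Prompt policy: never prompt for an unencrypted key; stop at once on an
    empty password; retry a wrong password at most max_attempts times.
    ask_password() returns the user's input; try_decrypt(pem_text, password)
    returns True on success (both are hypothetical hooks supplied by caller).
    """
    if not pem_key_needs_password(pem_text):
        return "unencrypted"
    for _ in range(max_attempts):
        password = ask_password()
        if password == "":
            return "empty-password"
        if try_decrypt(pem_text, password):
            return "loaded"
    return "gave-up"


# Constructed sample blocks; the base64 bodies are placeholders, not keys.
PKCS8_PLAIN = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
TRAD_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
TRAD_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
            "AAAA\n-----END RSA PRIVATE KEY-----\n")
```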
