Simon Josefsson <[email protected]> writes: > "Kukosa, Tomas" <[email protected]> writes: > >> Hi, >> >> I have recived PKCS#12 file created with OpenSSL 0.9.7e which I can not >> read in GnuTLS 2.7.12 but I still can read it in any OpenSSL. > > Hi! Interesting report, I'm debugging it now. > >> BTW 0,8% is near to 1/128 or to 1/120 but it could be just random :-) > > This suggests some parsing problem, maybe in the PKCS#12 string2key > function. The 3DES keys for three of the four PEM's happened to start > with 00. The fourth PEM didn't start with 00, but the IV is also > derived using the string2key function, so maybe there is a similar > problem there. Could be some DES parity bit issue as well. > > I'll instrument openssl to print the decryption keys it compute, if > there is a mismatch I've confirmed the theory.
Indeed, the outputs from the PKCS#12 string2key functions differs (for the same inputs) between GnuTLS and OpenSSL in some corner cases. I wonder which is standards compliant, there seems to be no PKCS#12 test vectors around. I suggest you use a more modern string2key algorithm than PKCS#12. ;) We should fix this, though. Thanks for reporting this with sufficient information to reproduce it. /Simon _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
