severity 522281 wishlist
thanks
Matthew King matthew.k...@monnsta.net writes:
Package: gnutls-bin
Version: 2.4.2-6+lenny1
If you attempt to use a pkcs8 private key with a template file, and that
template file does not specify the passphrase, certtool exits with an
error:
certtool: importing --load-privkey: ca-key.pem: Decryption has failed.
I am not sure which is worse - putting the passphrase in the template
file or asking questions in batch mode, but the patch to allow the
latter is simple:
--- src/certtool-cfg.c~ 2008-09-15 21:04:19.0 +0100
+++ src/certtool-cfg.c 2009-04-02 11:40:57.0 +0100
@@ -301,7 +301,7 @@
const char *
get_pass (void)
{
- if (batch)
+ if (batch !(cfg.password == NULL || *cfg.password == '\0'))
return cfg.password;
else
return getpass (Enter password: );
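Review bot: the added condition on the `+` line has no operator between `batch` and `!(cfg.password == NULL || *cfg.password == '\0')`, so as shown it will not compile; `&&` looks like what is intended. With that in place, a batch run whose template carries no password falls through to the `getpass` call in the `else` branch, so an unattended job would wait at a prompt instead of failing with an error. Consider making the fallback conditional on an explicit option, or on a check that a terminal is actually attached, and documenting the new batch-mode behaviour next to `get_pass`.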
Thanks for the report, and sorry for the long delay in responding.
I believe an error message in this situation is reasonable: the reason
for the template mode is to avoid interactive questions. It would be
wrong to ask questions for missing data in a template.
Specifying a password in a template file is a security concern, but
other files on Unix systems contain passwords and private keys so it is
a well understood problem. It is possible to protect these files using
a restricted file mode.
Possibly the if clause could be extended so that an option can be added
to specify that the batch process really is non-interactive (or,
alternatively, that the batch process can be interrupted to ask for the
passphrase if necessary).
I think that would be complex, but I don't rule it out completely.
I'm changing the severity of this bug to wishlist, for future pondering
whether something like that can be implemented.
/Simon
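The restricted-file-mode protection mentioned in the reply, as an added example that is not part of the original message or of certtool: a hypothetical helper, `open_private_template`, refuses a template unless it is a regular file owned by the caller with no group or other permission bits. The temporary file in `main` is constructed sample input.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW and mkstemp */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not certtool code): open a template that may hold
 * a passphrase only if it is a regular file owned by the caller with no
 * group/other permission bits. Returns a read-only fd, or -1. */
int open_private_template(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink as the final path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat the descriptor so the checks cover the file actually read,
     * not whatever the path names a moment later. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample: a temporary file standing in for a template. */
    char path[] = "/tmp/template-XXXXXX";
    int tmp = mkstemp(path);              /* created with mode 0600 */
    if (tmp < 0)
        return 1;
    int ok = open_private_template(path);
    printf("mode 0600: %s\n", ok >= 0 ? "accepted" : "rejected");
    if (ok >= 0)
        close(ok);
    fchmod(tmp, 0644);                    /* now world-readable */
    int bad = open_private_template(path);
    printf("mode 0644: %s\n", bad >= 0 ? "accepted" : "rejected");
    if (bad >= 0)
        close(bad);
    close(tmp);
    unlink(path);
    return 0;
}
```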