Bug 657247 – Support encrypted PEM key files in GTlsCertificate

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 657247 - Support encrypted PEM key files in GTlsCertificate


Summary:	Support encrypted PEM key files in GTlsCertificate


Status:	RESOLVED OBSOLETE

Product:	glib
Classification:	Platform
Component:	network
Version:	unspecified
Hardware:	Other Linux

Importance:	Normal enhancement
Target Milestone:	---
Assigned To:	gtkdev
QA Contact:	gtkdev

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2011-08-24 14:05 UTC by Stef Walter
Modified:	2018-05-29 06:45 UTC

See Also:
GNOME target:	---
GNOME version:	---

Description Stef Walter 2011-08-24 14:05:04 UTC

And use g_tls_interaction_ask_password() to prompt for their password when needed.

Need to look at how this would be done in the gnutls backend.

Comment 1 Stef Walter 2011-08-24 14:22:45 UTC

It turns out that gnutls doesn't support the specific encrypted format that openssl uses (which nobody else really supports).

So we would need to use PKCS#8, which is the standard anyway (and gnutls uses that). We should support both the encrypted and non-encrypted PKCS#8.

Looking this over quickly. Here's what this would involve in glib:

 * Extending parse_private_key() in gtlscertificate.c to detect the new PEM 
   header(s) as a valid private key type. 

And here's what it would involve in glib-networking:

 * Change g_tls_certificate_gnutls_get_key(), to accept a GTlsInteraction and
   be able to return an error.
 * Changing around GTlsCertificateGnutls so it doesn't try to import the
   key into gnutls until the key is asked for via 
   g_tls_certificate_gnutls_get_key()
 * In g_tls_certificate_gnutls_get_key() use the GTlsInteraction ask_password()
   to prompt for a password if it's an encrypted key, and pass that password
   to gnutls_x509_privkey_import_pkcs8()

Hmmm, but it looks like there is a showstopper. Unlike libgcr's GcrParser which automatically detects the format, gnutls_x509_privkey_import_pkcs8() wants the exact encryption format of the key. This makes it pretty much unusable. Groan...

I'll have to think about this some more.

Maybe the best solution is just to use the PKCS#11 database for anything but the simplest of use cases (ie: which would be the current unencrypted keys).

Comment 2 Dan Winship 2011-08-24 15:23:44 UTC

(In reply to comment #1)
> So we would need to use PKCS#8, which is the standard anyway (and gnutls uses
> that). We should support both the encrypted and non-encrypted PKCS#8.

PKCS is good. Might want PKCS#12 support at some point too.

> Hmmm, but it looks like there is a showstopper. Unlike libgcr's GcrParser which
> automatically detects the format, gnutls_x509_privkey_import_pkcs8() wants the
> exact encryption format of the key. This makes it pretty much unusable.

Well, you can just try parsing it with each format until you don't get back a "can't parse" error?

> Maybe the best solution is just to use the PKCS#11 database for anything but
> the simplest of use cases (ie: which would be the current unencrypted keys).

Random (possibly dumb) thought: could you import PKCS#8/12 files as GTlsDatabases instead of as GTlsCertificates?

Comment 3 Stef Walter 2011-08-25 13:14:12 UTC

(In reply to comment #2)
> > Maybe the best solution is just to use the PKCS#11 database for anything but
> > the simplest of use cases (ie: which would be the current unencrypted keys).
> 
> Random (possibly dumb) thought: could you import PKCS#8/12 files as
> GTlsDatabases instead of as GTlsCertificates?

Yes, that might be possible. I've actually been tossing around the idea of a  simple PKCS#11 module that exposes multiple PKCS#8/#12/PEM files as different slots. But a GTlsDatabase might work well too. In fact we could extend GTlsFileDatabase with support for loading files other than the anchors.

Comment 4 Dan Winship 2011-11-19 01:33:29 UTC

We now at least support unencrypted PKCS#8 keys (bug 664321)

Comment 5 David Woodhouse 2015-06-04 12:19:00 UTC

I think GnuTLS does now support the OpenSSL encrypted format. If not, it's certainly handled by import_openssl_pem() in OpenConnect's openssl.c.

Comment 6 David Woodhouse 2015-06-04 12:20:08 UTC

Er, in OpenConnect's gnutls.c I mean: http://git.infradead.org/users/dwmw2/openconnect.git/blob/35542d52:/gnutls.c#l711

Comment 7 GNOME Infrastructure Team 2018-05-24 13:19:05 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib/issues/441.

Comment 8 Michael Catanzaro 2018-05-25 16:36:28 UTC

Reopening. This bug was migrated to https://gitlab.gnome.org/GNOME/glib, but it should have been migrated to https://gitlab.gnome.org/GNOME/glib-networking.

Comment 9 Christoph Reiter (lazka) 2018-05-29 06:45:18 UTC

-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/glib-networking/issues/29.