Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1250020
| Summary: | gnutls_x509_privkey_import can no longer import some private keys | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Berrangé <berrange> | ||||
| Component: | gnutls | Assignee: | Nikos Mavrogiannopoulos <nmavrogi> | ||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 23 | CC: | nmavrogi, tmraz | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 3.4.4-1.fc23 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-09-01 03:37:18 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1059045 [details]
Demo program
Thanks. I've committed a fix upstream. https://gitlab.com/gnutls/gnutls/commit/3573c516a1cf1adc0df3b4caaeec64f55753016d gnutls-3.4.4-1.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/gnutls-3.4.4-1.fc23 Package gnutls-3.4.4-1.fc23: * should fix your issue, * was pushed to the Fedora 23 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing gnutls-3.4.4-1.fc23' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-13287/gnutls-3.4.4-1.fc23 then log in and leave karma (feedback). gnutls-3.4.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The gnutls_x509_privkey_import method is no longer able to load private keys with a starting signature of: -----BEGIN PRIVATE KEY----- It can only load keys which mention an explicit algorithm The gnutls_x509_privkey_import2 method succeeds, which is why certtool --infile blah -k does not show any problem The problem appears to have been caused by this commit in 3.4.3: commit 0debaca946b74c66e67ed1a86c671ec3573b779a Author: Nikos Mavrogiannopoulos <nmav> Date: Thu Jun 25 15:08:54 2015 +0200 gnutls_x509_privkey_import: optimized private key loading Originlly the result would get set to GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR But now it gets set to GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; As a result, when the code jumsp to the 'failover' label it no longer triggers the PKCS#8 fallback path failover: /* Try PKCS #8 */ if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) { _gnutls_debug_log ("Falling back to PKCS #8 key decoding\n"); result = gnutls_x509_privkey_import_pkcs8(key, data, format, NULL, GNUTLS_PKCS_PLAIN); } This regression is breaking the libvirt test suite which uses the import method. Version-Release number of selected component (if applicable): 3.4.3 How reproducible: Always Steps to Reproduce: 1. Save attached demo to priv.c 2.gcc `pkg-config --cflags --libs gnutls` -o priv priv.c 3. ./priv Actual results: Failed to import key The requested data were not available. Aborted (core dumped) Expected results: Loads the private key Additional info: