severity 522281 wishlist
thanks

Matthew King <matthew.k...@monnsta.net> writes:

> Package: gnutls-bin
> Version: 2.4.2-6+lenny1
>
> If you attempt to use a pkcs8 private key with a template file, and that
> template file does not specify the passphrase, certtool exits with an
> error:
>
> certtool: importing --load-privkey: ca-key.pem: Decryption has failed.
>
> I am not sure which is worse - putting the passphrase in the template
> file or asking questions in batch mode, but the patch to allow the
> latter is simple:
>
> --- src/certtool-cfg.c~ 2008-09-15 21:04:19.000000000 +0100 > +++ src/certtool-cfg.c 2009-04-02 11:40:57.000000000 +0100 > @@ -301,7 +301,7 @@ > const char * > get_pass (void) > { > - if (batch) > + if (batch && !(cfg.password == NULL || *cfg.password == '\0')) > return cfg.password; > else > return getpass ("Enter password: ");

Thanks for the report, and sorry for the long delay in responding.

I believe an error message in this situation is reasonable: the reason
for the template mode is to avoid interactive questions. It would be
wrong to ask questions for missing data in a template. Specifying a
password in a template file is a security concern, but other files on
Unix systems contain passwords and private keys so it is a well
understood problem. It is possible to protect these files using a
restricted file mode.

> Possibly the if clause could be extended so that an option can be added
> to specify that the batch process really is non-interactive (or,
> alternatively, that the batch process can be interrupted to ask for the
> passphrase if necessary).

I think that would be complex, but I don't rule it out completely. I'm
changing the severity of this bug to wishlist, for future pondering
whether something like that can be implemented.

/Simon
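
Review bot: in get_pass, the new condition sends a batch run whose cfg.password is NULL or empty to getpass ("Enter password: "), so a template-driven run now stops for terminal input with nothing in the code to say that a prompt is acceptable. Consider gating the fallback on an explicit option, or on a check that the process has a terminal, and returning an error otherwise. The double negation would also read more directly as cfg.password != NULL && *cfg.password != '\0', and an intentionally empty passphrase given in the template can no longer be expressed, because it is treated the same as a missing one.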