On Tuesday 28 June 2016 02:59:18 chrisr wrote:
> Hi,
> 
> I'm trying to import an EC key and cert generated with openssl into an NSS
> DB but am getting this error from pk12util:
> pk12util: PKCS12 decode import bags failed:
> SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting
> to import private key.
> 
> I've tested this on Gentoo x86 with nss versions 3.23(portage),
> 3.24(portage) and 3.25 (from source) with the same result. Changing the key
> type to RSA works so I wonder if this might be bug in the EC key handling?
> 
> Steps to reproduce:
> # Create an empty NSS db
> mkdir nss
> openssl rand -base64 -out nss/pw 21
> certutil -d nss -f nss/pw -N 
> # Generate an EC key/cert
> openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 \
>     -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/CN=Test CA"
> # Export to pkcs12 format
> openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 -name Test
> # Import to nss db
> pk12util -i cert.p12 -d nss -k nss/pw
> # pk12util reports error

Using nss 3.23.0 and openssl 1.0.1 on Fedora with slightly different commands,
I can't reproduce it:

mkdir nssdb
certutil -N --empty-password -d sql:nssdb/
openssl ecparam -out secp521r1.pem -name secp521r1
openssl req -x509 -newkey ec:secp521r1.pem -keyout localhost.key \
    -out localhost.crt -subj /CN=localhost -nodes -batch
openssl pkcs12 -export -passout pass: -out localhost.p12 -inkey localhost.key \
    -in localhost.crt
pk12util -i localhost.p12 -d sql:nssdb/ -W ''
certutil -L -d sql:nssdb/ -n localhost -a | openssl x509 -noout -text

So it doesn't look to me like a problem with EC keys specifically.

Which version of OpenSSL are you using?
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
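A scripted version of the reporter's steps, added here as an example that is not part of the thread. It assumes openssl, certutil and pk12util are on PATH (it does nothing if any is missing); the WORK and CURVE variables and the function names are this script's own. Instead of stopping at pk12util's error it captures the message, classifies it, and prints the facts the two posts' setups could differ in: the OpenSSL version, whether the private key carries a named-curve OID or explicit curve parameters, and the PBE used for the PKCS#12 key bag.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce EC key -> PKCS#12 -> NSS import
# and, when pk12util fails, print the details needed to narrow the cause down.
set -eu

WORK=${WORK:-$(mktemp -d)}     # scratch directory (constructed default)
CURVE=${CURVE:-secp521r1}      # curve from the original report

# Classify pk12util's output so the key-bag failure from the thread can be
# told apart from a wrong PKCS#12 password or an unrelated error.
classify_pk12util_error() {
    case "$1" in
        *SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY*) echo key_import ;;
        *SEC_ERROR_BAD_PASSWORD*)                echo bad_password ;;
        *)                                       echo other ;;
    esac
}

# Report whether an EC private key carries a named-curve OID or explicit
# domain parameters (one thing to compare between the two posters' setups).
# Assumption: "openssl ec -text" prints an "ASN1 OID:" line only for named curves.
ec_param_encoding() {
    if openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'ASN1 OID:'; then
        echo named_curve
    else
        echo explicit_params
    fi
}

have_tools() {
    for t in openssl certutil pk12util; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

run_repro() {
    have_tools || { echo "openssl/certutil/pk12util not all on PATH; nothing run"; return 0; }
    cd "$WORK" && mkdir -p nss || return 1
    # Empty NSS DB protected by a random password file, as in the report.
    openssl rand -base64 -out nss/pw 21 || return 1
    certutil -d nss -f nss/pw -N || return 1
    # Self-signed EC cert; -pkeyopt needs OpenSSL 1.0.2 or newer.
    openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$CURVE" \
        -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/CN=Test CA" \
        2>/dev/null || return 1
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 \
        -name Test -passout pass: || return 1
    # Capture pk12util's message instead of letting set -e abort the script.
    if err=$(pk12util -i cert.p12 -d nss -k nss/pw -W '' 2>&1); then
        echo "import OK: $(certutil -L -d nss | grep -c Test) cert(s) named Test"
        return 0
    fi
    echo "import failed ($(classify_pk12util_error "$err")): $err"
    echo "openssl: $(openssl version)"
    echo "key parameter encoding: $(ec_param_encoding key.pem)"
    # Key-bag encryption as written by this openssl; NSS has to support it.
    openssl pkcs12 -in cert.p12 -info -noout -passin pass: 2>&1 | grep -i pbe || true
    return 0
}

run_repro || echo "a setup step failed; files are in $WORK"
```

Running it on both machines and comparing the three printed lines (OpenSSL version, key parameter encoding, key-bag PBE) is the quickest way to answer the version question at the end of the reply.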
