Mailing List Archive

PKCS#12 password length limit in sm/minip12.c
Hello, everyone

Currently, GnuPG cannot import PKCS#12 files protected with passwords
longer than 31 bytes, giving a long series of error messages while
trying to interpret the given password with all implemented character
sets.

Before I file a bug report: Is there any good reason for limiting the
password length for PKCS#12 files to 63/2 = 31 bytes in line 354 of
"sm/minip12.c"?

Neither in the comments nor in the code below can I find any reason for
a limit smaller than 63 bytes, and other software like OpenSSL allows
for even longer passwords.

Should there be no such reason, I'd suggest modifying the limit in line
354 of "sm/minip12.c". I did not test it, but as far as I can see, the
rest of the code can handle up to 63 bytes, so this might be a
reasonable limit forced by the current implementation.

Best regards
--
Rainer Perske
System Services + Head of the Certification Authority (WWUCA)
--
Westfälische Wilhelms-Universität (WWU) Münster
WWU IT
Rainer Perske, System Services
Röntgenstraße 7-13, Room 006
48149 Münster
Tel.: +49 251 83-31582
E-Mail: rainer.perske@uni-muenster.de
Website: www.uni-muenster.de/it

Certification Authority (WWUCA):
Tel.: +49 251 83-31590
E-Mail: ca@uni-muenster.de
WWW: www.uni-muenster.de/wwuca
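As an added illustration (not code from GnuPG's minip12.c), the following encoder produces the password form PKCS#12 key derivation uses (RFC 7292, Appendix B.1: each character as two big-endian UCS-2 bytes, followed by a two-byte NUL terminator), which is why a fixed byte buffer bounds the password to roughly half its size in characters. The buffer size is a parameter here and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* Encode a UTF-8 password as the PKCS#12 BMPString form (RFC 7292 B.1):
   two big-endian bytes per character plus a two-byte NUL terminator.
   Returns the number of bytes written, or -1 if the input is malformed,
   contains a character outside the Basic Multilingual Plane, or would
   not fit into out[outlen]. Overlong UTF-8 forms are not rejected here. */
static int pkcs12_password_to_bmpstring(const char *pw,
                                        unsigned char *out, size_t outlen)
{
  size_t n = 0;
  const unsigned char *p = (const unsigned char *)pw;

  while (*p) {
    uint32_t cp;
    int len;
    if (*p < 0x80)              { cp = *p;        len = 1; }
    else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; len = 2; }
    else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; len = 3; }
    else return -1;                 /* 4-byte sequences lie outside the BMP */
    for (int i = 1; i < len; i++) {
      if ((p[i] & 0xC0) != 0x80) return -1;   /* truncated or bad byte */
      cp = (cp << 6) | (p[i] & 0x3F);
    }
    if (n + 2 > outlen) return -1;  /* character would overflow buffer */
    out[n++] = (unsigned char)(cp >> 8);
    out[n++] = (unsigned char)(cp & 0xFF);
    p += len;
  }
  if (n + 2 > outlen) return -1;    /* no room for the NUL terminator */
  out[n++] = 0;
  out[n++] = 0;
  return (int)n;
}

/* Largest password length in characters that fits a buffer of outlen
   bytes in this encoding: (outlen - 2 terminator bytes) / 2 per char. */
static size_t pkcs12_max_password_chars(size_t outlen)
{
  return outlen < 2 ? 0 : (outlen - 2) / 2;
}
```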
Re: PKCS#12 password length limit in sm/minip12.c
On Sun, 7 Nov 2021 14:10, Rainer Perske said:

> Before I file a bug report: Is there any good reason for limiting the
> password length for PKCS#12 files to 63/2 = 31 bytes in line 354 of
> "sm/minip12.c"?

Sorry, I can't remember why I wrote it this way 18 years ago. Maybe we
had different specs back then or the limit was a shortcut to not
implement the whole thing. But in the latter case there should have
been a note in the code.

To tell more, I would need to revisit the specs.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: PKCS#12 password length limit in sm/minip12.c
Hello,

> > Before I file a bug report: Is there any good reason for limiting the
> > password length for PKCS#12 files to 63/2 = 31 bytes in line 354 of
> > "sm/minip12.c"?

> Sorry, I can't remember why I write it this way 18 years ago. Maybe we
> had different specs back then or the limit was a shortcut to not
> implement the whole thing. But in the latter case there should have
> been a note in the code.

thank you so far!

> To tell more, I would need to revisit the specs.

Two of our users hit the limit; this is why this problem popped up.

I know that you are busy with more urgent problems but I'd be glad if
you could put it on your to-do list :-)

Best regards and many thanks from Münster
--
Rainer Perske
Re: PKCS#12 password length limit in sm/minip12.c
Hello Rainer,

On Tuesday 09 November 2021 10:21:40, Rainer Perske wrote:
> > > Before I file a bug report: Is there any good reason for limiting the
> > > password length for PKCS#12 files to 63/2 = 31 bytes in line 354 of
> > > "sm/minip12.c"?

> I'd be glad if you could put it on your to-do list :-)

usually it is helpful if you actually open a task on dev.gnupg.org
and link or quote helpful information.
For example the latest PKCS#12 specs section that deals with it or so.
This helps Werner and other devs to be fast when they have a timeslot
to work on the issue in the future.

Patches are also welcome, but would need to have a DCO.

BTW: https://wiki.gnupg.org/X.509
also has a remark and a workaround that seem to be related.
Maybe you can add a link to the new issue there.

Best Regards,
Bernhard


--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner