Bug#522281: certtool does not ask for a key's passphrase if it is using a template

Matthew King matthew.king at monnsta.net
Thu Apr 2 10:49:58 UTC 2009


Package: gnutls-bin
Version: 2.4.2-6+lenny1

If you attempt to use a pkcs8 private key with a template file, and that
template file does not specify the passphrase, certtool exits with an
error:

certtool: importing --load-privkey: ca-key.pem: Decryption has failed.

I am not sure which is worse - putting the passphrase in the template
file or asking questions in batch mode, but the patch to allow the
latter is simple:

--- src/certtool-cfg.c~ 2008-09-15 21:04:19.000000000 +0100
+++ src/certtool-cfg.c  2009-04-02 11:40:57.000000000 +0100
@@ -301,7 +301,7 @@
 const char *
 get_pass (void)
 {
-  if (batch)
+  if (batch && !(cfg.password == NULL || *cfg.password == '\0'))
     return cfg.password;
   else
     return getpass ("Enter password: ");
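Review bot: On the changed `if (batch && ...)` line, a batch run whose template has no password now falls through to `getpass ("Enter password: ")`, so an unattended invocation waits for input where it previously returned straight away and failed at decryption. Consider gating the prompt on an explicit option or on a terminal being present, as the paragraph after the patch suggests. The value from getpass() is returned unchecked and can be NULL on error, so the caller has to handle that case. The condition would read more easily as `batch && cfg.password != NULL && *cfg.password != '\0'`. Note also that a template which deliberately sets an empty password is now treated the same as one that sets none.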


Possibly the if clause could be extended so that an option can be added
to specify that the batch process really is non-interactive (or,
alternatively, that the batch process can be interrupted to ask for the
passphrase if necessary).

Matthew

-- 
I must take issue with the term "a mere child", for it has been my
invariable experience that the company of a mere child is infinitely
preferable to that of a mere adult.
                                           --  Fran Lebowitz
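
The option suggested in the closing paragraph of the report, sketched as an added example (not code from certtool or from the patch above). `no_prompt`, `choose_pass_source`, `resolve_pass` and `fake_prompt` are hypothetical names, and the prompt is passed in as a function so the decision can be exercised without a terminal.

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* All names below are hypothetical; none of them exist in certtool. */
enum pass_source { PASS_FROM_TEMPLATE, PASS_FROM_PROMPT, PASS_UNAVAILABLE };

struct pass_policy {
  int batch;            /* a template file is in use */
  int no_prompt;        /* assumed option: never ask, even with a terminal */
  const char *password; /* template value; may be NULL or "" */
};

/* Decide where the passphrase comes from, without reading anything. */
enum pass_source
choose_pass_source (const struct pass_policy *p, int have_tty)
{
  if (p->batch && p->password != NULL && *p->password != '\0')
    return PASS_FROM_TEMPLATE;
  if (p->no_prompt || !have_tty)
    return PASS_UNAVAILABLE;    /* fail fast instead of blocking on input */
  return PASS_FROM_PROMPT;
}

/* prompt stands in for getpass(); NULL means no passphrase was obtained. */
const char *
resolve_pass (const struct pass_policy *p, int have_tty,
              const char *(*prompt) (const char *))
{
  switch (choose_pass_source (p, have_tty))
    {
    case PASS_FROM_TEMPLATE: return p->password;
    case PASS_FROM_PROMPT:   return prompt ("Enter password: ");
    default:                 return NULL;
    }
}

/* Constructed stand-in for an interactive prompt, so the demo runs offline. */
static const char *fake_prompt (const char *msg) { (void) msg; return "typed"; }

int
main (void)
{
  struct pass_policy unattended = { 1, 1, NULL };
  const char *pw = resolve_pass (&unattended, isatty (STDIN_FILENO), fake_prompt);
  printf ("unattended, no template password: %s\n", pw ? pw : "(refused)");
  return pw == NULL ? 0 : 1;
}
```

Checking standard input with isatty() is only an approximation of whether a prompt can be answered; a caller that gets NULL back should report the missing passphrase and exit non-zero.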




