
Compatibility of client PKCS#12 files

From: Paul Cuthbert <paul.cuthbert_at_gmail.com>
Date: Tue, 8 Jul 2008 12:03:15 +1000

All,

Subversion 1.5.0 (and probably earlier) is unable to handle client
PKCS#12 files that are generated using the Bouncy Castle cryptographic
toolkit (Java version 139, see
http://www.bouncycastle.org/latest_releases.html). These P12 files can
be handled fine by Microsoft CAPI, Firefox and OS-X Keychain.

The svn client goes into a loop of prompting for the client PKCS#12
file password that it never breaks out of:

Passphrase for '/Users/paul/Desktop/TestUser.p12':
Passphrase for '/Users/paul/Desktop/TestUser.p12':
Passphrase for '/Users/paul/Desktop/TestUser.p12':

The issue exists using svn 1.5.0 on OS-X 10.5 (installed using Darwin
ports) and tortoisesvn.tigris.org 1.5 on Windows XP.

If the P12 file is imported into another keystore (Firefox, OS-X or
CAPI) and subsequently exported then svn can use the P12 file fine.
The issue is therefore an incompatibility between svn and bouncy
castle, and may not strictly be a bug according to the PKCS#12 spec.
The fact that the other key stores can parse the P12 fine though
suggests that svn should be made more flexible in handling P12 formats.

An example P12 file is attached, with certificate. The password is
'password'. To reproduce this issue, use this P12 to try and access
any svn repository with client SSL enabled. You do not need to set up
CA certificates, etc. because the issue occurs when svn tries to parse
the P12.

Cheers,
Paul.


Received on 2008-07-08 19:41:17 CEST
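
An added example, not part of the original mail: one way to compare the original P12 with the re-exported copy is to dump the outer PFX structure of each and diff the results. The function names are hypothetical and the sample bytes are a constructed skeleton (not a usable keystore); the output shows how two writers can differ, not which difference triggers the svn prompt loop.

```python
# Added example: walk the outer PFX structure (RFC 7292) of a PKCS#12 file.
def read_tlv(buf, pos):  # -> (tag, content_start, content_end, next_pos, indefinite)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:  # BER indefinite length: content runs to a 00 00 marker
        end = pos
        while buf[end:end + 2] != b"\x00\x00":
            end = read_tlv(buf, end)[3]
        return tag, pos, end, end + 2, True
    length = first
    if first & 0x80:  # long form: (first - 0x80) length bytes follow
        length, pos = int.from_bytes(buf[pos:pos + first - 128], "big"), pos + first - 128
    return tag, pos, pos + length, pos + length, False

def children(buf, start, end):
    out = []
    while start < end:
        tag, cs, ce, start, indef = read_tlv(buf, start)
        out.append((tag, cs, ce, indef))
    return out

def uses_indefinite(buf, start, end):  # recurse only into constructed tags (bit 0x20)
    return any(indef or (tag & 0x20 and uses_indefinite(buf, cs, ce))
               for tag, cs, ce, indef in children(buf, start, end))

def summarize_pfx(data):
    tag, cs, ce, _, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a PFX SEQUENCE")
    kids = children(data, cs, ce)  # version, authSafe, optional macData
    mac = children(data, kids[2][1], kids[2][2]) if len(kids) > 2 else None
    return {
        "version": int.from_bytes(data[kids[0][1]:kids[0][2]], "big"),
        "indefinite_lengths": uses_indefinite(data, 0, len(data)),
        "mac_iterations": None if mac is None else  # None: no macData at all
            int.from_bytes(data[mac[2][1]:mac[2][2]], "big") if len(mac) > 2 else 1,
    }

def tlv(tag, body, indef=False):  # encoder for the constructed samples only
    return bytes([tag, 0x80]) + body + b"\0\0" if indef else bytes([tag, len(body)]) + body

def sample_pfx(indef):  # constructed skeleton: version 3, empty data, SHA-1 MAC stub
    seq = lambda *parts: tlv(0x30, b"".join(parts), indef)
    auth = seq(bytes.fromhex("06092a864886f70d010701"), tlv(0xA0, tlv(0x04, b""), indef))
    mac = seq(seq(seq(bytes.fromhex("06052b0e03021a0500")), tlv(0x04, b"\0")),
              tlv(0x04, b"\0"), tlv(0x02, b"\x04\x00"))
    return seq(tlv(0x02, b"\x03"), auth, mac)

if __name__ == "__main__":
    print(summarize_pfx(sample_pfx(False)), summarize_pfx(sample_pfx(True)))
```

To use it on real files, pass the raw bytes of each P12 (for example `open(path, "rb").read()`) to `summarize_pfx` and compare the two dictionaries.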
