Bug? Password-protected cert import - no interactive prompt

Hi, I’m using RouterOS 7.13 and found that it does not ask for a password when importing password-protected certificates:

[admin@MICL] /> /certificate/import file-name=ttt.pem 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0

while it works when specifying the passphrase explicitly:

[admin@MICL] /> /certificate/import file-name=ttt.pem passphrase=foobar
     certificates-imported: 1
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

Is it a bug or a feature? If it’s a feature, it’s a pretty bad feature, because printing the password on the screen is somewhat of a security compromise.

File ttt.pem was generated in the following way:

export OPASS=foobar
openssl genrsa -aes192 -out ttt-key.pem -passout env:OPASS 2048
openssl req -new -config etc/client.conf -out ttt.csr -key ttt-key.pem -subj "/CN=ttt/O=ORG/OU=ORGU/"
openssl ca -config etc/signing-ca.conf -in ttt.csr -out ttt.crt -extensions client_ext
cat ttt.crt ttt-key.pem > ttt.pem

where openssl rsa -in ttt-key.pem asks for a password.

Or am I missing something, and should the PEM be generated in another way to be imported with a password prompt?

Thank you.
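As an added example (not part of the thread or of RouterOS), a small POSIX sh checker that scans a combined cert+key PEM like the ttt.pem built above and reports whether its private key is encrypted, so the operator knows before the import that passphrase= will be required instead of discovering it from private-keys-imported: 0. The sample PEM it writes is constructed with placeholder bodies, not real key material.

```shell
#!/bin/sh
# Added example, not from the forum thread: scan a combined cert+key PEM
# (like ttt.pem above) before importing it into RouterOS, so the operator
# knows whether passphrase= is needed. Plain text scan, no openssl required.
# OpenSSL marks password-protected keys in two ways:
#   PKCS#8 : "-----BEGIN ENCRYPTED PRIVATE KEY-----"
#   legacy : "-----BEGIN RSA PRIVATE KEY-----" + "Proc-Type: 4,ENCRYPTED"

# Print "certs=N plain_keys=N encrypted_keys=N" for the PEM file given in $1.
pem_summary() {
  certs=0; plain=0; enc=0; in_key=0; key_enc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "-----BEGIN CERTIFICATE-----")           certs=$((certs + 1)) ;;
      "-----BEGIN ENCRYPTED PRIVATE KEY-----") enc=$((enc + 1)) ;;
      "-----BEGIN "*"PRIVATE KEY-----")        in_key=1; key_enc=0 ;;
      "Proc-Type: 4,ENCRYPTED")                key_enc=1 ;;
      "-----END "*"PRIVATE KEY-----")
        if [ "$in_key" -eq 1 ]; then
          if [ "$key_enc" -eq 1 ]; then enc=$((enc + 1)); else plain=$((plain + 1)); fi
          in_key=0
        fi ;;
    esac
  done < "$1"
  printf 'certs=%s plain_keys=%s encrypted_keys=%s\n' "$certs" "$plain" "$enc"
}
# Exit 0 when at least one private key is encrypted: the RouterOS import then
# needs passphrase=, otherwise the key is silently skipped (as in the OP's run).
pem_needs_passphrase() {
  case "$(pem_summary "$1")" in *"encrypted_keys=0") return 1 ;; *) return 0 ;; esac
}

# Constructed sample in the layout of ttt.pem (cert, then a legacy AES-encrypted
# RSA key); the base64 bodies are dummy placeholders, not real key material.
write_sample_pem() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUPLACEHOLDERCERT
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
PLACEHOLDERENCRYPTEDKEYBODY
-----END RSA PRIVATE KEY-----
EOF
}

tmp=$(mktemp) && write_sample_pem "$tmp"
pem_summary "$tmp"     # certs=1 plain_keys=0 encrypted_keys=1
pem_needs_passphrase "$tmp" && echo "private key is encrypted: import needs passphrase="
rm -f "$tmp"
```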

Yeah, I’m asking why RouterOS does not ask for the password interactively if it’s omitted from the command arguments :)

Sorry again, but I consider the need to specify the password as an argument to the command a security issue: in this case it can be visible to people who aren’t considered trusted. Accidentally, but no matter. The old behavior, asking for the password if it’s missing from the command’s arguments, was good practice.

It seems I don’t understand you. A passphrase is required when you’re importing a password-protected certificate into RouterOS. Like when you’re importing a certificate into Azure Key Vault, for example. You distribute the certificate as password-protected and need to use it when you export this certificate into any certificate storage.

And when I need to expose the password by typing it as an argument to the command, I need to turn my head left and right to make sure no one sees the password typed on the screen. That’s the only problem I’m talking about. In earlier versions of RouterOS it asked interactively, without echo, if no password was provided. And I’d like to see this back.

The password is necessary to successfully import a certificate which contains a password-protected private key, no way around it. You’re suggesting creating the private key file without password protection, but for someone paranoid enough to trip over the possibility that somebody sees the command line just executed, the possibility of having a passwordless private key is clearly a no-no. So while you don’t seem to bother about the OP’s issue, I agree with the OP: ROS should prompt for the password if it encounters a password-protected private key and the password is not passed on the command line.

It’s really simple. Imagine that you have a certificate with an encrypted private key and you want to import it. Don’t think about why there’s a password; perhaps you got it like that from someone else. It doesn’t matter. Don’t you think that RouterOS should be smart enough to ask for the password if you don’t specify it? Previous versions (v6) did.