xca / Bugs / #46 Access to any database without password knowledge possible

#46 Access to any database without password knowledge possible

Status: closed

Owner: nobody

Labels: None

Priority: 5

Updated: 2007-09-06

Created: 2007-09-06

Creator: Transcendence

Private: No

Hello,

very interesting software.

Just one thing - Version 0.6.4 (Win) here on Win XP Pro:

It is possible to open and access *any* password protected database without knowing it's password by simply cancelling the password dialog.

Regards
T.

Discussion

Christian Hohnstaedt - 2007-09-06

Logged In: YES
user_id=609294
Originator: NO

...but try to export a private key.
It will fail as long as you cannot provide a password to decrypt the key.

(This is also mentioned in the documentation as intended behaviour)

Since in the database only the private keys are encrypted (3des with the default password),
the application shows everything you could see when opening the database with for example a hexeditor.

So this is a feature:
If you cancel the password dialog, you will be prompted for the password for every security related
operation like signing (creating) CSRs or certificates, importing or exporting private keys, creating revokation lists, etc.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Christian Hohnstaedt - 2007-09-06

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Transcendence - 2007-09-06

Logged In: YES
user_id=1884366
Originator: YES

Indeed, it is mentioned in the documentation and it works like you describe it. My fault - I simply overlooked that part.

Sorry and thanks for your explanation.

Regards
T.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: