Lee Chuk Munn -Sun Service wrote:
>
> Hi, I've got the following question: what is the difference between the PKCS12 cert
> generated by "openssl pkcs12 -export" and one exported by Netscape (4.7)? I did the following:
>
> 1. Exported a .p12 cert using "openssl pkcs12 -export"
> 2. Import it into Netscape
> 3. Reexport the same cert.
>
> I noticed that the sizes of the two files are different. I did an "openssl pkcs12 -info ...":
> 1. Native openssl has the following
>
> Enter Import Password:
> MAC Iteration 1
> MAC verified OK
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> Certificate bag
> Certificate bag
> PKCS7 Data
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
>
> 2. Netscape reexported:
>
> Enter Import Password:
> MAC Iteration 1
> MAC verified OK
> PKCS7 Data
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1
> Enter PEM pass phrase:
> Verifying password - Enter PEM pass phrase:
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1
> Certificate bag
> Certificate bag
>
> Does Netscape "reformat" the cert? Please email me directly as I'm not on this alias.
>
Netscape takes the input PKCS#12 file and stores it in its internal
database. When it exports it again it recreates the file from scratch.
Some versions of Netscape use a horribly inefficient form of indefinite
length encoding for PKCS#12 (which accounts for the larger file size)
and no iteration counts on keys or macs.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
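An added example, not code from the thread or from the OpenSSL project: a small Python script that parses `openssl pkcs12 -info` transcripts like the two quoted above and flags the settings a reviewer would care about (iteration counts of 1 on the MAC or the key/cert PBE, and the 40-bit RC2 cipher), plus a BER walker that counts indefinite-length constructs, the encoding form Steve attributes to Netscape's exporter. The two transcripts are the ones quoted in the question; the DER byte strings and the `MIN_ITERATIONS` threshold are constructed assumptions for illustration.

```python
"""Audit `openssl pkcs12 -info` output and count indefinite-length BER constructs.

Added example for the thread above; not part of OpenSSL. The two transcripts are
the ones quoted in the question, the DER blobs are constructed test data.
"""
import re

# Constructed sample 1: transcript of the file written by `openssl pkcs12 -export`.
OPENSSL_EXPORT = """\
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""

# Constructed sample 2: transcript of the same credential re-exported by Netscape 4.7.
NETSCAPE_EXPORT = """\
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1
Certificate bag
Certificate bag
"""

MAC_RE = re.compile(r"^MAC Iteration (\d+)")
PBE_RE = re.compile(r"^(Shrouded Keybag|PKCS7 Encrypted data): (\S+), Iteration (\d+)")

MIN_ITERATIONS = 2048  # assumed threshold: the count openssl itself used in the thread
WEAK_ALGS = {"pbeWithSHA1And40BitRC2-CBC"}  # export-strength 40-bit RC2


def parse_pkcs12_info(text):
    """Return (item, algorithm, iterations) tuples in the order -info prints them.

    The MAC line does not name its digest, so its algorithm is reported as None.
    """
    items = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            items.append(("MAC", None, int(m.group(1))))
            continue
        m = PBE_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2), int(m.group(3))))
    return items


def audit(text):
    """Return human-readable findings for low iteration counts and weak ciphers."""
    findings = []
    for item, alg, iters in parse_pkcs12_info(text):
        if iters < MIN_ITERATIONS:
            findings.append(f"{item}: iteration count {iters} < {MIN_ITERATIONS}")
        if alg in WEAK_ALGS:
            findings.append(f"{item}: weak cipher {alg}")
    return findings


def _parse_tlv(ber, pos, stats):
    """Parse one BER TLV at pos, recursing into constructed types; return end offset."""
    tag = ber[pos]
    pos += 1
    if tag & 0x1F == 0x1F:  # high-tag-number form: skip continuation octets
        while ber[pos] & 0x80:
            pos += 1
        pos += 1
    first = ber[pos]
    pos += 1
    constructed = bool(tag & 0x20)
    if first == 0x80:  # indefinite length: children until end-of-contents 00 00
        if not constructed:
            raise ValueError("indefinite length on a primitive type")
        stats["indefinite"] += 1
        while not (ber[pos] == 0x00 and ber[pos + 1] == 0x00):
            pos = _parse_tlv(ber, pos, stats)
        return pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(ber[pos:pos + n], "big")
        pos += n
    else:
        length = first
    stats["definite"] += 1
    if constructed:
        stop = pos + length
        while pos < stop:
            pos = _parse_tlv(ber, pos, stats)
        return stop
    return pos + length


def ber_stats(ber):
    """Count definite- and indefinite-length TLVs in a BER/DER blob (e.g. a .p12 file)."""
    stats = {"definite": 0, "indefinite": 0}
    pos = 0
    while pos < len(ber):
        pos = _parse_tlv(ber, pos, stats)
    return stats


# Constructed DER/BER samples: SEQUENCE { INTEGER 1, INTEGER 2 } in both encodings,
# and an indefinite SEQUENCE wrapping an indefinite constructed OCTET STRING.
DEFINITE = bytes.fromhex("3006020101020102")
INDEFINITE = bytes.fromhex("30800201010201020000")
NESTED = bytes.fromhex("3080248004014100000000")

if __name__ == "__main__":
    for name, text in (("openssl", OPENSSL_EXPORT), ("netscape", NETSCAPE_EXPORT)):
        print(name, audit(text))
    print(ber_stats(DEFINITE), ber_stats(INDEFINITE), ber_stats(NESTED))
```

To run the first half against a real file, feed it `openssl pkcs12 -info -in file.p12 -noout 2>&1` captured from a pipe; note that both transcripts in the thread show `MAC Iteration 1`, so the audit flags the MAC in the openssl-generated file as well, not only the Netscape one. To run the second half, pass `open("file.p12", "rb").read()` to `ber_stats`; a DER-only writer yields zero indefinite-length items.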