Hi Steve,
Thanks a lot for the reply.
Attached herewith are the sample code, a pkcs12 key store, and two sample self-signed certificates (x, y) that were exported. Both were exported with the password "1234" to the keystore "store.pfx". BTW, I don't really know about the local key ID attribute you mentioned. Is it the unique key to identify a key/cert pair in a key store?
Besides, there is no way to give such a thing in the parse() function.
Giving the same password might appear to be a rare case. But that doesn't mean it'll never happen.
Cheers,
Kaushalye

Dr. Stephen Henson wrote:
On Tue, Nov 21, 2006, Kaushalye Kapuruge wrote:

Hi list,
I'm still waiting for an answer to the above questions. I did this little experiment.

1. I created a pkcs#12 store and created two self-signed certificates (say x and y).
2. Both were exported "with the same password" to the store (y after x).
3. Then I wrote a program to extract these certificates from the key store.
4. The program uses d2i_PKCS12_bio() and PKCS12_parse(p12, pass, pkey, cert, ca) to load certificates.

Since we give only the password and the PKCS12 * to get the certificate and the pkey, it always returns the last certificate that we exported with the same password. So, in this way, if someone has exported a certificate with a password that's been used before, the latter certificate will override the former without any warnings. Is my conclusion valid? Or is there any other way to extract a certificate rather than PKCS12_parse? Moreover, I expected that the method signature would take a fingerprint of a certificate, but it does not.


It isn't clear from your description which key corresponds to which
certificate. The PKCS12_parse() function will only retrieve a single matching
certificate and key pair based on the local key ID attribute.

Some PKCS#12 code adds local key ID to all certificates whether they have a
key or not.
It isn't really possible to say what is going on without seeing a sample
PKCS#12 file or printing out the attributes with the pkcs12 utility.

You can manually parse a PKCS#12 file using the same technique as the pkcs12
utility but that is rather messy.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


/* pkread.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
#include <openssl/bio.h>
#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>   /* i2s_ASN1_INTEGER() */
#include <openssl/evp.h>

/* Simple PKCS#12 file reader: writes out the key/cert pair that
 * PKCS12_parse() selects, plus any other certificates found in the store. */

int main(int argc, char **argv)
{
    FILE *fp;
    EVP_PKEY *pkey = NULL;
    X509 *cert = NULL;
    STACK_OF(X509) *ca = NULL;
    PKCS12 *p12;
    int i;
    char issuer_name[256];
    char subject[256];

    if (argc != 4) {
        fprintf(stderr, "Usage: pkread p12file password opfile\n");
        exit(1);
    }
    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    if (!(fp = fopen(argv[1], "rb"))) {
        fprintf(stderr, "Error opening file %s\n", argv[1]);
        exit(1);
    }
    p12 = d2i_PKCS12_fp(fp, NULL);
    fclose(fp);
    if (!p12) {
        fprintf(stderr, "Error reading PKCS#12 file\n");
        ERR_print_errors_fp(stderr);
        exit(1);
    }

    /* Only the private key and the one certificate whose localKeyID matches
     * it come back in pkey/cert; every other certificate bag lands in ca. */
    if (!PKCS12_parse(p12, argv[2], &pkey, &cert, &ca)) {
        fprintf(stderr, "Error parsing PKCS#12 file\n");
        ERR_print_errors_fp(stderr);
        exit(1);
    }
    PKCS12_free(p12);

    if (!(fp = fopen(argv[3], "w"))) {
        fprintf(stderr, "Error opening file %s\n", argv[3]);
        exit(1);
    }
    if (pkey) {
        fprintf(fp, "***Private Key***\n");
        PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
    }
    if (cert) {
        ASN1_INTEGER *ai;
        char *rep;

        fprintf(fp, "***User Certificate***\n");
        PEM_write_X509_AUX(fp, cert);

        /* X509_NAME_oneline() returns NULL on failure; test its result rather
         * than the array, which is never NULL. */
        if (X509_NAME_oneline(X509_get_issuer_name(cert), issuer_name, sizeof(issuer_name)))
            printf("Issuer Name : %s\n", issuer_name);
        if (X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject)))
            printf("Subject : %s\n", subject);

        ai = X509_get_serialNumber(cert);
        if (ai && (rep = i2s_ASN1_INTEGER(NULL, ai)) != NULL) {
            printf("Serial Number :%s\n", rep);
            OPENSSL_free(rep);   /* i2s_ASN1_INTEGER() allocates the string */
        }
    }
    if (ca && sk_X509_num(ca)) {
        fprintf(fp, "***Other Certificates***\n");
        for (i = 0; i < sk_X509_num(ca); i++)
            PEM_write_X509_AUX(fp, sk_X509_value(ca, i));
    }
    fclose(fp);

    sk_X509_pop_free(ca, X509_free);
    X509_free(cert);
    EVP_PKEY_free(pkey);
    return 0;
}

Attachment: store.pfx
Description: Binary data
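An added example, not part of the thread or of the OpenSSL project: it rebuilds a two-certificate store with the openssl CLI (constructed throwaway keys x and y, password 1234 as in the thread), dumps the bag attributes the way Steve suggests, and shows that only the certificate carrying a localKeyID is the one PKCS12_parse() hands back while the other comes back in the ca stack. It assumes an openssl binary on PATH; since the CLI can export only one private key, y goes in as an extra certificate rather than a second key pair.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild a two-certificate PKCS#12 with
# the openssl CLI and show which certificate PKCS12_parse() would select.
set -e

# make_store DIR: two self-signed pairs x and y (constructed throwaway keys),
# x's key+cert exported to DIR/store.pfx with y as an extra cert, password 1234.
# The CLI can export only one private key, so y rides along as a bare cert.
make_store() {
    for n in x y; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -out "$1/$n.crt" -subj "/CN=$n" -days 1 >/dev/null 2>&1
    done
    openssl pkcs12 -export -inkey "$1/x.key" -in "$1/x.crt" \
        -certfile "$1/y.crt" -out "$1/store.pfx" -passout pass:1234
}

# count_certs STORE: number of certificate bags in the store.
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:1234 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# count_localkeyid STORE: certificate bags carrying a localKeyID attribute.
# This is the attribute dump Steve recommends; only the cert that was paired
# with the key gets a localKeyID, which is what PKCS12_parse() matches on.
count_localkeyid() {
    openssl pkcs12 -in "$1" -info -nokeys -passin pass:1234 2>/dev/null \
        | grep -c 'localKeyID' || true
}

# parsed_subject STORE: CN of the cert PKCS12_parse() hands back, i.e. the
# one whose localKeyID matches the key bag (-clcerts applies the same rule).
parsed_subject() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:1234 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Demo run: y is in the store but, lacking a localKeyID, it is never "the"
# certificate; it comes back in the ca stack, as in the reader above.
WORK=$(mktemp -d)
make_store "$WORK"
echo "certificate bags  : $(count_certs "$WORK/store.pfx")"
echo "with localKeyID   : $(count_localkeyid "$WORK/store.pfx")"
echo "PKCS12_parse cert : CN=$(parsed_subject "$WORK/store.pfx")"
openssl pkcs12 -in "$WORK/store.pfx" -info -nokeys -passin pass:1234 2>/dev/null \
    | grep -E 'Bag Attributes|localKeyID|friendlyName|subject='
rm -rf "$WORK"
```

If a store really holds two key pairs, as in the experiment above, `openssl pkcs12 -info` will show a localKeyID on both certificate bags, and the pair PKCS12_parse() picks depends on which key bag it meets first.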
