On Tue, Sep 01, 2009, Willy Weisz wrote:

> Being unable to use a PKCS#12 file created by openSSL with 3 different
> applications - Java jarsigner, Firefox/Thunderbird and KeyStoreBuilder
> of the package "not-yet-commons-ssl"
> <http://juliusdavies.ca/commons-ssl/> - I think that the problem may
> well be attributed to an error in the PKCS#12 file.
>
> All 3 errors are due to the use of the "friendlyName" in the PKCS#12 file.
> Even though the Mozilla products don't explain why they don't accept the
> file contents, removing the friendlyName from the p12 file makes it
> acceptable.
> The java utility jarsigner and KeyStoreBuilder 0.3.9 issue the error message:
> "java.io.IOException: Attribute 1.2.840.113549.1.9.20.9.20 should have a
> value DerInputStream.getLength(): lengthTag=32, too big"
>
> OID 1.2.840.113549.1.9.20 represents "PKCS-9 Attribute : friendlyName".
>
> KeyStoreBuilder even tracks the error:
>
> java.io.IOException: Attribute 1.2.840.113549.1.9.20 should have a value
> DerInputStream.getLength(): lengthTag=32, too big.
>     at sun.security.pkcs12.PKCS12KeyStore.loadSafeContents(PKCS12KeyStore.java:1426)
>     at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1291)
>     at java.security.KeyStore.load(KeyStore.java:1201)
>     at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:450)
>     at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:341)
>     at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:98)
>     at org.apache.commons.ssl.KeyStoreBuilder.main(KeyStoreBuilder.java:540)
>
> Even though the problem may be attributed to the applications, I suspect
> that the fact that it happens with 3 applications rather points to an
> error in the PKCS#12 file.
>
I have not had any issues with friendlyName attributes in PKCS#12 files.
What version of OpenSSL are you using?

That error suggests the friendlyName might be too long, have you tried a
smaller one?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
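
An added example, not part of the original thread and not code from OpenSSL or the Java keystore: it DER-encodes the friendlyName attribute (OID 1.2.840.113549.1.9.20, a SET holding one BMPString) and reads it back with a strict length reader, so the length octets behind a message such as "lengthTag=32, too big" can be checked on a dumped attribute. The function names and the four-octet length limit are assumptions made for this example.

```python
# Added example: DER encoding of the PKCS#9 friendlyName attribute.
FRIENDLY_NAME_OID = bytes.fromhex("06092a864886f70d010914")  # 1.2.840.113549.1.9.20
MAX_LEN_OCTETS = 4  # assumption: limit modelled on the "lengthTag=..., too big" error

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_friendly_name(name):
    """Attribute ::= SEQUENCE { OID, SET OF BMPString } (BMPString is UTF-16BE)."""
    value = tlv(0x1E, name.encode("utf-16-be"))
    return tlv(0x30, FRIENDLY_NAME_OID + tlv(0x31, value))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos), rejecting lengths the reader cannot hold."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F  # long form: low 7 bits count the length octets
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        if n > MAX_LEN_OCTETS:
            raise ValueError(f"lengthTag={n}, too big")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_friendly_name(attr):
    tag, seq, _ = read_tlv(attr, 0)
    if tag != 0x30 or not seq.startswith(FRIENDLY_NAME_OID):
        raise ValueError("not a friendlyName attribute")
    tag, values, _ = read_tlv(seq, len(FRIENDLY_NAME_OID))
    if tag != 0x31 or not values:
        raise ValueError("Attribute 1.2.840.113549.1.9.20 should have a value")
    tag, text, _ = read_tlv(values, 0)
    if tag != 0x1E:
        raise ValueError("friendlyName is not a BMPString")
    return text.decode("utf-16-be")
```
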