I am not sure if you are using the following command. It parses the certs & keys.
#openssl pkcs12 -info -nodes -in <pkcs12 input file> Thanks -Ashok On Wed, Feb 17, 2010 at 9:33 AM, Nicolas Pelloux-Prayer <nicolaspellouxpra...@gmail.com> wrote: > I'm trying to extract the cert/private key pair from a pkcs#12 file using > the PKCS12_parse method. It works fine for most p12 I used before, then I > ran into a strange p12 which doesnt work (returned cert & pkey are both > NULL). > > Its structure is : > > > ********************************************************************************************************************* >>openssl pkcs12 -in "User.p12" -info > > Enter Import Password: > MAC Iteration 2000 > MAC verified OK > PKCS7 Data > Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 > Bag Attributes > localKeyID: 01 00 00 00 > Key Attributes: <No Attributes> > > -----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,54F8D05BE328D3E7 > > n377+hfeUZS2[...] > -----END RSA PRIVATE KEY----- > Certificate bag > Bag Attributes > localKeyID: 01 00 00 00 > subject=/CN=User > User/SN=User/GN=User/L=Lyon/OU=Mobile/O=test/C=FR/emailaddress=u...@test.net > issuer=/CN=test/L=Paris/OU=NC/O=test/C=FR > -----BEGIN CERTIFICATE----- > MIIEGzCCAwO[...] > -----END CERTIFICATE----- > ********************************************************************************************************************* > > It seems to me that this p12 file could be broken, as i usually use p12 file > containing first a cert bag then a shrouded bag. This LocalKeyID seems > strange too, maybe it's the source of the problem ? > Import it in IE or firefox works fine though, so I tried to debug the inside > of PKCS12_parse to find where the parsing fails. > > As far as I understand it, the Bag order makes the asn1 parsing fail at a > point, some tests using "openssl asn1parse" command on a file containing the > certificate PEM block first then the private-key PEM block, the parsing > succeeds. When running the same command on a file containing the private-key > PEM block first then the certificate PEM block it fails (same order as in my > p12 file). These calls are logged below. > . > > I couldn't understand in the pkcs#12 norm if this order is wrong or not in > term of asn1 syntax so I wrote this little post :) . > > Could someone (in)-validate this analysis and eventually explain the whys > and hows of this issue please. > > Thanks in advance, > > Nicolas Pelloux-Prayer > > > ********************************************************************************************************************* >>openssl asn1parse -in keyfirst.pem -i -dump > > 0:d=0 hl=4 l=1189 cons: SEQUENCE > 4:d=1 hl=2 l= 1 prim: INTEGER :00 > 7:d=1 hl=4 l= 257 prim: INTEGER > :A3A4D74BE2BE77C4775260C1DEAFA4154067B61631A5F401A579FE338E83D487823 > BD19452C5D7DC68C4440F484798411DE81C4D6639855A54B3DCF0A9565C5454C4829D7AF95A1AEABF96E449D8A707447B0DCA5074FB467A3E272 > C51EBCA0DEB09529E6E99CF0BE9EC2553F0B076E7183E84F3609588CF2D0D15DA8B2DC67A652B8AC7A565ABFDFCDA0181264FBB59FBFCF15ED82 > 1ABB81785DBC08E5D00021AC50FE9FAE7FD3B475E729E18C4222EA2EDB9F > 268:d=1 hl=2 l= 3 prim: INTEGER :010001 > 273:d=1 hl=4 l= 256 prim: INTEGER > :3D6D8E67ED08A47ABA73D0E05590471EB71B774DA37B713A00FCE740413A195878B > 4F2EA239C22A899273B89250FC306868C6FBB5A293376B21F064BCCB51F5984AC737F5BFF2824BC8408C74F352595E3CDF162458B741B839DBB2 > AD20021607B0608E56091D26B95B8C62658757F9D57113D186AC72CC6422EDA3A5872B47E0F3B219900F37E8706908014F8CB2DFC6F24BE932BA > FD04218FB5BD6A0B6693925B25D0B165BA493E5913D53092645578892429 > 533:d=1 hl=3 l= 129 prim: INTEGER > :E773A7413DEE5B82C3E4468A13D2C30D8303091CA73F2DF455DE3420C57E58A809F > C9192DDD46333A1D3614CEDAF29326EF1CF062F4377E89278A8F3E984A9B323E56D8AE2D87EA76D698D04B9B2E78DE51208A6B44EB4FB9029C99 > 665:d=1 hl=3 l= 129 prim: INTEGER > :B50013F4A1D44EE350073A32BB7E616981EA22085EEF237FBCA6C4A86B8D61A1B50 > FBD0A875DC6D0F836B29F4CAB2710FD472ACAB3788DB61D7B7B45B8E19E9928F488FC963E4285339A7C4FAB17459D61A14944D3B1CD23FC561B8 > 797:d=1 hl=3 l= 129 prim: INTEGER > :BAABBB94D2174135393B0E6D64C992C97E05DFBE7D616675EF1F74D98D8F767FA8F > 6227EDA6CE6C988D60C5ED84072B09B6C69756A7F36E19BE8B7136A1EB623A66AEF2B9A03D43AC2F2E36A913F2AA475C152BAE927A5AE533A70C > 929:d=1 hl=3 l= 129 prim: INTEGER > :AC8A787B7951342A88FD7AC325ECA1DBBC167F7ECF50D3DC4EF003043212C2812E5 > AFE406D2E3DFAB2C3219FADAC723F45D273BE6B3B7E8B9EAB39A60B4A38AFF454B7C96147D48DB9D588AF417F9BC31D706CB209C3B2B49D35506 > 1061:d=1 hl=3 l= 129 prim: INTEGER > :BBD3149E16F8417CD2C183BA7D1B81FACE36A080509C9785455AAC5E8E1F9DD622D > FB89EC460F8F87B6221AE6F765B6B25588F211323187A74E68EF603FC4F703CC53E1BD74C3A07A2ED82F22555FD9CAD31BAE4582414C05FC9B06 > 1193:d=0 hl=2 l= 4 prim: appl [ 21 ] > 1199:d=0 hl=2 l= 107 cons: appl [ 18 ] > Error in encoding > 4516:error:0D07209B:asn1 encoding routines:ASN1_get_object:too > long:.\crypto\asn1\asn1_lib.c:142: > > ********************************************************************************************************************* >>openssl asn1parse -in certfirst.pem -i -dump > > 0:d=0 hl=4 l=1051 cons: SEQUENCE > 4:d=1 hl=4 l= 771 cons: SEQUENCE > 8:d=2 hl=2 l= 3 cons: cont [ 0 ] > 10:d=3 hl=2 l= 1 prim: INTEGER :02 > 13:d=2 hl=2 l= 1 prim: INTEGER :0C > 16:d=2 hl=2 l= 13 cons: SEQUENCE > 18:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption > 29:d=3 hl=2 l= 0 prim: NULL > 31:d=2 hl=2 l= 84 cons: SEQUENCE > 33:d=3 hl=2 l= 24 cons: SET > 35:d=4 hl=2 l= 22 cons: SEQUENCE > 37:d=5 hl=2 l= 3 prim: OBJECT :commonName > 42:d=5 hl=2 l= 15 prim: PRINTABLESTRING :test > 59:d=3 hl=2 l= 13 cons: SET > 61:d=4 hl=2 l= 11 cons: SEQUENCE > 63:d=5 hl=2 l= 3 prim: OBJECT :localityName > 68:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test > 74:d=3 hl=2 l= 11 cons: SET > 76:d=4 hl=2 l= 9 cons: SEQUENCE > 78:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName > 83:d=5 hl=2 l= 2 prim: PRINTABLESTRING :NC > 87:d=3 hl=2 l= 15 cons: SET > 89:d=4 hl=2 l= 13 cons: SEQUENCE > 91:d=5 hl=2 l= 3 prim: OBJECT :organizationName > 96:d=5 hl=2 l= 6 prim: PRINTABLESTRING :test > 104:d=3 hl=2 l= 11 cons: SET > 106:d=4 hl=2 l= 9 cons: SEQUENCE > 108:d=5 hl=2 l= 3 prim: OBJECT :countryName > 113:d=5 hl=2 l= 2 prim: PRINTABLESTRING :test > 117:d=2 hl=2 l= 30 cons: SEQUENCE > 119:d=3 hl=2 l= 13 prim: UTCTIME :090605122816Z > 134:d=3 hl=2 l= 13 prim: UTCTIME :110605122816Z > 149:d=2 hl=3 l= 161 cons: SEQUENCE > 152:d=3 hl=2 l= 24 cons: SET > 154:d=4 hl=2 l= 22 cons: SEQUENCE > 156:d=5 hl=2 l= 3 prim: OBJECT :commonName > 161:d=5 hl=2 l= 15 prim: PRINTABLESTRING :test > 178:d=3 hl=2 l= 17 cons: SET > 180:d=4 hl=2 l= 15 cons: SEQUENCE > 182:d=5 hl=2 l= 3 prim: OBJECT :surname > 187:d=5 hl=2 l= 8 prim: PRINTABLESTRING :test > 197:d=3 hl=2 l= 15 cons: SET > 199:d=4 hl=2 l= 13 cons: SEQUENCE > 201:d=5 hl=2 l= 3 prim: OBJECT :givenName > 206:d=5 hl=2 l= 6 prim: PRINTABLESTRING :test > 214:d=3 hl=2 l= 13 cons: SET > 216:d=4 hl=2 l= 11 cons: SEQUENCE > 218:d=5 hl=2 l= 3 prim: OBJECT :localityName > 223:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test > 229:d=3 hl=2 l= 15 cons: SET > 231:d=4 hl=2 l= 13 cons: SEQUENCE > 233:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName > 238:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Mobile > 246:d=3 hl=2 l= 15 cons: SET > 248:d=4 hl=2 l= 13 cons: SEQUENCE > 250:d=5 hl=2 l= 3 prim: OBJECT :organizationName > 255:d=5 hl=2 l= 6 prim: PRINTABLESTRING :test > 263:d=3 hl=2 l= 11 cons: SET > 265:d=4 hl=2 l= 9 cons: SEQUENCE > 267:d=5 hl=2 l= 3 prim: OBJECT :countryName > 272:d=5 hl=2 l= 2 prim: PRINTABLESTRING :test > 276:d=3 hl=2 l= 35 cons: SET > 278:d=4 hl=2 l= 33 cons: SEQUENCE > 280:d=5 hl=2 l= 9 prim: OBJECT :emailAddress > 291:d=5 hl=2 l= 20 prim: IA5STRING :t...@test.net > 313:d=2 hl=4 l= 290 cons: SEQUENCE > 317:d=3 hl=2 l= 13 cons: SEQUENCE > 319:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption > 330:d=4 hl=2 l= 0 prim: NULL > 332:d=3 hl=4 l= 271 prim: BIT STRING > 0000 - 00 30 82 01 0a 02 82 01-01 00 a3 a4 d7 4b e2 be > .0...........K.. > 0010 - 77 c4 77 52 60 c1 de af-a4 15 40 67 b6 16 31 a5 > w.wr`.....@g..1. > 0020 - f4 01 a5 79 fe 33 8e 83-d4 87 82 3b aa 82 8e c8 > ...y.3.....;.... > 0030 - 34 6c bb f1 e8 c3 96 2f-2e 7e f0 ed e6 a9 d6 e7 > 4l...../.~...... > 0040 - a7 5d 7d fe 20 bd 19 45-2c 5d 7d c6 8c 44 40 f4 .]}. > ..E,]}...@. > 0050 - 84 79 84 11 de 81 c4 d6-63 98 55 a5 4b 3d cf 0a > .y......c.U.K=.. > 0060 - 95 65 c5 45 4c 48 29 d7-af 95 a1 ae ab f9 6e 44 > .e.ELH).......nD > 0070 - 9d 8a 70 74 47 b0 dc a5-07 4f b4 67 a3 e2 72 b9 > ..ptG....O.g..r. > 0080 - bb e7 be 43 c5 8a 6b ed-f2 d3 4d 42 cc 9b 02 de > ...C..k...MB.... > 0090 - de 29 c1 70 db df 5b 69-0c 51 eb ca 0d eb 09 52 > .).p..[i.Q.....R > 00a0 - 9e 6e 99 cf 0b e9 ec 25-53 f0 b0 76 e7 18 3e 84 > .n.....%S..v..>. > 00b0 - f3 60 95 88 cf 2d 0d 15-da 8b 2d c6 7a 65 2b 8a > .`...-....-.ze+. > 00c0 - c7 a5 65 ab fd fc da 01-81 26 4f bb 59 fb fc f1 > ..e......&O.Y... > 00d0 - 5e d8 20 70 9b 18 22 23-f5 d4 38 53 70 8f 60 4d ^. > p.."#..8Sp.`M > 00e0 - 3b 29 3f fb d9 25 a1 19-a3 35 00 86 1a bb 81 78 > ;)?..%...5.....x > 00f0 - 5d bc 08 e5 d0 00 21 ac-50 fe 9f ae 7f d3 b4 75 > ].....!.P......u > 0100 - e7 29 e1 8c 42 22 ea 2e-db 9f 02 03 01 00 01 > .)..B"......... > 607:d=2 hl=3 l= 169 cons: cont [ 3 ] > 610:d=3 hl=3 l= 166 cons: SEQUENCE > 613:d=4 hl=2 l= 31 cons: SEQUENCE > 615:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key > Identifier > 620:d=5 hl=2 l= 24 prim: OCTET STRING > 0000 - 30 16 80 14 a1 79 be c5-4b c1 76 ef 9a f8 a9 c9 > 0....y..K.v..... > 0010 - 90 2f ac 6b d4 e6 13 21- ./.k...! > 646:d=4 hl=2 l= 14 cons: SEQUENCE > 648:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage > 653:d=5 hl=2 l= 1 prim: BOOLEAN :255 > 656:d=5 hl=2 l= 4 prim: OCTET STRING > 0000 - 03 02 06 c0 .... > 662:d=4 hl=2 l= 31 cons: SEQUENCE > 664:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject > Alternative Name > 669:d=5 hl=2 l= 24 prim: OCTET STRING > 0000 - 30 16 81 14 66 64 65 70-69 65 72 72 65 40 61 72 0...t...@te > 0010 - 6b 6f 6f 6e 2e 6e 65 74- st.net > 695:d=4 hl=2 l= 29 cons: SEQUENCE > 697:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key > Usage > 702:d=5 hl=2 l= 22 prim: OCTET STRING > 0000 - 30 14 06 08 2b 06 01 05-05 07 03 04 06 08 2b 06 > 0...+.........+. > 0010 - 01 05 05 07 03 02 ...... > 726:d=4 hl=2 l= 51 cons: SEQUENCE > 728:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution > Points > 733:d=5 hl=2 l= 44 prim: OCTET STRING > 0000 - 30 2a 30 28 a0 26 a0 24-86 22 68 74 74 70 3a 2f > 0*0(.&.$."http:/ > 0010 - 2f 63 72 6c 2e 61 72 6b-6f 6f 6e 2e 6e 65 74 2f > /crl.test.net/ > 0020 - 61 72 6b 6f 6f 6e 68 77-2e 63 72 6c testhw.crl > 779:d=1 hl=2 l= 13 cons: SEQUENCE > 781:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption > 792:d=2 hl=2 l= 0 prim: NULL > 794:d=1 hl=4 l= 257 prim: BIT STRING > 0000 - 00 0e d0 4c 77 d8 52 91-69 35 83 84 2c d3 74 66 > ...Lw.R.i5..,.tf > 0010 - 50 b7 4e 6b a2 e3 58 37-72 ef 4c 46 4d ac da ab > P.Nk..X7r.LFM... > 0020 - 96 36 cf 6d d0 c3 32 85-45 5c 1a bd 73 4c e1 af > .6.m..2.E\..sL.. > 0030 - e1 88 8d ec d2 69 4f be-9c 94 c8 68 1d bd 48 08 > .....iO....h..H. > 0040 - 85 e1 b9 7e 87 9e 25 be-25 6c 84 81 ea 42 07 7e > ...~..%.%l...B.~ > 0050 - 7c 39 18 0e 73 5e 23 11-23 a7 70 01 cf 61 8f 8b > |9..s^#.#.p..a.. > 0060 - d5 42 a0 f6 f3 3d 44 ef-b8 21 37 67 1f 9e 0e 4e > .B...=D..!7g...N > 0070 - ce 6c f2 d8 90 02 95 38-61 f6 df 27 5b 4f 65 87 > .l.....8a..'[Oe. > 0080 - f3 6b 7a ce d0 f9 f4 41-c4 c5 af be 39 76 37 36 > .kz....A....9v76 > 0090 - ab c6 c9 b6 0a e7 37 73-b7 43 6a 46 f8 23 a7 39 > ......7s.CjF.#.9 > 00a0 - fd 12 d8 89 9c f5 3d 24-d5 95 03 89 9a 87 3f 62 > ......=$......?b > 00b0 - ad 19 8e 94 ac ba 93 71-33 5a f3 bc 48 a3 23 51 > .......q3Z..H.#Q > 00c0 - da d2 54 99 87 fc 9a 5c-44 c2 64 4a 70 1f cc 2d > ..T....\D.dJp..- > 00d0 - 29 80 c0 f2 9d a5 e7 9f-e3 c2 cf 22 2f bb ca 6a > ).........."/..j > 00e0 - 67 b6 0e 6b d0 be 3c 56-70 08 c5 3b b5 53 df f6 > g..k..<Vp..;.S.. > 00f0 - 6c 17 c1 07 69 bf 9a fb-4c f5 d1 d9 b7 38 f0 6b > l...i...L....8.k > 0100 - 1d > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
