'0.9.8 Finds Extra Cert in PKCS12 File, But Can't Use it; Works in 0.9.7d'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssl-users
Subject:    0.9.8 Finds Extra Cert in PKCS12 File, But Can't Use it; Works in 0.9.7d
From:       "Martin Del Vecchio" <marty () backshore ! com>
Date:       2005-09-27 14:12:31
Message-ID: 11E5C74B8659564BA36B6E72B24F6A91043FCF () newserver ! backshore ! com
[Download RAW message or body]

I am using a PKCS12-format file generated by the Microsoft Windows CA.
It has a private key, a certificate,
and an extra CA certificate.

I use d2i_PKCS12_fp() to read the file, and PKCS12_parse() to parse it.
PKCS12_parse() sets the pointers
for the private key, the cert, and the CA.

I then call sk_X509_value (&CA, 0) to get the first CA certificate, and
it returns a valid pointer.  
I then sk_X509_pop() each entry in the CA stack, and call
SSL_CTX_add_extra_chain_cert() to add it
to my context.

With OpenSSL 0.9.7d, SSL_CTX_add_extra_chain_cert() returns 1,
indicating success.

With OpenSSL 0.9.8, SSL_CTX_add_extra_chain_cert() returns 0, indicating
failure.  However, there are no
errors in the error queue, and ERR_print_errors_fp() reports nothing.

When I run the openssl pkcs12 command with 0.9.7d, it looks like this:

   # openssl pkcs12 -in cxc.mlb.com.pfx  -info
   Enter Import Password:
   MAC Iteration 1
   MAC verified OK
   PKCS7 Data
   Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
   Bag Attributes
       1.3.6.1.4.1.311.17.2: <No Values>
       localKeyID: 01 00 00 00
       Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
       friendlyName:
7def5b436cabd002dd2903b1686c7948_46f26fd4-812d-4efb-8088-45ab919107cc
   Key Attributes
       X509v3 Key Usage: 10
   Enter PEM pass phrase:
   Verifying - Enter PEM pass phrase:
   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type: 4,ENCRYPTED
   DEK-Info: DES-EDE3-CBC,E49716C0F02AB00F

   shT7Ymq05PXHe6TXYDk2eroeFofi/H4ct8qKTTMbARfotFlujD4ixrOkgvWuRG1u

   ** snip **

   oHDx4uOJlHAa5pEFDAE1mqSwRvfbRojx2hMkiXlN0cK+aqRoqYsW7Q==
   -----END RSA PRIVATE KEY-----
   PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
   Certificate bag
   Bag Attributes
       localKeyID: 01 00 00 00
       friendlyName: new
   subject=/CN=cxc.mlb.com
   issuer=/DC=com/DC=MLB/CN=lcsserv1
   -----BEGIN CERTIFICATE-----
   MIIFMjCCBBqgAwIBAgIKYSZ6CQAAAAAAFTANBgkqhkiG9w0BAQUFADA9MRMwEQYK

   ** snip **

   Do1eYjre1o+ahLG+BeXYIH/Qu1ji5x0wZJX2a8TiA4VpXhwD9ck=
   -----END CERTIFICATE-----
   Certificate bag
   Bag Attributes: <Empty Attributes>
   subject=/DC=com/DC=MLB/CN=lcsserv1
   issuer=/DC=com/DC=MLB/CN=lcsserv1
   -----BEGIN CERTIFICATE-----
   MIIEaTCCA1GgAwIBAgIQByVXJYGI/rZEAV3wdgNBSDANBgkqhkiG9w0BAQUFADA9

   ** snip **

   B40LfH3n87FnVXy1KUwVsmK6I4WFnyYurNm1huQ=
   -----END CERTIFICATE-----

When I run the openssl pkcs12 command with 0.9.8, it looks like this:

   # ./openssl pkcs12 -in cxc.mlb.com.pfx  -info
   Enter Import Password:
   MAC Iteration 1
   MAC verified OK
   PKCS7 Data
   Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
   Bag Attributes
       1.3.6.1.4.1.311.17.2: <No Values>
       localKeyID: 01 00 00 00
       Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
       friendlyName:
7def5b436cabd002dd2903b1686c7948_46f26fd4-812d-4efb-8088-45ab919107cc
   Key Attributes
       X509v3 Key Usage: 10
   Enter PEM pass phrase:
   Verifying - Enter PEM pass phrase:
   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type: 4,ENCRYPTED
   DEK-Info: DES-EDE3-CBC,79EAB63559D83A08
   
   dJkKJSTV03Y4nIXIRKRXnqy7P1EomM3eP4ENUYFrF07ouMxZpwJ7STMGyEogtI4/
   
   ** snip **

   KrYxIQlxhr97dF988KAdkNZWKJcs2CgF3jwFR3KVAblq4ebbphel/g==
   -----END RSA PRIVATE KEY-----
   PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
   Certificate bag
   Bag Attributes
       localKeyID: 01 00 00 00
       friendlyName: new
   subject=/CN=cxc.mlb.com
   issuer=/DC=com/DC=MLB/CN=lcsserv1
   -----BEGIN CERTIFICATE-----
   MIIFMjCCBBqgAwIBAgIKYSZ6CQAAAAAAFTANBgkqhkiG9w0BAQUFADA9MRMwEQYK
   
   ** snip **
   
   Do1eYjre1o+ahLG+BeXYIH/Qu1ji5x0wZJX2a8TiA4VpXhwD9ck=
   -----END CERTIFICATE-----
   Certificate bag
   Bag Attributes: <Empty Attributes>
   subject=/DC=com/DC=MLB/CN=lcsserv1
   issuer=/DC=com/DC=MLB/CN=lcsserv1
   -----BEGIN CERTIFICATE-----
   MIIEaTCCA1GgAwIBAgIQByVXJYGI/rZEAV3wdgNBSDANBgkqhkiG9w0BAQUFADA9
   
   ** snip **

   B40LfH3n87FnVXy1KUwVsmK6I4WFnyYurNm1huQ=
   -----END CERTIFICATE-----

I'm no certificate expert, but those look equivalent to me.  That tells
me that PKCS12 support isn't 
fundamentally broken in 0.9.8.  But what would cause my code that works
fine with 0.9.7d to fail
with 0.9.8?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic