List: openssl-users
Subject: 0.9.8 Finds Extra Cert in PKCS12 File, But Can't Use it; Works in 0.9.7d
From: "Martin Del Vecchio" <marty () backshore ! com>
Date: 2005-09-27 14:12:31
Message-ID: 11E5C74B8659564BA36B6E72B24F6A91043FCF () newserver ! backshore ! com
I am using a PKCS12-format file generated by the Microsoft Windows CA. It has a private key, a certificate, and an extra CA certificate.

I use d2i_PKCS12_fp() to read the file, and PKCS12_parse() to parse it. PKCS12_parse() sets the pointers for the private key, the cert, and the CA.

I then call sk_X509_value (&CA, 0) to get the first CA certificate, and it returns a valid pointer.

I then sk_X509_pop() each entry in the CA stack, and call SSL_CTX_add_extra_chain_cert() to add it to my context.

With OpenSSL 0.9.7d, SSL_CTX_add_extra_chain_cert() returns 1, indicating success.

With OpenSSL 0.9.8, SSL_CTX_add_extra_chain_cert() returns 0, indicating failure. However, there are no errors in the error queue, and ERR_print_errors_fp() reports nothing.
When I run the openssl pkcs12 command with 0.9.7d, it looks like this:
# openssl pkcs12 -in cxc.mlb.com.pfx -info
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
1.3.6.1.4.1.311.17.2: <No Values>
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName:
7def5b436cabd002dd2903b1686c7948_46f26fd4-812d-4efb-8088-45ab919107cc
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E49716C0F02AB00F
shT7Ymq05PXHe6TXYDk2eroeFofi/H4ct8qKTTMbARfotFlujD4ixrOkgvWuRG1u
** snip **
oHDx4uOJlHAa5pEFDAE1mqSwRvfbRojx2hMkiXlN0cK+aqRoqYsW7Q==
-----END RSA PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: new
subject=/CN=cxc.mlb.com
issuer=/DC=com/DC=MLB/CN=lcsserv1
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgIKYSZ6CQAAAAAAFTANBgkqhkiG9w0BAQUFADA9MRMwEQYK
** snip **
Do1eYjre1o+ahLG+BeXYIH/Qu1ji5x0wZJX2a8TiA4VpXhwD9ck=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/DC=com/DC=MLB/CN=lcsserv1
issuer=/DC=com/DC=MLB/CN=lcsserv1
-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgIQByVXJYGI/rZEAV3wdgNBSDANBgkqhkiG9w0BAQUFADA9
** snip **
B40LfH3n87FnVXy1KUwVsmK6I4WFnyYurNm1huQ=
-----END CERTIFICATE-----
When I run the openssl pkcs12 command with 0.9.8, it looks like this:
# ./openssl pkcs12 -in cxc.mlb.com.pfx -info
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
1.3.6.1.4.1.311.17.2: <No Values>
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName:
7def5b436cabd002dd2903b1686c7948_46f26fd4-812d-4efb-8088-45ab919107cc
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,79EAB63559D83A08
dJkKJSTV03Y4nIXIRKRXnqy7P1EomM3eP4ENUYFrF07ouMxZpwJ7STMGyEogtI4/
** snip **
KrYxIQlxhr97dF988KAdkNZWKJcs2CgF3jwFR3KVAblq4ebbphel/g==
-----END RSA PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: new
subject=/CN=cxc.mlb.com
issuer=/DC=com/DC=MLB/CN=lcsserv1
-----BEGIN CERTIFICATE-----
MIIFMjCCBBqgAwIBAgIKYSZ6CQAAAAAAFTANBgkqhkiG9w0BAQUFADA9MRMwEQYK
** snip **
Do1eYjre1o+ahLG+BeXYIH/Qu1ji5x0wZJX2a8TiA4VpXhwD9ck=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/DC=com/DC=MLB/CN=lcsserv1
issuer=/DC=com/DC=MLB/CN=lcsserv1
-----BEGIN CERTIFICATE-----
MIIEaTCCA1GgAwIBAgIQByVXJYGI/rZEAV3wdgNBSDANBgkqhkiG9w0BAQUFADA9
** snip **
B40LfH3n87FnVXy1KUwVsmK6I4WFnyYurNm1huQ=
-----END CERTIFICATE-----
I'm no certificate expert, but those look equivalent to me. That tells me that PKCS12 support isn't fundamentally broken in 0.9.8. But what would cause my code that works fine with 0.9.7d to fail with 0.9.8?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
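As an added example (not code from the post or from OpenSSL), a small Python script that reads an `openssl pkcs12 -info` dump like the ones above, pairs the shrouded key with its certificate through the localKeyID attribute both bags carry, treats every other certificate bag as an extra chain certificate, and checks that those extras actually chain from the end-entity cert before anything is handed to SSL_CTX_add_extra_chain_cert(). The sample dump is constructed from the post's output with PEM bodies omitted, and the localKeyID pairing rule is an assumption about how this file is split, not a statement of PKCS12_parse() internals.

```python
# Constructed sample in the shape of the `openssl pkcs12 -info` dump quoted above
# (attribute lines indented as openssl prints them; PEM bodies omitted).
SAMPLE = """\
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    localKeyID: 01 00 00 00
Certificate bag
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: new
subject=/CN=cxc.mlb.com
issuer=/DC=com/DC=MLB/CN=lcsserv1
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/DC=com/DC=MLB/CN=lcsserv1
issuer=/DC=com/DC=MLB/CN=lcsserv1
"""

def parse_info(text):
    """Split an -info dump into bags of kind 'key' or 'cert' with their attributes."""
    bags, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Shrouded Keybag") or s == "Certificate bag":
            cur = {"kind": "key" if s.startswith("Shrouded") else "cert", "attrs": {}}
            bags.append(cur)
        elif cur and line[:1].isspace() and ": " in s:  # indented attribute line
            k, v = s.split(": ", 1)
            cur["attrs"][k] = v
        elif cur and s.startswith(("subject=", "issuer=")):
            k, v = s.split("=", 1)
            cur[k] = v
    return bags

def split_chain(bags):
    """Pair key and cert by localKeyID; every other cert bag is an extra (CA) cert, in file order."""
    kid = next(b for b in bags if b["kind"] == "key")["attrs"].get("localKeyID")
    certs = [b for b in bags if b["kind"] == "cert"]
    leaf = next((c for c in certs if c["attrs"].get("localKeyID") == kid), None)
    return leaf, [c for c in certs if c is not leaf]

def check_chain(leaf, cas):
    """Each extra cert, in the order it is sent after the leaf, must be the issuer of the one before."""
    findings, want = [], leaf["issuer"]
    for ca in cas:
        if ca["subject"] != want:
            findings.append(f"{ca['subject']} does not issue {want}")
        want = ca["issuer"]
    if cas and cas[-1]["subject"] == cas[-1]["issuer"]:
        findings.append("last extra cert is self-signed; a server need not send its root")
    return findings
```

Order matters for the real chain as well: sk_X509_pop() removes the last element of the stack, so with more than one extra certificate the order in which they are added is the reverse of the stack's order.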