Thanks for looking at this. I was insisting that nobody (in practice) puts CRLs inside of a PKCS12. Nobody does that... I could find no evidence that this is ever done, nor was there any support for this deviant behavior. ;-)
I was handed a specification to implement that had CRLs inside of PKCS12. From the beginning, I doubted the writers of that specification knew what they were doing. And I expect that they don't have any test data, either. Over the last few days, I had being doing exactly what you suggested, a messy manual parsing process. I have achieved success in building a PKCS12 with CRLs and success in parsing that PKCS12. Again, thanks for looking at this and validating what I have been thinking and feeling about putting CRLs into PKCS12s. -Rick On Mon, Nov 14, 2016 at 2:11 PM, Dr. Stephen Henson <st...@openssl.org> wrote: > On Wed, Nov 02, 2016, Richard Stanek wrote: > >> My original requirements were to extract the user certificate, the >> private key, and the CAs. For that I was using the call to >> PKCS12_parse(...). This satisfied the original requirements. Very >> easy to find, understand, and use. >> >> The new requirements that I have are that I also need to extract a CRL >> from that PKCS12. I see that there is a CRLBag defined in the IETF >> RFC 7292 PKCS12 Standard (https://tools.ietf.org/html/rfc7292), so I >> know a CRL could exist inside a PKCS12. I can't seem to find any API >> or C++ examples that extract a CRL from a PKSC12. >> >> Is there an API, example code, or advice on how to extract a CRL from a >> PKCS12? >> > > I've never come across a PKCS#12 file containig a CRL before: would it be > possible to send me a sample which obviously doesn't contain any important > private keys. > > To answer your question, yes it is should be possible but it is messy. You > need to parse the PKCS#12 file manually (see source to PKCS12_parse). In > the funtion parse_bag you add an extra case for NID_crlBag and call > PKCS12_SAFEBAG_get1_crl() on the bag, you should then get back an X509_CRL > pointer or NULL on error. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
