Hello, If I create a PKCS12 keystore file, using Java 1.5, where the keystore file contains a private key, a certificate containing the public key and a self-signed certificate used to sign the first certificate, I have a problem parsing the PKCS12 file using the PKCS12_parse() function. The problem is that the client certificate returned is that of the self-signed certificate instead of the certificate containing the public key associated with the private key.
This problem was reported as bug 1034 back in 2005 but not fixed and I did not
understand Steve's comment from April 05, 2005 which stated "That looks like a
highly broken PKCS#12 file. The localKeyID attribute
is supposed to be only used between the private key and corresponding
certificate. In that case *every* certificate has a matching localKeyID.". The
localKeyID looks different between the CA certificate and client certificate
for the certificates listed in bug 1034 and the client certificate localKeyID
matches that for the private key.
Also, this problem was already discussed recently, without resolution, in the
openssl-dev discussion, around Jul 09, 2008 with the subject of "Compatibility
of client PKCS#12 files".
Thank you in advance for any resolution to this problem.
================
Note, the keystore was created using the Java API of
java.security.KeyStore.setKeyEntry() to store the private key and the
associated certificate chain:
public final void setKeyEntry(String alias, byte[] key, Certificate[] chain) throws KeyStoreException

Assigns the given key (that has already been protected) to the given alias.
If the protected key is of type java.security.PrivateKey, it must be
accompanied by a certificate chain certifying the corresponding public key.
If the underlying keystore implementation is of type jks, key must be encoded
as an EncryptedPrivateKeyInfo as defined in the PKCS #8 standard. If the given
alias already exists, the keystore information associated with it is
overridden by the given key (and possibly certificate chain).

Parameters:
  alias - the alias name
  key - the key (in protected format) to be associated with the alias
  chain - the certificate chain for the corresponding public key (only useful
          if the protected key is of type java.security.PrivateKey).

Throws:
  KeyStoreException - if the keystore has not been initialized (loaded), or
                      if this operation fails for some other reason.
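A check a practitioner can run on a bundle like the one described above, added here as an example and not code from the original post: it builds a PKCS#12 file in memory with the same layout (private key, leaf certificate, self-signed issuer), loads it back, and confirms that the certificate the parser hands back actually carries the public key matching the private key; if it does not, it reports which of the extra certificates does. The names, password and the `cryptography` library calls are assumptions of this example, not part of the thread.

```python
# Added example (not from the original post): build a PKCS#12 bundle shaped like the
# poster's (key + leaf cert + self-signed CA), then verify that the certificate a parser
# returns really belongs to the private key instead of trusting the parser's choice.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _cert(subject, issuer, pub, signer_key, is_ca):
    """Constructed test certificate; subject/issuer names are made up for the example."""
    now = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
            .public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def build_p12(password=b"changeit"):
    """Constructed bundle: leaf key + leaf cert signed by a self-signed CA, CA in the chain."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _cert("Test CA", "Test CA", ca_key.public_key(), ca_key, True)
    leaf = _cert("client", "Test CA", leaf_key.public_key(), ca_key, False)
    return pkcs12.serialize_key_and_certificates(
        b"client", leaf_key, leaf, [ca],
        serialization.BestAvailableEncryption(password))


def check_p12(data, password=b"changeit"):
    """Return (parser_cert_matches_key, subject_of_cert_that_matches_or_None).

    The first element is True only when the certificate the parser returned carries
    the public key for the private key; otherwise the extra certificates are searched
    for the one that does, so a mismatch like the one reported can be detected."""
    key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    mine = key.public_key().public_numbers()
    if cert is not None and cert.public_key().public_numbers() == mine:
        return True, cert.subject.rfc4514_string()
    for candidate in extra:
        if candidate.public_key().public_numbers() == mine:
            return False, candidate.subject.rfc4514_string()
    return False, None
```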
