Hi,

I'm referring to the changes in "Changes between 0.9.8n and 1.0.0 [29 Mar 2010]":

  *) Alter match criteria in PKCS12_parse(). It used to try to use local
     key ids to find matching certificates and keys but some PKCS#12 files
     don't follow the (somewhat unwritten) rules and this strategy fails.
     Now just gather all certificates together and the first private key
     then look for the first certificate that matches the key.
     [Steve Henson]

The changes above are not applied to the PKCS tools in pkcs12.c. In pkcs12.c at about line 975, it checks whether the cert has a localKeyId. If it does and if the user requests to show the CACERT, it skips the cert dumping steps. For example:

test.pfx contains one CA cert (with local key id defined) and one client cert and private keys.

Case 1:
command: openssl pkcs12 -in test.pfx -out test.txt -nokeys -cacerts
result: test.txt is empty

Case 2:
command: openssl pkcs12 -in test.pfx -out test.txt -nokeys -clcerts
result: test.txt contains two certificates (the CA and the client certs)

openssl version - openssl-1.0.0e

Please let me know if this is a bug.

Thanks.

Regards,
Low, Sze Hau
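
The two cases in the report, reproduced with a simplified model (an added example, not part of the original message and not OpenSSL's code). The bag records, subject names and key strings are constructed; the -clcerts branch of the attribute filter and the key-match variant of the flags are assumptions made for comparison.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CertBag:
    subject: str
    public_key: str               # stand-in for the certificate's public key
    local_key_id: Optional[str]   # localKeyID bag attribute, None if absent

# Constructed stand-in for test.pfx from the report: both certificate bags
# carry a localKeyID, including the CA certificate.
TEST_PFX = [
    CertBag("CN=Example CA", "ca-pub", "01"),
    CertBag("CN=client", "client-pub", "02"),
]
PRIVATE_KEY_PUB = "client-pub"    # public half of the first private key

def dump_by_local_key_id(bags, cacerts=False, clcerts=False):
    """Attribute-based filter as the report describes for the pkcs12 tool."""
    out = []
    for bag in bags:
        if bag.local_key_id is not None:
            if cacerts:           # has localKeyID: treated as a client cert
                continue
        elif clcerts:             # mirror case (assumed): no localKeyID = CA
            continue
        out.append(bag.subject)
    return out

def dump_by_key_match(bags, key_pub, cacerts=False, clcerts=False):
    """Hypothetical filter using the changelog strategy: the first
    certificate that matches the private key is the client certificate."""
    client = next((b for b in bags if b.public_key == key_pub), None)
    out = []
    for bag in bags:
        is_client = bag is client
        if (cacerts and is_client) or (clcerts and not is_client):
            continue
        out.append(bag.subject)
    return out

if __name__ == "__main__":
    print(dump_by_local_key_id(TEST_PFX, cacerts=True))   # Case 1
    print(dump_by_local_key_id(TEST_PFX, clcerts=True))   # Case 2
    print(dump_by_key_match(TEST_PFX, PRIVATE_KEY_PUB, cacerts=True))
```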