On Thu, Jan 13, 2005, [EMAIL PROTECTED] wrote:

> Hello all,
> 
>       I want to load and parse certificates from a file (.p12) using 
> d2i_PKCS12_fp(..) and PKCS12_parse(..). The file contains two certificates. I 
> want to obtain all of the certificates from the file. But after I called 
> PKCS12_parse(..) I only got one certificate. I couldn't get the stack of CA 
> certificates. The prototype of PKCS12_parse() is like this:
>  
> PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, 
> STACK_OF(X509) **ca)  
> 
> After I called the function I only got pkey and cert. The content of *ca
> was empty and PKCS12_parse only allocated memory to *ca. But it didn't fill
> *ca with certificates. My code looked like the following:    
>      
>       PKCS12  *p12 = NULL;
>       X509 *cert = NULL;
>       STACK_OF(X509) *ca = NULL;
>       EVP_PKEY * privateKey = NULL;
>       EVP_PKEY * publicKey = NULL; 
>       char * keypass = generatePW(); // get password
>       FILE * fp = fopen(filename, "rb");
>       if (!fp)
>           printf("Error opening file %s ",filename);
>       p12 = d2i_PKCS12_fp(fp, NULL);
>       if (!PKCS12_parse(p12, keypass, &privateKey, &cert, &ca ))
>       {
>           printf("Error parsing PKCS12 file");
>       }
>       if (ca) 
>           printf(" ca is not null!");
>       else
>           printf("ca is null!");
>        if (cert)
>            publicKey = X509_get_pubkey(cert);
> 
>        if ((!privateKey) || (!publicKey))
>        {
>             printf("private key or public key is NULL!");
>        }
>         unsigned int cert_num = ((STACK *)ca)->num;
>         printf("number of certificates in CA chain=%d", cert_num);
> 
>         After running it, it prints:
> 
>          ca is not null!
>          number of certificates in CA chain=0
> 
> 
> It looked like ca was not null but it was empty. I am expecting 
> PKCS12_parse to fill ca with additional certificates. But it didn't. 
> Any help is appreciated!


Use sk_X509_num() on the ca stack instead of messing around with internals.

See if the other certificates can be extracted using the pkcs12 utility.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
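
The reply above suggests checking with the pkcs12 utility whether the file holds the additional certificates at all. The following is an added example, not part of the original thread: it builds a constructed two-certificate .p12 and counts what `openssl pkcs12` lists as key-bound certificates and as the remaining ones. The file names, subjects, password and the function names `make_demo_p12` and `count_certs` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example with constructed test data, not the poster's file.
# Assumed names: demo.p12, password "demo-pass", subjects "Demo CA"/"Demo Leaf".

# Build a throwaway CA, a leaf certificate signed by it, and a .p12 that
# holds the leaf key and leaf certificate plus the CA certificate as an
# extra certificate (added through -certfile).
make_demo_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Leaf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -days 1 -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.pem" \
        -certfile "$dir/ca.pem" -passout pass:demo-pass -out "$dir/demo.p12"
}

# Count the certificates the pkcs12 utility prints for one selector:
#   -clcerts  certificates tagged with a localKeyID (bound to a private key)
#   -cacerts  all other certificates in the file
# Prints 0 when nothing matches or the file cannot be decrypted.
count_certs() {
    p12=$1; selector=$2; pass=$3
    openssl pkcs12 -in "$p12" -nokeys "$selector" -passin "pass:$pass" \
        2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}
```

Call `make_demo_p12 "$(mktemp -d)"` to create the sample, then run `count_certs` with `-clcerts` and `-cacerts` against the real file and its password to see how its two certificates are split.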
