On Sun, Jul 23, 2006, Martin Husemann wrote:

> Hi folks,
>
> I have the strong feeling this *has* to be a FAQ, but google was unhelpful,
> so let me try to ask it here:
>
> I have various code signing certificates from different CAs, in evil
> M$ .spc/.pvk format. I'm effectively looking for a way to convert those
> into standard pkcs#12 format (so the mozilla tools will be able to use
> them).
>
> Now I found the PKCS#12 faq at
>
> http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
>
> and the "pvk" utility, which I compiled and linked with openssl - and used
> it to convert the .pvk part (the private key) into PEM format. So the
> difficult part is already done ;-)
>
> Now, above FAQ says:
>
> Q. What are SPC files?
> A. They are simply DER encoded PKCS#7 files containing the certificates.
> Well they are in the newer versions of the tools. The older versions
> used an invalid PKCS#7 format.
>
> And indeed, when I run:
>
> openssl pkcs7 -inform DER -in code_signing.spc -print_certs
>
> it says:
>
> unable to load PKCS7 object
> 3859:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:/usr/src/crypto/dist/openssl/crypto/asn1/tasn_dec.c:1290:
> 3859:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:/usr/src/crypto/dist/openssl/crypto/asn1/tasn_dec.c:380:Type=PKCS7
>
> Is this error the same as "The older versions used an invalid PKCS#7 format."?
> All these certificates have been created by different commercial CAs within
> the last few months, so I would hope not - but with these "proprietary" formats
> you never know.
>
> Any chance to extract and convert the certificate?
There are several possibilities. You may be able to get the MS Authenticode tools to extract the certificates in a readable format. If you are in luck the MS PKCS#7 import stuff in the MSIE certificate wizard might tolerate the brokenness. If so you should be able to see the certificate chain and save whatever certificates you need to.

Alternatively you might be able to retrieve them from the CAs again.

You could try signing a DLL using authenticode tools and extracting a certificate from that.

Another option is to try to get the certificate bit from the SPC file and ignore the invalid bits. If you try:

openssl asn1parse -inform DER -in file.spc

and you get something useful you may see the offset the certificate starts at. Using that you can use the asn1parse tool to pull it out then make sure it is a valid certificate using the x509 tool.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
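The last option in Steve's reply (walk the DER with asn1parse, note the offset the certificate starts at, carve it out, check it with x509) can be done without a working PKCS#7 parser at all, because a DER walker only needs each element's tag and length and never has to understand the PKCS#7 structure around the certificates. The following is an added example written for this thread, not OpenSSL code and not from either poster: it reproduces the (offset, depth, header length, length, tag) columns that `openssl asn1parse` prints, finds every SEQUENCE with the shape of an X.509 Certificate (tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING), and returns its raw bytes. The `BROKEN_SPC` blob is constructed here to stand in for an SPC whose SignedData wrapper is invalid (its version field is deliberately an OCTET STRING rather than an INTEGER); the two "certificates" inside it are shape-only dummies, not real certificates.

```python
"""DER walker in the spirit of `openssl asn1parse`, plus a carve-out of
certificate-shaped SEQUENCEs from a blob whose PKCS#7 wrapper is broken.
Added example for this thread; the sample data below is constructed."""

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
             0x05: "NULL", 0x06: "OBJECT", 0x0C: "UTF8STRING",
             0x30: "SEQUENCE", 0x31: "SET"}


def read_header(data, off):
    """Decode the tag/length header at `off`; return (tag, header_len, body_len).
    Single-byte tags and definite lengths only, which is all DER permits."""
    if off + 2 > len(data):
        raise ValueError("truncated header at offset %d" % off)
    tag = data[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag at offset %d not supported" % off)
    first = data[off + 1]
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(data):
            raise ValueError("bad length encoding at offset %d" % off)
        hdr = 2 + n
        length = int.from_bytes(data[off + 2:off + hdr], "big")
    if off + hdr + length > len(data):
        raise ValueError("element at offset %d runs past end of data" % off)
    return tag, hdr, length


def walk(data, off=0, end=None, depth=0):
    """Yield (offset, depth, header_len, body_len, tag) for every element, in
    the pre-order sequence asn1parse prints them."""
    end = len(data) if end is None else end
    while off < end:
        tag, hdr, length = read_header(data, off)
        yield off, depth, hdr, length, tag
        if tag & 0x20:                       # constructed: descend into body
            yield from walk(data, off + hdr, off + hdr + length, depth + 1)
        off += hdr + length


def children(data, off):
    """Tags of the direct children of the constructed element at `off`."""
    _, hdr, length = read_header(data, off)
    return [t for _, d, _, _, t in walk(data, off + hdr, off + hdr + length, 1) if d == 1]


def looks_like_certificate(data, off):
    """Shape check only: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }.
    Anything this accepts still has to be confirmed with `openssl x509 -inform DER`."""
    return data[off] == 0x30 and children(data, off) == [0x30, 0x30, 0x03]


def find_certificates(data):
    """Offsets of every certificate-shaped element, ignoring whether the
    PKCS#7 structure around them is valid."""
    return [off for off, _, _, _, _ in walk(data) if looks_like_certificate(data, off)]


def extract(data, off):
    """The complete element (header + body) at `off`, ready for `openssl x509`."""
    _, hdr, length = read_header(data, off)
    return data[off:off + hdr + length]


def asn1parse(data):
    """Render the walk in asn1parse's column layout."""
    lines = []
    for off, d, hl, l, tag in walk(data):
        default = "cont [ %d ]" % (tag & 0x1F) if tag & 0x80 else "tag %#x" % tag
        name = TAG_NAMES.get(tag, default)
        lines.append("%5d:d=%d  hl=%d l=%4d %s: %s" % (off, d, hl, l, "cons" if tag & 0x20 else "prim", name))
    return "\n".join(lines)


def tlv(tag, body):
    """DER-encode one element with a definite length (used to build sample data)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11
SIGNED_DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2
DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"         # 1.2.840.113549.1.7.1


def fake_certificate(serial):
    """Certificate-shaped dummy (constructed; no real key, name or signature)."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))                       # version v3
                    + tlv(0x02, serial.to_bytes(2, "big"))               # serialNumber
                    + tlv(0x30, tlv(0x06, SHA256_RSA_OID))               # signature
                    + tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Test")))))  # issuer CN=Test
    sigalg = tlv(0x30, tlv(0x06, SHA256_RSA_OID) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00\xde\xad\xbe\xef")
    return tlv(0x30, tbs + sigalg + sig)


# Constructed stand-in for an invalid SPC: ContentInfo says signedData, but the
# SignedData version is an OCTET STRING instead of an INTEGER, so a PKCS#7
# parser rejects it. The certificates inside are intact.
BROKEN_SPC = tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, tlv(0x30,
    tlv(0x04, b"\x01")                                                   # deliberately wrong type
    + tlv(0x31, b"")                                                     # digestAlgorithms
    + tlv(0x30, tlv(0x06, DATA_OID))                                     # contentInfo
    + tlv(0xA0, fake_certificate(0x1234) + fake_certificate(0x5678))     # certificates [0] IMPLICIT
    + tlv(0x31, b""))))                                                  # signerInfos

if __name__ == "__main__":
    print(asn1parse(BROKEN_SPC))
    for off in find_certificates(BROKEN_SPC):
        print("certificate-shaped element at offset %d, %d bytes" % (off, len(extract(BROKEN_SPC, off))))
```

On a real SPC the carved bytes go to `openssl x509 -inform DER -in cert.der -noout -text`, which is the validity check Steve mentions; if x509 rejects them, the shape match was a false positive. When doing the same with the OpenSSL tool itself, note that `openssl asn1parse -strparse OFFSET -out FILE` writes the content octets of the element at OFFSET, not the element with its header, so point it at the element that wraps the certificate rather than at the certificate's own SEQUENCE.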
