I'm trying to extract the cert/private key pair from a pkcs#12 file using
the PKCS12_parse method. It works fine for most p12 I used before, then I
ran into a strange p12 which doesnt work (returned cert & pkey are both
NULL).
Its structure is :
*********************************************************************************************************************
>openssl pkcs12 -in "User.p12" -info
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,54F8D05BE328D3E7
n377+hfeUZS2[...]
-----END RSA PRIVATE KEY-----
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
subject=/CN=User
User/SN=User/GN=User/L=Lyon/OU=Mobile/O=test/C=FR/emailaddress=u...@test.net
issuer=/CN=test/L=Paris/OU=NC/O=test/C=FR
-----BEGIN CERTIFICATE-----
MIIEGzCCAwO[...]
-----END CERTIFICATE-----
*********************************************************************************************************************
It seems to me that this p12 file could be broken, as i usually use p12 file
containing first a cert bag then a shrouded bag. This LocalKeyID seems
strange too, maybe it's the source of the problem ?
Import it in IE or firefox works fine though, so I tried to debug the inside
of PKCS12_parse to find where the parsing fails.
As far as I understand it, the Bag order makes the asn1 parsing fail at a
point, some tests using "openssl asn1parse" command on a file containing the
certificate PEM block first then the private-key PEM block, the parsing
succeeds. When running the same command on a file containing the private-key
PEM block first then the certificate PEM block it fails (same order as in my
p12 file). These calls are logged below.
.
I couldn't understand in the pkcs#12 norm if this order is wrong or not in
term of asn1 syntax so I wrote this little post :) .
Could someone (in)-validate this analysis and eventually explain the whys
and hows of this issue please.
Thanks in advance,
Nicolas Pelloux-Prayer
*********************************************************************************************************************
>openssl asn1parse -in keyfirst.pem -i -dump
0:d=0 hl=4 l=1189 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=4 l= 257 prim: INTEGER
:A3A4D74BE2BE77C4775260C1DEAFA4154067B61631A5F401A579FE338E83D487823
BD19452C5D7DC68C4440F484798411DE81C4D6639855A54B3DCF0A9565C5454C4829D7AF95A1AEABF96E449D8A707447B0DCA5074FB467A3E272
C51EBCA0DEB09529E6E99CF0BE9EC2553F0B076E7183E84F3609588CF2D0D15DA8B2DC67A652B8AC7A565ABFDFCDA0181264FBB59FBFCF15ED82
1ABB81785DBC08E5D00021AC50FE9FAE7FD3B475E729E18C4222EA2EDB9F
268:d=1 hl=2 l= 3 prim: INTEGER :010001
273:d=1 hl=4 l= 256 prim: INTEGER
:3D6D8E67ED08A47ABA73D0E05590471EB71B774DA37B713A00FCE740413A195878B
4F2EA239C22A899273B89250FC306868C6FBB5A293376B21F064BCCB51F5984AC737F5BFF2824BC8408C74F352595E3CDF162458B741B839DBB2
AD20021607B0608E56091D26B95B8C62658757F9D57113D186AC72CC6422EDA3A5872B47E0F3B219900F37E8706908014F8CB2DFC6F24BE932BA
FD04218FB5BD6A0B6693925B25D0B165BA493E5913D53092645578892429
533:d=1 hl=3 l= 129 prim: INTEGER
:E773A7413DEE5B82C3E4468A13D2C30D8303091CA73F2DF455DE3420C57E58A809F
C9192DDD46333A1D3614CEDAF29326EF1CF062F4377E89278A8F3E984A9B323E56D8AE2D87EA76D698D04B9B2E78DE51208A6B44EB4FB9029C99
665:d=1 hl=3 l= 129 prim: INTEGER
:B50013F4A1D44EE350073A32BB7E616981EA22085EEF237FBCA6C4A86B8D61A1B50
FBD0A875DC6D0F836B29F4CAB2710FD472ACAB3788DB61D7B7B45B8E19E9928F488FC963E4285339A7C4FAB17459D61A14944D3B1CD23FC561B8
797:d=1 hl=3 l= 129 prim: INTEGER
:BAABBB94D2174135393B0E6D64C992C97E05DFBE7D616675EF1F74D98D8F767FA8F
6227EDA6CE6C988D60C5ED84072B09B6C69756A7F36E19BE8B7136A1EB623A66AEF2B9A03D43AC2F2E36A913F2AA475C152BAE927A5AE533A70C
929:d=1 hl=3 l= 129 prim: INTEGER
:AC8A787B7951342A88FD7AC325ECA1DBBC167F7ECF50D3DC4EF003043212C2812E5
AFE406D2E3DFAB2C3219FADAC723F45D273BE6B3B7E8B9EAB39A60B4A38AFF454B7C96147D48DB9D588AF417F9BC31D706CB209C3B2B49D35506
1061:d=1 hl=3 l= 129 prim: INTEGER
:BBD3149E16F8417CD2C183BA7D1B81FACE36A080509C9785455AAC5E8E1F9DD622D
FB89EC460F8F87B6221AE6F765B6B25588F211323187A74E68EF603FC4F703CC53E1BD74C3A07A2ED82F22555FD9CAD31BAE4582414C05FC9B06
1193:d=0 hl=2 l= 4 prim: appl [ 21 ]
1199:d=0 hl=2 l= 107 cons: appl [ 18 ]
Error in encoding
4516:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
long:.\crypto\asn1\asn1_lib.c:142:
*********************************************************************************************************************
>openssl asn1parse -in certfirst.pem -i -dump
0:d=0 hl=4 l=1051 cons: SEQUENCE
4:d=1 hl=4 l= 771 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :0C
16:d=2 hl=2 l= 13 cons: SEQUENCE
18:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
29:d=3 hl=2 l= 0 prim: NULL
31:d=2 hl=2 l= 84 cons: SEQUENCE
33:d=3 hl=2 l= 24 cons: SET
35:d=4 hl=2 l= 22 cons: SEQUENCE
37:d=5 hl=2 l= 3 prim: OBJECT :commonName
42:d=5 hl=2 l= 15 prim: PRINTABLESTRING :test
59:d=3 hl=2 l= 13 cons: SET
61:d=4 hl=2 l= 11 cons: SEQUENCE
63:d=5 hl=2 l= 3 prim: OBJECT :localityName
68:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
74:d=3 hl=2 l= 11 cons: SET
76:d=4 hl=2 l= 9 cons: SEQUENCE
78:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
83:d=5 hl=2 l= 2 prim: PRINTABLESTRING :NC
87:d=3 hl=2 l= 15 cons: SET
89:d=4 hl=2 l= 13 cons: SEQUENCE
91:d=5 hl=2 l= 3 prim: OBJECT :organizationName
96:d=5 hl=2 l= 6 prim: PRINTABLESTRING :test
104:d=3 hl=2 l= 11 cons: SET
106:d=4 hl=2 l= 9 cons: SEQUENCE
108:d=5 hl=2 l= 3 prim: OBJECT :countryName
113:d=5 hl=2 l= 2 prim: PRINTABLESTRING :test
117:d=2 hl=2 l= 30 cons: SEQUENCE
119:d=3 hl=2 l= 13 prim: UTCTIME :090605122816Z
134:d=3 hl=2 l= 13 prim: UTCTIME :110605122816Z
149:d=2 hl=3 l= 161 cons: SEQUENCE
152:d=3 hl=2 l= 24 cons: SET
154:d=4 hl=2 l= 22 cons: SEQUENCE
156:d=5 hl=2 l= 3 prim: OBJECT :commonName
161:d=5 hl=2 l= 15 prim: PRINTABLESTRING :test
178:d=3 hl=2 l= 17 cons: SET
180:d=4 hl=2 l= 15 cons: SEQUENCE
182:d=5 hl=2 l= 3 prim: OBJECT :surname
187:d=5 hl=2 l= 8 prim: PRINTABLESTRING :test
197:d=3 hl=2 l= 15 cons: SET
199:d=4 hl=2 l= 13 cons: SEQUENCE
201:d=5 hl=2 l= 3 prim: OBJECT :givenName
206:d=5 hl=2 l= 6 prim: PRINTABLESTRING :test
214:d=3 hl=2 l= 13 cons: SET
216:d=4 hl=2 l= 11 cons: SEQUENCE
218:d=5 hl=2 l= 3 prim: OBJECT :localityName
223:d=5 hl=2 l= 4 prim: PRINTABLESTRING :test
229:d=3 hl=2 l= 15 cons: SET
231:d=4 hl=2 l= 13 cons: SEQUENCE
233:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
238:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Mobile
246:d=3 hl=2 l= 15 cons: SET
248:d=4 hl=2 l= 13 cons: SEQUENCE
250:d=5 hl=2 l= 3 prim: OBJECT :organizationName
255:d=5 hl=2 l= 6 prim: PRINTABLESTRING :test
263:d=3 hl=2 l= 11 cons: SET
265:d=4 hl=2 l= 9 cons: SEQUENCE
267:d=5 hl=2 l= 3 prim: OBJECT :countryName
272:d=5 hl=2 l= 2 prim: PRINTABLESTRING :test
276:d=3 hl=2 l= 35 cons: SET
278:d=4 hl=2 l= 33 cons: SEQUENCE
280:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
291:d=5 hl=2 l= 20 prim: IA5STRING :t...@test.net
313:d=2 hl=4 l= 290 cons: SEQUENCE
317:d=3 hl=2 l= 13 cons: SEQUENCE
319:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
330:d=4 hl=2 l= 0 prim: NULL
332:d=3 hl=4 l= 271 prim: BIT STRING
0000 - 00 30 82 01 0a 02 82 01-01 00 a3 a4 d7 4b e2 be
.0...........K..
0010 - 77 c4 77 52 60 c1 de af-a4 15 40 67 b6 16 31 a5
w.wr`.....@g..1.
0020 - f4 01 a5 79 fe 33 8e 83-d4 87 82 3b aa 82 8e c8
...y.3.....;....
0030 - 34 6c bb f1 e8 c3 96 2f-2e 7e f0 ed e6 a9 d6 e7
4l...../.~......
0040 - a7 5d 7d fe 20 bd 19 45-2c 5d 7d c6 8c 44 40 f4 .]}.
..E,]}...@.
0050 - 84 79 84 11 de 81 c4 d6-63 98 55 a5 4b 3d cf 0a
.y......c.U.K=..
0060 - 95 65 c5 45 4c 48 29 d7-af 95 a1 ae ab f9 6e 44
.e.ELH).......nD
0070 - 9d 8a 70 74 47 b0 dc a5-07 4f b4 67 a3 e2 72 b9
..ptG....O.g..r.
0080 - bb e7 be 43 c5 8a 6b ed-f2 d3 4d 42 cc 9b 02 de
...C..k...MB....
0090 - de 29 c1 70 db df 5b 69-0c 51 eb ca 0d eb 09 52
.).p..[i.Q.....R
00a0 - 9e 6e 99 cf 0b e9 ec 25-53 f0 b0 76 e7 18 3e 84
.n.....%S..v..>.
00b0 - f3 60 95 88 cf 2d 0d 15-da 8b 2d c6 7a 65 2b 8a
.`...-....-.ze+.
00c0 - c7 a5 65 ab fd fc da 01-81 26 4f bb 59 fb fc f1
..e......&O.Y...
00d0 - 5e d8 20 70 9b 18 22 23-f5 d4 38 53 70 8f 60 4d ^.
p.."#..8Sp.`M
00e0 - 3b 29 3f fb d9 25 a1 19-a3 35 00 86 1a bb 81 78
;)?..%...5.....x
00f0 - 5d bc 08 e5 d0 00 21 ac-50 fe 9f ae 7f d3 b4 75
].....!.P......u
0100 - e7 29 e1 8c 42 22 ea 2e-db 9f 02 03 01 00 01
.)..B".........
607:d=2 hl=3 l= 169 cons: cont [ 3 ]
610:d=3 hl=3 l= 166 cons: SEQUENCE
613:d=4 hl=2 l= 31 cons: SEQUENCE
615:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key
Identifier
620:d=5 hl=2 l= 24 prim: OCTET STRING
0000 - 30 16 80 14 a1 79 be c5-4b c1 76 ef 9a f8 a9 c9
0....y..K.v.....
0010 - 90 2f ac 6b d4 e6 13 21- ./.k...!
646:d=4 hl=2 l= 14 cons: SEQUENCE
648:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
653:d=5 hl=2 l= 1 prim: BOOLEAN :255
656:d=5 hl=2 l= 4 prim: OCTET STRING
0000 - 03 02 06 c0 ....
662:d=4 hl=2 l= 31 cons: SEQUENCE
664:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject
Alternative Name
669:d=5 hl=2 l= 24 prim: OCTET STRING
0000 - 30 16 81 14 66 64 65 70-69 65 72 72 65 40 61 72 0...t...@te
0010 - 6b 6f 6f 6e 2e 6e 65 74- st.net
695:d=4 hl=2 l= 29 cons: SEQUENCE
697:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key
Usage
702:d=5 hl=2 l= 22 prim: OCTET STRING
0000 - 30 14 06 08 2b 06 01 05-05 07 03 04 06 08 2b 06
0...+.........+.
0010 - 01 05 05 07 03 02 ......
726:d=4 hl=2 l= 51 cons: SEQUENCE
728:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution
Points
733:d=5 hl=2 l= 44 prim: OCTET STRING
0000 - 30 2a 30 28 a0 26 a0 24-86 22 68 74 74 70 3a 2f
0*0(.&.$."http:/
0010 - 2f 63 72 6c 2e 61 72 6b-6f 6f 6e 2e 6e 65 74 2f /
crl.test.net/
0020 - 61 72 6b 6f 6f 6e 68 77-2e 63 72 6c testhw.crl
779:d=1 hl=2 l= 13 cons: SEQUENCE
781:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
792:d=2 hl=2 l= 0 prim: NULL
794:d=1 hl=4 l= 257 prim: BIT STRING
0000 - 00 0e d0 4c 77 d8 52 91-69 35 83 84 2c d3 74 66
...Lw.R.i5..,.tf
0010 - 50 b7 4e 6b a2 e3 58 37-72 ef 4c 46 4d ac da ab
P.Nk..X7r.LFM...
0020 - 96 36 cf 6d d0 c3 32 85-45 5c 1a bd 73 4c e1 af
.6.m..2.E\..sL..
0030 - e1 88 8d ec d2 69 4f be-9c 94 c8 68 1d bd 48 08
.....iO....h..H.
0040 - 85 e1 b9 7e 87 9e 25 be-25 6c 84 81 ea 42 07 7e
...~..%.%l...B.~
0050 - 7c 39 18 0e 73 5e 23 11-23 a7 70 01 cf 61 8f 8b
|9..s^#.#.p..a..
0060 - d5 42 a0 f6 f3 3d 44 ef-b8 21 37 67 1f 9e 0e 4e
.B...=D..!7g...N
0070 - ce 6c f2 d8 90 02 95 38-61 f6 df 27 5b 4f 65 87
.l.....8a..'[Oe.
0080 - f3 6b 7a ce d0 f9 f4 41-c4 c5 af be 39 76 37 36
.kz....A....9v76
0090 - ab c6 c9 b6 0a e7 37 73-b7 43 6a 46 f8 23 a7 39
......7s.CjF.#.9
00a0 - fd 12 d8 89 9c f5 3d 24-d5 95 03 89 9a 87 3f 62
......=$......?b
00b0 - ad 19 8e 94 ac ba 93 71-33 5a f3 bc 48 a3 23 51
.......q3Z..H.#Q
00c0 - da d2 54 99 87 fc 9a 5c-44 c2 64 4a 70 1f cc 2d
..T....\D.dJp..-
00d0 - 29 80 c0 f2 9d a5 e7 9f-e3 c2 cf 22 2f bb ca 6a
).........."/..j
00e0 - 67 b6 0e 6b d0 be 3c 56-70 08 c5 3b b5 53 df f6
g..k..<Vp..;.S..
00f0 - 6c 17 c1 07 69 bf 9a fb-4c f5 d1 d9 b7 38 f0 6b
l...i...L....8.k
0100 - 1d
