Re: [openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?
Hi,

On Tue, Feb 20, 2018 at 01:27:51PM +, Viktor Dukhovni wrote:

> > In the commonly accepted variants of PKCS#12, private key and all the
> > certificates are encrypted with the same password. PKCS#12 with
> > different password for private key and certificates is not widely
> > supported.
>
> Do any of the PKCS#12 key derivation functions implement the same
> password -> key algorithm as is used in OpenSSL's PEM password to
> key mapping for private keys? I suspect that might be another
> problem area.

Uh... Good point. Didn't have that on the radar actually. Thanks!

Cheers,
Toby.

--
We're Germans and we use Unix. That's a combination of two demographic
groups known to have no sense of humour whatsoever.
---Hanno Mueller in de.comp.os.unix.programming

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
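The mismatch Viktor points at can be seen by deriving keys both ways. The following is an added example (not code from the thread or from OpenSSL): the legacy PEM password-to-key mapping (EVP_BytesToKey with MD5 and one iteration, salt = first 8 bytes of the DEK-Info IV) beside the PKCS#12 KDF of RFC 7292 Appendix B.2 with SHA-1, both implemented from the specification; the password, salt and iteration count are constructed values, and the function names are mine.

```python
import hashlib
import math

# Legacy OpenSSL PEM password -> key mapping: EVP_BytesToKey, MD5, count = 1.
# For an encrypted PEM key the 8-byte salt is the leading 8 bytes of the
# DEK-Info IV; the caller passes it in (constructed in this example).
def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int) -> bytes:
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len]

# PKCS#12 KDF, RFC 7292 Appendix B.2, SHA-1 variant (u = 20, v = 64 bytes).
# purpose_id: 1 = encryption key, 2 = IV, 3 = MAC key.
def pkcs12_kdf(password: str, salt: bytes, iterations: int,
               purpose_id: int, n: int) -> bytes:
    u, v = 20, 64
    # The password is a BMPString: UTF-16BE plus a two-byte terminator.
    pw = password.encode("utf-16-be") + b"\x00\x00"
    D = bytes([purpose_id]) * v

    def expand(x: bytes) -> bytes:
        # Repeat x until its length is a multiple of v (final copy truncated).
        if not x:
            return b""
        needed = v * math.ceil(len(x) / v)
        return (x * (needed // len(x) + 1))[:needed]

    I = bytearray(expand(salt) + expand(pw))
    result = b""
    for _ in range(math.ceil(n / u)):
        A = D + bytes(I)
        for _r in range(iterations):          # A_i = H^r(D || I)
            A = hashlib.sha1(A).digest()
        result += A
        B = int.from_bytes(expand(A), "big")  # B = A_i repeated to v bytes
        for j in range(0, len(I), v):         # I_j = (I_j + B + 1) mod 2^v
            block = (int.from_bytes(I[j:j + v], "big") + B + 1) % (1 << (8 * v))
            I[j:j + v] = block.to_bytes(v, "big")
    return result[:n]

# Derive a 32-byte key from the same password and salt via both paths.
# A PKCS#12 reader would run the B.2 KDF, so it cannot recover the key
# that was used to encrypt the legacy PEM blob.
def compare(password: str, salt: bytes, iterations: int = 2048) -> dict:
    pem_key = evp_bytes_to_key(password.encode(), salt[:8], 32)
    p12_key = pkcs12_kdf(password, salt, iterations, 1, 32)
    return {"pem_key": pem_key, "p12_key": p12_key, "same": pem_key == p12_key}
```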
Re: [openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?
Hi,

On Wed, Feb 21, 2018 at 01:04:17AM +0900, Frank Migge wrote:

> >> the question remains: Is there a way to reuse an already-encrypted privkey?
>
> I'd say yes it *could* work, but not with OpenSSL API functions. You'd
> have to roll your own code for the PKCS12 creation.
>
> OpenSSL's PKCS12_create() function expects an unencrypted EVP_PKEY
> object. But, internally, that key is turned into an encrypted PKCS8
> structure, as expected by the PKCS8ShroudedKeyBag type defined in RFC-7292.

That's about what I thought I figured out, yeah. :)

> That's why I think it may be possible to experiment and modify code such
> as in crypto/pkcs12/p12_crt.c, trying to pass-through that already
> encrypted PKCS8 key "as-is" straight into the pkcs8ShroudedKeyBag
> object. If your key is a file in PEM format, you'd need to get that into
> an internal structure first (more coding), I don't think there is a
> simple API import (without decryption).
>
> If you manage to successfully build that PKCS12, you'd run into trouble
> for decoding, which probably fails for all known software. They all
> expect to be able to read the private key, when in your case it needs
> saving to a file somewhere for further handling, or for entering that
> second key-specific password. You'd again have to code your own PKCS12
> unpack program, just for this specific use case.
>
> I may be wrong but to me it looks doable, just a *lot* of work.

... and that, unfortunately, is about what I concluded as well. Bummer. ;-)

But thanks a lot for your thoughts (also to Jakob and Viktor)! :)

Cheers,
Toby.

--
To the systems programmer, users and applications serve only to provide a test load.
Re: [openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?
Hi,

On Tue, Feb 20, 2018 at 12:23:14PM +0100, Jakob Bohm wrote:

> > Googling does not reveal much useful information, unfortunately, and so far
> > we have been unsuccessfully diving into PKCS12/8/5 specs. I don't really see a
> > reason why it should not be possible, but of course that doesn't mean it is.
> > :)
>
> In the commonly accepted variants of PKCS#12, private key and all the
> certificates are encrypted with the same password. PKCS#12 with
> different password for private key and certificates is not widely
> supported.

I see.

> In the concatenated PEM format, only the private key is encrypted, but
> not the certificates.

Yep.

> So to convert from concatenated PEM format to PKCS#12, even if the
> encrypted private key could be kept without decrypting the private
> key, the password for the private key is still needed to encrypt
> the certificates with the same password.

... iff you need to retain wide-spread compatibility. So if that is not
necessary, the question remains: Is there a way to reuse an already-encrypted
privkey?

THX & Cheers,
Toby.

--
I know that you believe that you understood what you think I said, but I am
not sure you realize that what you heard is not what I meant.
[openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?
Hi,

I was wondering whether it was possible somehow to take a certificate and an
enciphered private key, both in .pem format, and combine them into a PKCS12
structure without knowing the key passphrase?

Googling does not reveal much useful information, unfortunately, and so far we
have been unsuccessfully diving into PKCS12/8/5 specs. I don't really see a
reason why it should not be possible, but of course that doesn't mean it is. :)

THX & Cheers,
Toby.

--
I am Gates of Borg. Resistance is futile. You will be assimilated.
From now on, you will finance... us.