Re: OpenSSL 3.0.2 PKCS12_parse Failure
How do you load the legacy provider? Into which library context? It needs to be loaded into the default (NULL) library context for the PKCS12_parse() function.

The workaround would be to not use the certificate/key pair for the server in the PKCS12 format but in the PEM format with separate key and certificate files.

Tomas Mraz

On Fri, 2022-04-01 at 18:14 +, vchiliquinga--- via openssl-users wrote:
> Hello,
>
> Connection between an OpenSSL 3.0.2 server and a 1.1.1g client is
> proving to be unsuccessful.
>
> According to the logs collected we seem to be having an issue with
> the loading of the legacy providers.
> We are loading both the default and legacy providers programmatically
> as per the steps outlined in the Wiki for OpenSSL 3.0 - 6.2
> Providers.
>
> We are seeing the following error..
>
> error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> PKCS12_parse() failed = 183. (Using GetLastError from
> errhandlingapi.h, the 183 error code is obtained)
>
> Worth mentioning that we are only seeing this issue occur when the
> server is a Windows 2012 server.
>
> Thank you,
> Victor C.

--
Tomáš Mráz, OpenSSL
RE: OpenSSL 3.0.2 PKCS12_parse Failure
Hello,

Seems our email system scrubbed the response to my question because it was a link. Could I ask the response be sent to the following email instead: chiliquing...@outlook.com

Thanks!

> Message: 3
> Date: Fri, 1 Apr 2022 18:14:38 +
> Subject: OpenSSL 3.0.2 PKCS12_parse Failure
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> Connection between an OpenSSL 3.0.2 server and a 1.1.1g client is proving to be unsuccessful.
>
> According to the logs collected we seem to be having an issue with the loading of the legacy providers. We are loading both the default and legacy providers programmatically as per the steps outlined in the Wiki for OpenSSL 3.0 - 6.2 Providers.
>
> We are seeing the following error..
>
> error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> PKCS12_parse() failed = 183. (Using GetLastError from errhandlingapi.h, the 183 error code is obtained)
>
> Worth mentioning that we are only seeing this issue occur when the server is a Windows 2012 server.
>
> Thank you,
> Victor C.
OpenSSL 3.0.2 PKCS12_parse Failure
Hello,

Connection between an OpenSSL 3.0.2 server and a 1.1.1g client is proving to be unsuccessful.

According to the logs collected we seem to be having an issue with the loading of the legacy providers. We are loading both the default and legacy providers programmatically as per the steps outlined in the Wiki for OpenSSL 3.0 - 6.2 Providers.

We are seeing the following error..

    error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
    PKCS12_parse() failed = 183.

(Using GetLastError from errhandlingapi.h, the 183 error code is obtained.)

Worth mentioning that we are only seeing this issue occur when the server is a Windows 2012 server.

Thank you,
Victor C.
query on api PKCS12_parse()
Hello,

I am using the API PKCS12_parse for creating the private key and certs. When I send a wrong password to the API, my process crashes in the call PKCS12_parse(). The same API works fine when I pass the correct passwd. Can someone please help to send some clues to resolve/debug this issue.

    p12 = d2i_PKCS12_fp(fp, NULL);
    PKCS12_parse(p12, passwd, &pkey, &cert, &ca);

Regards
Simon
PKCS12_parse produces ca stack in reverse order
If one naively uses PKCS12_parse to extract key, certificate, and certificate chain, and then iterates through the STACK_OF(X509) calling SSL_CTX_add_extra_chain_cert (starting at sk_X509_value(ca, 0)) then the chain will be in the opposite order to what's in the PKCS#12 file.

That seems consistent with what the code in crypto/pkcs12/p12_kiss.c is saying: having constructed ocerts from the file, it iterates with a loop

    while ((x = sk_X509_pop(ocerts)))

doing

    if (!sk_X509_push(*ca, x))

So (IIUC) the order's exactly reversed. Is that behaviour a bug or a feature? (Given that it's presumably always been that way, I guess it's a feature?)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Freeing memory allocated during PKCS12_parse
Hi,

What's the correct way of freeing the memory allocated by a call to:

    int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)

assuming ca is non-null?

Thanks,
Richard.
PKCS12_parse() behavior change in 1.0.1
Hi,

The behavior of this function in openssl 1.0.1 seems changed (compared with 0.9.8d). In the early release, the user key parameter could be NULL if only the user cert was of interest, e.g.

    PKCS12_parse(p12, password, NULL, cert, NULL)

used to return the cert. In 1.0.1, both the key and the cert parameter have to be non-NULL (may not be initialized though), otherwise the cert will not be returned. See code in evp_pbe.c:

    while ((x = sk_X509_pop(ocerts)))
    {
        if (pkey && *pkey && cert && !*cert)
        {
            if (X509_check_private_key(x, *pkey))
            {
                *cert = x;   /* <== cert is only returned when both pkey and cert are not NULL */
                x = NULL;
            }
        }

Is this change intended or a bug?

Thanks,
-binlu
PKCS12_parse() in multi-threads, heap is corrupt
Hi,

I wrote a simple pkcs12 demo (under Windows); it just reads from a PKCS12 file and gets the private key and certificate. If I use a single thread, it works fine. If I use multi-thread, it works fine for a while, then pops up an error dialogue "heap is corrupt". If I debug it in Visual Studio, it points to PKCS12_parse(). If I use EnterCriticalSection and LeaveCriticalSection with multi-thread, it works fine too, but as you know, the effect is the same as single thread.

So I want to know, what shared resource is protected by the CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed in multi-threads without a mutex?

Thank you in advance. Here is the source code.

===
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>
#include <windows.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <openssl/evp.h>
#include <openssl/pkcs12.h>

char p12file[256] = "C:/test/ABCD.p12";
char p12pswd[10] = "123456";
unsigned char *p12buf = NULL;
int p12buflen = 0;
#define N 30 /* amount of threads */
#define M 20 /* amount of executions per thread */

/* read the content from a PKCS12 file */
int Load_File(char *filename, unsigned char *pbuf, int *plen)
{
    int fd = -1;
    struct stat stat_buf;
    int len = 0, count = 0, size = 0;

    if ((fd = open(filename, O_RDONLY | O_BINARY, S_IREAD)) < 0) {
        return 1;
    }
    if (stat(filename, &stat_buf) != 0) {
        close(fd);
        return 1;
    }
    len = stat_buf.st_size;
    if (pbuf == NULL) {
        *plen = len;
    } else {
        count = 0;
        while (count < len) {
            size = read(fd, pbuf + count, len - count);
            if (size <= 0) {
                close(fd);
                if (pbuf != NULL)
                    free(pbuf);
                return 1;
            }
            count += size;
        }
        *plen = len;
    }
    close(fd);
    return 0;
}

int pkcs12test(unsigned char *p12buf, int p12buflen, const char *p12pswd)
{
    PKCS12 *p12;
    X509 *cert = NULL;
    EVP_PKEY *prvkey = NULL;
    const unsigned char *p = p12buf; /* d2i advances this pointer, so use a local copy */

    OpenSSL_add_all_algorithms();
    if ((p12buf == NULL) || (p12buflen <= 0)) {
        printf("parameter error\n");
        return -1;
    }
    p12 = d2i_PKCS12(NULL, &p, p12buflen);
    if (p12 == NULL) {
        printf("d2i_PKCS12 error\n");
        return -1;
    }
    if (PKCS12_parse(p12, p12pswd, &prvkey, &cert, NULL) != 1) {
        PKCS12_free(p12);
        p12 = NULL;
        printf("PKCS12_parse error\n");
        return -1;
    }
    PKCS12_free(p12);
    p12 = NULL;
    EVP_PKEY_free(prvkey);
    X509_free(cert);
    return 0;
}

typedef struct _param {
    int threadidx;
    int type;
} THREADPARAM;

DWORD WINAPI ThreadProc(LPVOID param)
{
    THREADPARAM *pa = (THREADPARAM *)param;
    int i = 0;
    int ret = 0;

    printf("[%d]thread BEGIN\n", pa->threadidx);
    for (i = 0; i < M; i++) {
        ret = pkcs12test(p12buf, p12buflen, p12pswd);
        if (ret == 0) {
            printf("pkcs12test success[%d_%d]\n", pa->threadidx, i);
        } else {
            printf("pkcs12test error[%d_%d]\n", pa->threadidx, i);
        }
    }
    printf("[%d]thread END\n", pa->threadidx);
    Sleep(10 * 1000);
    return 0;
}

int main(void)
{
    DWORD dwThreadId[N];
    HANDLE hThread[N];
    THREADPARAM *param[N];
    int ret = 0;
    int i = 0;

    ret = Load_File(p12file, NULL, &p12buflen);
    if (ret != 0) {
        return 1;
    }
    p12buf = (unsigned char *)malloc(p12buflen + 1);
    if (p12buf == NULL) {
        printf("malloc(%d) fail\n", p12buflen);
        return 1;
    }
    ret = Load_File(p12file, p12buf, &p12buflen);
    if (ret != 0) {
        return 1;
    }
    for (i = 0; i < N; i++) {
        param[i] = (THREADPARAM *)malloc(sizeof(THREADPARAM));
        if (param[i] == NULL) {
            printf("malloc fail\n");
            return 1;
        }
        param[i]->threadidx = i;
        param[i]->type = 1;
        hThread[i] = CreateThread(NULL, 0, ThreadProc, param[i], 0, &dwThreadId[i]);
        if (hThread[i] == NULL) {
            ExitProcess(i);
        }
    }
    printf("before wait...");
    WaitForMultipleObjects(N, hThread, TRUE, INFINITE);
    printf("...end wait\n");
    Sleep(5 * 60 * 1000);
    for (i = 0; i < N; i++) {
        CloseHandle(hThread[i]);
        if (param[i] != NULL) {
            free(param[i]);
            param[i] = NULL;
        }
    }
    return 0;
}
===
Re: PKCS12_parse() in multi-threads, heap is corrupt
On Sun, Dec 11, 2011, cellecial wrote:

> Hi, I wrote a simple pkcs12 demo (under Windows); it just reads from a PKCS12 file and gets the private key and certificate. If I use a single thread, it works fine. If I use multi-thread, it works fine for a while, then pops up an error dialogue "heap is corrupt". If I debug it in Visual Studio, it points to PKCS12_parse(). If I use EnterCriticalSection and LeaveCriticalSection with multi-thread, it works fine too, but as you know, the effect is the same as single thread. So I want to know, what shared resource is protected by the CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed in multi-threads without a mutex?
>
>     int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char *p12pswd)
>     {
>         PKCS12 *p12;
>         X509 *cert;
>         EVP_PKEY *prvkey;
>         int len;
>         char buf[4096];
>         int i = 0;
>         char desc[1000];
>         OpenSSL_add_all_algorithms();

At least one problem is the above line. You should call OpenSSL_add_all_algorithms() *once* before starting threads.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: PKCS12_parse() in multi-threads, heap is corrupt
Thank you. I added OpenSSL_add_all_algorithms(); in the main function and included openssl/evp.h, but it still pops up the error dialogue after a while. Some threads can end well, others are not so lucky.

On Sun, Dec 11, 2011 at 8:14 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Sun, Dec 11, 2011, cellecial wrote:
>
>>     int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char *p12pswd)
>>     {
>>         PKCS12 *p12;
>>         X509 *cert;
>>         EVP_PKEY *prvkey;
>>         int len;
>>         char buf[4096];
>>         int i = 0;
>>         char desc[1000];
>>         OpenSSL_add_all_algorithms();
>
> At least one problem is the above line. You should call OpenSSL_add_all_algorithms() *once* before starting threads.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: PKCS12_parse() in multi-threads, heap is corrupt
On Sun, Dec 11, 2011, cellecial wrote:

> Thank you. I added OpenSSL_add_all_algorithms(); in the main function and included openssl/evp.h, but it still pops up the error dialogue after a while. Some threads can end well, others are not so lucky.

Have you set the locking callbacks? You need to set those to make OpenSSL thread safe. See the FAQ and documentation for more details.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: PKCS12_parse() in multi-threads, heap is corrupt
Thank you, and sorry for my last two posts without reading the FAQ carefully first. Now I have read the FAQ and the example of the callback functions. It seems I need more time to understand it and do some examples by myself. Anyway, I should complete my work asap, so I added thread_setup(), thread_cleanup() and win32_locking_callback() to my code; it still fails in multi-thread mode.

I think maybe my openssl wasn't configured with thread support, but the Configure instructions say:

    # [no-]threads   [don't] try to create a library that is suitable for
    #                multithreaded applications (default is threads if we
    #                know how to do it)

I guess that means openssl on windows supports threads by default. And I found this snippet in opensslconf.h:

    #ifndef OPENSSL_THREADS
    # define OPENSSL_THREADS
    #endif

It seems like switching on the thread support. Is there anything I can do to make it work?

On Sun, Dec 11, 2011 at 8:51 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Sun, Dec 11, 2011, cellecial wrote:
>
>> Thank you. I added OpenSSL_add_all_algorithms(); in the main function and included openssl/evp.h, but it still pops up the error dialogue after a while. Some threads can end well, others are not so lucky.
>
> Have you set the locking callbacks? You need to set those to make OpenSSL thread safe. See the FAQ and documentation for more details.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
PKCS12_parse
Hello,

I am maintaining a piece of code that calls PKCS12_parse. It worked with an older version of openssl (0.9.8m), but it is not working with version 1.0.0. Here are some clips:

    X509 *cert = NULL;
    BIO *in = NULL;
    STACK_OF(X509) *ca_certs = NULL;
    PKCS12 *p12 = NULL;
    EVP_PKEY *pkey = NULL;
    char pass[PEM_BUFSIZE];
    strcpy(pass, exportpw.c_str()); // I verified that the password is correct
    p12 = d2i_PKCS12_bio(in, NULL);
    if (!(PKCS12_parse(p12, pass, &pkey, &cert, &ca_certs)))

I created the pkcs12 file with:

    openssl req -new -x509 -days 365 -keyout new.pem -out new.pem
    openssl pkcs12 -export -in new.pem -out new.p12 -name "My certificate"

I read in two places on the net that this code was fixed for version 1 and above. Does anyone have any information on this?

Thank you,
Dirce
Re: PKCS12_parse
On Tue, Nov 15, 2011, dricha...@globalcerts.net wrote:

> Hello,
>
> I am maintaining a piece of code that calls PKCS12_parse. It worked with an older version of openssl (0.9.8m), but it is not working with version 1.0.0. Here are some clips:
>
>     X509 *cert = NULL;
>     BIO *in = NULL;
>     STACK_OF(X509) *ca_certs = NULL;
>     PKCS12 *p12 = NULL;
>     EVP_PKEY *pkey = NULL;
>     char pass[PEM_BUFSIZE];
>     strcpy(pass, exportpw.c_str()); // I verified that the password is correct
>     p12 = d2i_PKCS12_bio(in, NULL);
>     if (!(PKCS12_parse(p12, pass, &pkey, &cert, &ca_certs)))
>
> I created the pkcs12 file with:
>
>     openssl req -new -x509 -days 365 -keyout new.pem -out new.pem
>     openssl pkcs12 -export -in new.pem -out new.p12 -name "My certificate"
>
> I read in two places on the net that this code was fixed for version 1 and above. Does anyone have any information on this?

What error message do you get: see FAQ.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: PKCS12_parse
I made some progress. The call to PKCS12_parse succeeded, but the pkey returned was NULL. Please see below where I indicated how I created this .p12 file. I wonder why the PKCS12_parse command can't read its private key. I keep suspecting permissions, but they seem ok - this app is running as cgi.

Any suggestions are appreciated.

Dirce

> Hello,
>
> I am maintaining a piece of code that calls PKCS12_parse. It worked with an older version of openssl (0.9.8m), but it is not working with version 1.0.0. Here are some clips:
>
>     X509 *cert = NULL;
>     BIO *in = NULL;
>     STACK_OF(X509) *ca_certs = NULL;
>     PKCS12 *p12 = NULL;
>     EVP_PKEY *pkey = NULL;
>     char pass[PEM_BUFSIZE];
>     strcpy(pass, exportpw.c_str()); // I verified that the password is correct
>     p12 = d2i_PKCS12_bio(in, NULL);
>     if (!(PKCS12_parse(p12, pass, &pkey, &cert, &ca_certs)))
>
> I created the pkcs12 file with:
>
>     openssl req -new -x509 -days 365 -keyout new.pem -out new.pem
>     openssl pkcs12 -export -in new.pem -out new.p12 -name "My certificate"
>
> I read in two places on the net that this code was fixed for version 1 and above. Does anyone have any information on this?
>
> Thank you,
> Dirce
Re: PKCS12_parse
Sorry, but this is just getting more interesting: it seems that the call fails when I type the right password (within the app, not in my sample). It is when I typed the wrong password that the call succeeded, but returned the empty key...

Will keep investigating...

Dirce

> I made some progress. The call to PKCS12_parse succeeded, but the pkey returned was NULL. Please see below where I indicated how I created this .p12 file. I wonder why the PKCS12_parse command can't read its private key. I keep suspecting permissions, but they seem ok - this app is running as cgi.
>
> Any suggestions are appreciated.
>
> Dirce
Re: PKCS12_parse / PKCS12_create issue
Hi Dave,

Thank you for the detailed explanation and the suggestions. It really helped to solve the issue. I did use the openssl tool to avoid the problem. I tried clearing the keyid and friendly name in the cert using the X509_*_set1 functions before passing it to PKCS12_create and it also worked fine. I was not aware of these APIs to clear the attribute fields. So another option I tried was creating my own PKCS12 parse function and removing the keyid attribute setting in the cert.

Your assumption about my code snippet is right. I just provided the relevant functions, which are actually from two different functions in my code. So fp handling is fine. Also thanks for pointing out the discrepancy in the encryption algorithm passed to the PKCS12_create function.

-Shafeek
RE: PKCS12_parse / PKCS12_create issue
> From: owner-openssl-us...@openssl.org On Behalf Of Muhammed Shafeek
> Sent: Wednesday, 26 January, 2011 12:30
>
> I've a program that extracts private key and cert from the input pfx file loaded into the system and then create a p12 file out of this private key and cert using a different password to add it to a local keystore.

You know you could use the commandline utility to do this. (Given it is present, or can be installed, and accessible; and you can write some temporary files, but if you can write an output file you can probably do temporaries.)

>     /*code to extract key*/
>     p12Key = d2i_PKCS12_fp(fp, NULL);
>     PKCS12_parse(p12Key, pass, &pkey, NULL, NULL);
>
>     /*code to extract cert*/
>     p12Cert = d2i_PKCS12_fp(fp, NULL);
>     PKCS12_parse(p12Cert, pass, NULL, &pCert, NULL);

I assume you've omitted some file-management code here, since two d2i's from the same file open (fp) don't work. And you don't need them; you could call PKCS12_parse twice on a single (decoded) p12 object. But you shouldn't; one call to PKCS12_parse can get both key and cert, and should since they logically (must) go together.

And you should definitely check for error(s), but I'll optimistically assume that was just omitted for posting.

>     /*creating p12 from the extracted key and cert*/
>     p12 = PKCS12_create(password, name, pkey, pCert, NULL,
>                         NID_pbe_WithSHA1And40BitRC4, NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
>                         0, 0, 0);

It makes no security sense to encrypt the key with RC4-40, which nowadays is trivially brute-forced (even in the days of ITAR when PKCS12 was established, it was pretty easy), but the cert, which doesn't really need privacy, with TripleDES. The defaults, which are the other way, would be much better.

> I observe the following things:
>
> 1. The attributes ptr in pkey extracted using PKCS12_parse is null. Note that the input pfx does have local Key ID and friendly name. The cert extracted using PKCS12_parse has a local Key ID attribute which is the same as in the input pfx file.

Yes, p12_kiss.c returns alias=friendly and keyid for the cert and no attributes for the key. The man page says "Attributes currently cannot be store in the private key EVP_PKEY structure." although that appears to be out of date. Perhaps it should, although friendly and keyid should be the same for key and cert if used at all, so getting them on the cert should probably usually be enough.

> 2. The p12 file created using PKCS12_create has a local KeyID attribute for the private key which is different from that of the cert.

I assume you mean PKCS12_create plus i2d_PKCS12_fp or similar, since PKCS12_create by itself only creates a memory structure.

> Can anyone please explain the reason for this? Is there any issue in my code? Or is this an openssl issue?

On the cert, p12_crt.c uses any friendly=alias and keyid in the cert object, and ADDS friendly from caller if not null and keyid = SHA1 of cert (if doing both key and cert). This appears to violate PKCS9 (at least the one I have) which says single-valued. And isn't mentioned on the man page. (On the key, it just does friendly from caller and keyid = SHA1, but also MSCSPname and recently LocalKeySet from key.attributes!)

Depending on the software that reads this, if it assumes the PKCS9 single-value rule as it apparently has a right to, which values get used/displayed/whatever for the cert may be arbitrary or even unpredictable. You probably should X509_alias_set1(cert, NULL, 0) and similarly for keyid on your cert before giving it to PKCS12_create. Alternatively, but more work, build your own exactly as you want with the PKCS12_ PKCS7_ PKCS8_ etc. primitives.
PKCS12_parse / PKCS12_create issue
Hi,

I've a program that extracts private key and cert from the input pfx file loaded into the system and then creates a p12 file out of this private key and cert using a different password, to add it to a local keystore.

    /*code to extract key*/
    p12Key = d2i_PKCS12_fp(fp, NULL);
    PKCS12_parse(p12Key, pass, &pkey, NULL, NULL);

    /*code to extract cert*/
    p12Cert = d2i_PKCS12_fp(fp, NULL);
    PKCS12_parse(p12Cert, pass, NULL, &pCert, NULL);

    /*creating p12 from the extracted key and cert*/
    p12 = PKCS12_create(password, name, pkey, pCert, NULL,
                        NID_pbe_WithSHA1And40BitRC4, NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
                        0, 0, 0);

I observe the following things:

1. The attributes ptr in pkey extracted using PKCS12_parse is null. Note that the input pfx does have local Key ID and friendly name. The cert extracted using PKCS12_parse has a local Key ID attribute which is the same as in the input pfx file.

2. The p12 file created using PKCS12_create has a local KeyID attribute for the private key which is different from that of the cert.

Can anyone please explain the reason for this? Is there any issue in my code? Or is this an openssl issue?

Thanks
Shafeek
Re: PKCS12_parse() SEGV.
On Sun, 2010-05-09 at 12:12 +0100, David Woodhouse wrote:
> Although that's OK for my purposes, I think it's actually a bug. The man page for PKCS12_parse() says that *ca can be a valid stack, in which case additional certificates are appended to *ca. It _doesn't_ say "oh, but if parsing fails because the user fat-fingered the passphrase, we'll completely free your carefully pre-generated stack in *ca and set *ca to NULL".
>
> Surely it shouldn't be freeing the _original_ contents of the stack which was passed in *ca? Those should be preserved.
>
> My test was against 1.0.0-beta4, from Fedora 12.

It looks like this has since been fixed.

In older versions of OpenSSL (1.0.0-beta2), the failure mode is actually "... we'll free your carefully pre-generated stack in *ca but for extra fun, we leave *ca pointing to the now-freed memory". Which is the bug that I tripped over.

We should either backport the whole fix to the 0.9.8 branch, or at the very least do this:

--- crypto/pkcs12/p12_kiss.c5 Nov 2008 18:36:46 - 1.20.2.1 +++ crypto/pkcs12/p12_kiss.c9 May 2010 12:27:42 - @@ -134,7 +134,10 @@ int PKCS12_parse(PKCS12 *p12, const char if (pkey *pkey) EVP_PKEY_free(*pkey); if (cert *cert) X509_free(*cert); - if (ca) sk_X509_pop_free(*ca, X509_free); + if (ca) { + sk_X509_pop_free(*ca, X509_free); + *ca = NULL; + } return 0; }

--
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation
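Review bot: the dangling pointer this hunk closes for *ca is left open for *pkey and *cert in the two unchanged context lines just above the removed line: EVP_PKEY_free(*pkey) and X509_free(*cert) release the caller's objects but never reset the pointers, so when a parse fails after one of them has already been assigned, the caller is left holding freed pointers, and feeding them back into a retry (the loop the test program in this thread runs) frees them a second time. Suggest adding *pkey = NULL; and *cert = NULL; right after those two frees, in the same style as the added *ca = NULL;. The hunk also still discards whatever stack the caller pre-populated in *ca, which the message above notes contradicts the man page's "appended to *ca" wording; if that is the intended behaviour for the stable branch, the man page should say so.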
PKCS12_parse() SEGV.
With OpenSSL 0.9.8n this test program segfaults the second time it tries to parse the PKCS#12 file. It was fixed for OpenSSL 1.0.0 by this commit: http://cvs.openssl.org/chngview?cn=17957 Starting program: /home/dwmw2/p12test .cert/certificate.p12 Enter PKCS#12 passphrase: 140737353934504:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121: Parse PKCS#12 failed (wrong passphrase?) Enter PKCS#12 passphrase: Program received signal SIGSEGV, Segmentation fault. __libc_free (mem=0x31) at malloc.c:3709 3709 if (chunk_is_mmapped(p)) /* release mmapped memory. */ (gdb) bt #0 __libc_free (mem=0x31) at malloc.c:3709 #1 0x00417d5d in CRYPTO_free () #2 0x0044396d in ASN1_STRING_free () #3 0x0043f2cd in ASN1_primitive_free () #4 0x0043f69f in ASN1_template_free () #5 0x0043f586 in asn1_item_combine_free () #6 0x0043f6d5 in ASN1_item_free () #7 0x0042e2b4 in sk_pop_free () #8 0x0045d643 in PKCS12_parse () #9 0x00401c69 in main () My dirty workaround for now is just to add a deliberate memory leak in my application just before the 'goto retry': #if OPENSSL_VERSION_NUMBER 0x1002 ca = sk_X509_new_null(); #endif Any better suggestions? I still stand by everything I said in http://www.advogato.org/person/dwmw2/diary/205.html about loading certificates, FWIW. 
-- dwmw2

#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/pkcs12.h>
#include <openssl/x509v3.h>

int main(int argc, char **argv)
{
    FILE *f;
    EVP_PKEY *pkey = NULL;
    char pass[PEM_BUFSIZE];
    X509 *cert = NULL;
    PKCS12 *p12;
    STACK_OF(X509) *ca;

    SSL_library_init();
    ERR_clear_error();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

    if (argc != 2) {
        fprintf(stderr, "Need PKCS#12 filename\n");
        exit(1);
    }
    f = fopen(argv[1], "r");
    if (!f) {
        perror("fopen");
        exit(1);
    }
    p12 = d2i_PKCS12_fp(f, NULL);
    if (!p12) {
        fprintf(stderr, "d2i_PKCS12_fp failed\n");
        exit(1);
    }

    /* Pre-allocated stack: the man page says extra certs are appended to it */
    ca = sk_X509_new_null();

 retry:
    if (EVP_read_pw_string(pass, PEM_BUFSIZE, "Enter PKCS#12 passphrase:", 0)) {
        fprintf(stderr, "Failed to obtain passphrase\n");
        exit(1);
    }
    if (!PKCS12_parse(p12, pass, &pkey, &cert, &ca)) {
        unsigned long err = ERR_peek_error();
        ERR_print_errors_fp(stderr);
        /* A MAC failure means the passphrase was wrong: ask again */
        if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 &&
            ERR_GET_FUNC(err) == PKCS12_F_PKCS12_PARSE &&
            ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) {
            fprintf(stderr, "Parse PKCS#12 failed (wrong passphrase?)\n");
            goto retry;
        }
        fprintf(stderr, "Failed\n");
        exit(1);
    }
    printf("Succeeded\n");
    return 0;
}
Re: PKCS12_parse() SEGV.
On Fri, May 07, 2010, David Woodhouse wrote:

> With OpenSSL 0.9.8n this test program segfaults the second time it tries to parse the PKCS#12 file. It was fixed for OpenSSL 1.0.0 by this commit: http://cvs.openssl.org/chngview?cn=17957
>
> Starting program: /home/dwmw2/p12test .cert/certificate.p12
> Enter PKCS#12 passphrase:
> 140737353934504:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
> Parse PKCS#12 failed (wrong passphrase?)
> Enter PKCS#12 passphrase:
>
> Program received signal SIGSEGV, Segmentation fault.
> __libc_free (mem=0x31) at malloc.c:3709
> 3709 if (chunk_is_mmapped(p)) /* release mmapped memory. */
> (gdb) bt
> #0 __libc_free (mem=0x31) at malloc.c:3709
> #1 0x00417d5d in CRYPTO_free ()
> #2 0x0044396d in ASN1_STRING_free ()
> #3 0x0043f2cd in ASN1_primitive_free ()
> #4 0x0043f69f in ASN1_template_free ()
> #5 0x0043f586 in asn1_item_combine_free ()
> #6 0x0043f6d5 in ASN1_item_free ()
> #7 0x0042e2b4 in sk_pop_free ()
> #8 0x0045d643 in PKCS12_parse ()
> #9 0x00401c69 in main ()
>
> My dirty workaround for now is just to add a deliberate memory leak in my application just before the 'goto retry':
>
> #if OPENSSL_VERSION_NUMBER 0x1002
> ca = sk_X509_new_null();
> #endif
>
> Any better suggestions?

Setting ca to NULL if it fails should work. That should be done in PKCS12_parse() on error.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: PKCS12_parse() SEGV.
On Fri, 2010-05-07 at 19:24 +0200, Dr. Stephen Henson wrote:
> Setting ca to NULL if it fails should work. That should be done in PKCS12_parse() on error.

AIUI I don't want it to be NULL; I need it to be an empty stack. I need the returned 'extra' certs so that I can work around RT#1942 on the server.

-- dwmw2
Re: PKCS12_parse() SEGV.
On Fri, May 07, 2010, David Woodhouse wrote:
> On Fri, 2010-05-07 at 19:24 +0200, Dr. Stephen Henson wrote:
> > Setting ca to NULL if it fails should work. That should be done in PKCS12_parse() on error.
>
> AIUI I don't want it to be NULL; I need it to be an empty stack. I need the returned 'extra' certs so that I can work around RT#1942 on the server.

If you pass a NULL for the final argument in PKCS12_parse() extra CA certificates are ignored as it has nowhere to put them.

If you pass a pointer to a NULL STACK_OF(X509) i.e do:

STACK_OF(X509) *ca = NULL;

and pass &ca it will allocate a stack and put the extra certs in ca.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
PKCS12_parse
Hello,

Is there a way to create a PKCS7 certificate from the cert and ca arguments returned from this function:

int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);

Given a PKCS12 credential, I need to create a PKCS7 file which includes the CA certificates (root certificate and intermediate certificate) also.

thanks,
Olivia
PKCS12_parse Issue?
Hello all,

I'm trying to run a loop to parse the same p12 multiple times to take some metrics. However, after the loop completes twice successfully, PKCS12_parse fails. Any suggestions as to why this is happening?

-Chris

while (count > 0) {
    /* Parse the PKCS #12 file with password */
    ca = (STACK_OF(X509) *)NULL;
    if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) {
        printf("Error parsing file\n");
        return -3;
    }
    /* Find PKey */
    if ((EVP_PKEY *)NULL == pkey) {
        //printf("No private key!\n");
    } else {
        //printf("Private key found!\n");
    }
    /* Find Cert */
    if ((X509 *)NULL == cert) {
        //printf("No X509!\n");
    } else {
        //printf("X509 found!\n");
    }
    /* Find CA */
    if ((STACK_OF(X509) *)NULL == ca) {
        //printf("No CA!\n");
    } else {
        //printf("CA found!\n");
    }
    count--;
    EVP_PKEY_free(pkey);
    X509_free(cert);
    sk_X509_pop_free(ca, X509_free);
} //end while
Re: PKCS12_parse Issue?
On Thu, Jul 10, 2008, Christopher Ivory wrote:
> Hello all,
>
> I'm trying to run a loop to parse the same p12 multiple times to take some metrics. However, after the loop completes twice successfully, PKCS12_parse fails. Any suggestions as to why this is happening?
>
> -Chris
>
> while (count > 0) {
>     /* Parse the PKCS #12 file with password */
>     ca = (STACK_OF(X509) *)NULL;
>     if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) {
>         printf("Error parsing file\n");
>         return -3;
>     }
>     /* Find PKey */
>     if ((EVP_PKEY *)NULL == pkey) {
>         //printf("No private key!\n");
>     } else {
>         //printf("Private key found!\n");
>     }
>     /* Find Cert */
>     if ((X509 *)NULL == cert) {
>         //printf("No X509!\n");
>     } else {
>         //printf("X509 found!\n");
>     }
>     /* Find CA */
>     if ((STACK_OF(X509) *)NULL == ca) {
>         //printf("No CA!\n");
>     } else {
>         //printf("CA found!\n");
>     }
>     count--;
>     EVP_PKEY_free(pkey);
>     X509_free(cert);
>     sk_X509_pop_free(ca, X509_free);
> } //end while

Try the FAQ for details of how to get a more meaningful error code.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
PKCS12_parse - additional certificates
Hi,

int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);

If PKCS12_parse() is successful, the private key will be written to *pkey, the corresponding certificate to *cert and any additional certificates to *ca.

1. What is the use of the additional certificates?
2. Should they be used as root CA certificates for that domain? If yes, should we add them using SSL_CTX_load_verify_locations() OR SSL_CTX_set_cert_store()?
3. Do they have any relationship with the retrieved private key?

Best Regards,
Manish Jain
GlobalLogic Inc.
pkcs12_parse problem
Hi all,

I've installed the openssl 0.9.8a version and I'm using new features from pkcs12_create (cert may be NULL). Every time I call PKCS12_parse it transforms the pkey address into 0x0, so it's impossible to recover values from the pk12 object. I've searched some example codes and they seem the same as mine, but...

For the moment, my code looks like:

EVP_PKEY *pkey, *pkey1;

pkey = EVP_PKEY_new();
if (EVP_PKEY_assign_RSA(pkey, rsa) == 0) {
    EVP_PKEY_free(pkey);
    return NULL;
}
if ((pk12 = PKCS12_create(pass, clave, pkey, NULL, NULL, 0, 0, 0, 0, 0)) == NULL) {
    EVP_PKEY_free(pkey);
    return NULL;
}
... [other things]
pkey1 = EVP_PKEY_new();
if (PKCS12_parse(pk12, pass, &pkey1, NULL, NULL) != 1)
    return 1;
if ((rsa = EVP_PKEY_get1_RSA(pkey1)) == NULL)
    return 1;

Any idea???

Thanks,
Alicia Asín
Fw: problem in pkcs12_parse
I would be grateful if someone could help me.

I have tried to parse the attached pkcs12 file using the code below and openssl 0.9.8a. The PKCS12 file contains a private key, a user certificate and the root CA certificate used to sign the user certificate. All of them have a localKeyID field, which is the same in the private key and in the user certificate. The CA certificate has a different localKeyID value.

Openssl correctly retrieves the private key into "pkey", but in "cert" it places the CA certificate instead of the final user certificate. Finally, in "ca" it does not place anything, so it remains empty.

I have tried to use command line commands and when using

pkcs12 -in pkcs12_out.p12 -passin pass:USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb -nodes -clcerts

it returns the two certificates (CA and final) and the private key, whereas when using

pkcs12 -in pkcs12_out.p12 -passin pass:USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb -nodes -cacerts

it does not return any certificate but the private key!

Thanks a lot.
/**/ /*** CODE */ /**/

std::ifstream inStream("pkcs12_out.p12", std::ios::in | std::ios::binary);
unsigned long length = 0;
inStream.seekg(0L, std::ios::end);
length = inStream.tellg();
inStream.seekg(0L, std::ios::beg);
char *data = new char[length];
inStream.read(data, length);
inStream.close();

BIO *mem;
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12;
unsigned long error;

SSLeay_add_all_algorithms();
ERR_load_crypto_strings();

mem = BIO_new_mem_buf(data, length);
p12 = d2i_PKCS12_bio(mem, NULL);
BIO_free(mem);
if (!p12) {
    std::cout << "Error reading PKCS#12 file" << std::endl;
}
if (!PKCS12_parse(p12, "USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb", &pkey, &cert, &ca)) {
    std::cout << "Error parsing PKCS#12 file" << std::endl;
}

/**/ /** PKCS12 contents */ /**/

OpenSSL> pkcs12 -in pkcs12_out.p12 -passin pass:USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb -nodes
MAC verified OK
Bag Attributes
    localKeyID: 87 F7 F0 DF 39 3F A1 CE B5 56 D8 BA E8 EC B1 72 BF A7 2D 6F
    friendlyName: ITO_26adfe3d-165f-3fb2-ad8c-665aa3ec4e0c
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 87 F7 F0 DF 39 3F A1 CE B5 56 D8 BA E8 EC B1 72 BF A7 2D 6F
    friendlyName: ITO_26adfe3d-165f-3fb2-ad8c-665aa3ec4e0c
subject=/O=AXMEDIS/CN=ITO_26adfe3d-165f-3fb2-ad8c-665aa3ec4e0c
issuer=/O=AXMEDIS/OU=AXMEDIS AXCS CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: C0 36 19 07 AD C4 88 97 A8 5E 72 6F 6B 09 EB E5 E6 F1 29 5C
    friendlyName: AXMEDIS AXCS CA
subject=/O=AXMEDIS/OU=AXMEDIS AXCS CA
issuer=/O=AXMEDIS/OU=AXMEDIS AXCS CA
-----BEGIN CERTIFICATE-----
MIICATCCAWqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAsMRAwDgYDVQQKEwdBWE1FRElTMRgwFgYDVQQLEw9BWE1FRElTIEFYQ1MgQ0EwHhcNMDUwODIyMTQxNjI1WhcNMTIwNDE3MTQxNjI2WjAsMRAwDgYDVQQKEwdBWE1FRElTMRgwFgYDVQQLEw9BWE1FRElTIEFYQ1MgQ0EwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBALJZ0tbmJ6doyUvjYWTC2fx52XqrklMUDlvxd1EZdzHW91QNJQnnuf/uCnCm4m1W6S0u3X+Fq6hWALaQifNfa9vzwpjgWEJTXZ8GTmsDkct9MG4KLSDE37TntJqWQL3qJsEK1pw/BQB84lE8
possible bug in PKCS12_parse
I would be grateful if someone could help me.

I have tried to parse the attached pkcs12 file using the code below and openssl 0.9.8a. The PKCS12 file contains a private key, the corresponding certificate and a root CA certificate. All of them have a localKeyID field, which is the same in the private key and in its corresponding certificate. The CA certificate has a different localKeyID value.

Openssl correctly retrieves the private key into "pkey", but in "cert" it places the CA certificate instead of the final user certificate. Finally, in "ca" it does not place anything, so it remains empty.

I have tried to use command line commands and when using

pkcs12 -in pkcs12_out.p12 -passin pass:USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb -nodes -clcerts

it returns the two certificates (CA and final) and the private key, whereas when using

pkcs12 -in pkcs12_out.p12 -passin pass:USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb -nodes -cacerts

it does not return any certificate but the private key!

Thanks a lot.
/**/ /*** CODE */ /**/

std::ifstream inStream("pkcs12_out.p12", std::ios::in | std::ios::binary);
unsigned long length = 0;
inStream.seekg(0L, std::ios::end);
length = inStream.tellg();
inStream.seekg(0L, std::ios::beg);
char *data = new char[length];
inStream.read(data, length);
inStream.close();

BIO *mem;
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12;
unsigned long error;

SSLeay_add_all_algorithms();
ERR_load_crypto_strings();

mem = BIO_new_mem_buf(data, length);
p12 = d2i_PKCS12_bio(mem, NULL);
BIO_free(mem);
if (!p12) {
    std::cout << "Error reading PKCS#12 file" << std::endl;
}
if (!PKCS12_parse(p12, "USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb", &pkey, &cert, &ca)) {
    std::cout << "Error parsing PKCS#12 file" << std::endl;
}

/**/ /** PKCS12 contents */ /**/

OpenSSL> pkcs12 -in pkcs12_out.p12 -passin pass:USR_1b4e28ba-2fa1-11d2-883f-b9a761dbe3fb -nodes
MAC verified OK
Bag Attributes
    localKeyID: 87 F7 F0 DF 39 3F A1 CE B5 56 D8 BA E8 EC B1 72 BF A7 2D 6F
    friendlyName: ITO_26adfe3d-165f-3fb2-ad8c-665aa3ec4e0c
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 87 F7 F0 DF 39 3F A1 CE B5 56 D8 BA E8 EC B1 72 BF A7 2D 6F
    friendlyName: ITO_26adfe3d-165f-3fb2-ad8c-665aa3ec4e0c
subject=/O=AXMEDIS/CN=ITO_26adfe3d-165f-3fb2-ad8c-665aa3ec4e0c
issuer=/O=AXMEDIS/OU=AXMEDIS AXCS CA
-----BEGIN CERTIFICATE-----
MIICTDCCAbWgAwIBAgIEO5rKUzANBgkqhkiG9w0BAQUFADAsMRAwDgYDVQQKEwdBWE1FRElTMRgwFgYDVQQLEw9BWE1FRElTIEFYQ1MgQ0EwHhcNMDYwMTIzMTYxOTExWhcNMDYwMzI0MTYxOTExWjBFMRAwDgYDVQQKEwdBWE1FRElTMTEwLwYDVQQDDChJVE9fMjZhZGZlM2QtMTY1Zi0zZmIyLWFkOGMtNjY1YWEzZWM0ZTBjMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJFXO9WbjfRxOWvhJfNPbwbndScOF7A7WgO92/EDqfcKjtUniBclgCirk83j8f70/RvI+cUrQNuROzR5ye9duB1ln4yvjkR5xDO0e86WFFDN0Q6gJJtMrfvTM6sV6jzPDCorOIMOh4JQqLNwe7tWrQBqwZW92dSr2AkdQT8CGb1wIDAQABo2IwYDAdBgNVHQ4EFgQUh/fw3zk/oc61Vti66Oyxcr+nLW8wHwYDVR0jBBgwFoAUwDYZB63EiJeoXnJvawnr5ebxKVwwEQYJYIZIAYb4QgEBBAQDAgQwMAsGA1UdDwQEAwIDiDANBgkqhkiG9w0BAQUFAAOBgQAkIz6k/t/oCyM3aPUw2aTnC9ckiz0s2qH33ZvKi+nTTgf4XWx3kPTk8g5cICdqm1CCupQwhLh0bIyJE6ENxAs6vPteRbIWG4IkgQyQOtQtC21vImndP+fmJanVnrfxaC4fhwJ6Ie21cAmnDkjUqAdN3ylLDAfzkjLtYD2ITWx53g==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: C0 36 19 07 AD C4 88 97 A8 5E 72 6F 6B 09 EB E5 E6 F1 29 5C
    friendlyName: AXMEDIS AXCS CA
subject=/O=AXMEDIS/OU=AXMEDIS AXCS CA
issuer=/O=AXMEDIS/OU=AXMEDIS AXCS CA
-----BEGIN CERTIFICATE-----
MIICATCCAWqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAsMRAwDgYDVQQKEwdBWE1FRElTMRgwFgYDVQQLEw9BWE1FRElTIEFYQ1MgQ0EwHhcNMDUwODIyMTQxNjI1WhcNMTIwNDE3MTQxNjI2WjAsMRAwDgYDVQQKEwdBWE1FRElTMRgwFgYDVQQLEw9BWE1FRElTIEFYQ1MgQ0EwgZ0wDQYJKoZIhvcNAQEBBQADgYsAMIGHAoGBALJZ0tbmJ6doyUvjYWTC2fx52XqrklMUDlvxd1EZdzHW91QNJQnnuf/uCnCm4m1W6S0u3X+Fq6hWALaQifNfa9vzwpjgWEJTXZ8GTmsD
kct9MG4KLSDE37TntJqWQL3qJsEK1pw/BQB84lE8
Which algorithms are need for PKCS12_parse?
I'm trying to use PKCS12_parse and it's failing with:

error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error
error:23076072:PKCS12 routines:PKCS12_parse:parse error

This is a PKCS#12 container I created with OpenSSL 0.9.7 using whatever default algorithms it uses (the manual says RC2-40 and 3DES but I have added those without luck). Now, I am manually adding the algorithms and I absolutely do not want to use any sort of add_all_algorithms function because that makes my final application way too large (I'm statically linking to OpenSSL). It does actually work if I add all algorithms but as I said I do not want to do that.

I have tried adding all this:

EVP_add_cipher(EVP_des_ede());
EVP_add_cipher(EVP_des_ede3());
EVP_add_cipher(EVP_des_ede_ecb());
EVP_add_cipher(EVP_des_ede3_ecb());
EVP_add_cipher(EVP_des_cfb64());
EVP_add_cipher(EVP_des_cfb1());
EVP_add_cipher(EVP_des_cfb8());
EVP_add_cipher(EVP_des_ede_cfb64());
EVP_add_cipher(EVP_des_ede3_cfb64());
EVP_add_cipher(EVP_des_ede3_cfb1());
EVP_add_cipher(EVP_des_ede3_cfb8());
EVP_add_cipher(EVP_des_ofb());
EVP_add_cipher(EVP_des_ede_ofb());
EVP_add_cipher(EVP_des_ede3_ofb());
EVP_add_cipher(EVP_des_ede_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
EVP_add_cipher(EVP_desx_cbc());
EVP_add_cipher(EVP_rc2_ecb());
EVP_add_cipher(EVP_rc2_cbc());
EVP_add_cipher(EVP_rc2_40_cbc());
EVP_add_cipher(EVP_rc2_64_cbc());
EVP_add_cipher(EVP_rc2_cfb64());
EVP_add_cipher(EVP_rc2_ofb());
EVP_add_cipher(EVP_rc4());
EVP_add_cipher(EVP_rc4_40());
EVP_add_cipher(EVP_des_ecb());
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_aes_256_ecb());
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_digest(EVP_md5());
EVP_add_digest(EVP_sha1());

No luck... I wish the error messages would tell me _which_ algorithm is missing. ?

When searching for other people having this problem the answer is always "add all algorithms".

Thanks for any help.

-- // Chris
Re: Which algorithms are need for PKCS12_parse?
On Thu, Feb 16, 2006, Chris wrote:
> error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
> error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
> error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error
> error:23076072:PKCS12 routines:PKCS12_parse:parse error
>
> [snip]
>
> No luck... I wish the error messages would tell me _which_ algorithm is missing. ?
>
> When searching for other people having this problem the answer is always "add all algorithms".

Its a password based encryption (PBE) algorithm. Probably 40 bit RC2 and/or 3DES using the PKCS#12 key derivation algorithm.

Try calling PKCS12_PBE_add().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Which algorithms are need for PKCS12_parse?
On 2/16/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> Its a password based encryption (PBE) algorithm. Probably 40 bit RC2 and/or 3DES using the PKCS#12 key derivation algorithm.
>
> Try calling PKCS12_PBE_add().
>
> Steve.

Thanks! That did the trick.

I wish all these _add() functions were listed somewhere or at least listed in the relevant sections of the documentation. I spent much time looking through evp.h and other headers trying to find something that made sense and the whole time all I needed was PKCS12_PBE_add().

Thanks again!

-- // Chris
Re: Which algorithms are need for PKCS12_parse?
On Thu, Feb 16, 2006, Chris wrote:
> On 2/16/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> > Its a password based encryption (PBE) algorithm. Probably 40 bit RC2 and/or 3DES using the PKCS#12 key derivation algorithm.
> >
> > Try calling PKCS12_PBE_add().
> >
> > Steve.
>
> Thanks! That did the trick.
>
> I wish all these _add() functions were listed somewhere or at least listed in the relevant sections of the documentation. I spent much time looking through evp.h and other headers trying to find something that made sense and the whole time all I needed was PKCS12_PBE_add().

It is documented in doc/openssl.txt and that file is referred to in the FAQ...

http://www.openssl.org/support/faq.html#MISC2

At some point I'll tidy that up and place it in an appropriate manual page or better still tidy up the PBE API and document the tidied version...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Which algorithms are need for PKCS12_parse?
On 2/16/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Thu, Feb 16, 2006, Chris wrote:
>
> It is documented in doc/openssl.txt and that file is referred to in the FAQ...
>
> http://www.openssl.org/support/faq.html#MISC2
>
> At some point I'll tidy that up and place it in an appropriate manual page or better still tidy up the PBE API and document the tidied version...
>
> Steve.

Ah, OK. I'll have to widen my documentation search next time. There are so many documents it's hard to know where to look. I was reading the manual pages at openssl.org/docs/...

Heh, sometimes I think I spend more time trying to find OpenSSL documentation than actually developing. ;)

Thanks!

-- // Chris
Re: PKCS12_parse() fails (0.9.8.)
On Tue, Jul 19, 2005, Milan Tomic wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milan Tomic
> Sent: Monday, July 18, 2005 1:20 PM
> To: openssl-users@openssl.org
> Subject: PKCS12_parse() fails (0.9.8.)
>
> PKCS12_parse() fails (returns 0) in my case, although PKCS12_verify_mac() succeeds (returns 1). I have tried to export cert & key into a .pfx file in two ways:
> - using the Internet Explorer GUI,
> - using java's keytool.
> but still the same. What should I do? :(

What happens when you use the pkcs12 utility on the file? For example:

openssl pkcs12 -in file.pfx -out file.pem

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: PKCS12_parse() fails (0.9.8.)
Can someone give me a hand with this problem? :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milan Tomic
Sent: Monday, July 18, 2005 1:20 PM
To: openssl-users@openssl.org
Subject: PKCS12_parse() fails (0.9.8.)

PKCS12_parse() fails (returns 0) in my case, although PKCS12_verify_mac() succeeds (returns 1). I have tried to export cert & key into a .pfx file in two ways:
- using the Internet Explorer GUI,
- using java's keytool.
but still the same. What should I do? :(
Re: PKCS12_parse() fails (0.9.8.)
Milan Tomic wrote:
> PKCS12_parse() fails (returns 0) in my case, although PKCS12_verify_mac() succeeds (returns 1). I have tried to export cert & key into a .pfx file in two ways:
> - using the Internet Explorer GUI,
> - using java's keytool.
> but still the same. What should I do? :(

does ERR_print_errors give you more information ?

Nils
PKCS12_parse() fails (0.9.8.)
PKCS12_parse() fails (returns 0) in my case, although PKCS12_verify_mac() succeeds (returns 1). I have tried to export cert & key into a .pfx file in two ways:
- using the Internet Explorer GUI,
- using java's keytool.
but still the same. What should I do? :(
How to get a stack of CA certificates from PKCS12_parse?
Hello all,

I want to load and parse certificates from a file (.p12) using d2i_PKCS12_fp(..) and PKCS12_parse(..). The file contains two certificates. I want to obtain all of the certificates from the file. But after I called PKCS12_parse(..) I only got one certificate. I couldn't get the stack of CA certificates.

The prototype of PKCS12_parse() is like this:

PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)

After I called the function I only got pkey and cert. The content of *ca was empty and PKCS12_parse only allocated memory to *ca. But it didn't fill *ca with certificates.

My code looked like the following:

PKCS12 *p12;
X509 *cert;
STACK_OF(X509) *ca = NULL;
EVP_PKEY *privateKey;
EVP_PKEY *publicKey;
char *keypass = generatePW(); // get password
FILE *fp = fopen(filename, "rb");
if (!fp)
    printf("Error opening file %s ", filename);
p12 = d2i_PKCS12_fp(fp, NULL);
if (!PKCS12_parse(p12, keypass, &privateKey, &cert, &ca)) {
    printf("Error parsing PKCS12 file");
}
if (ca)
    printf("ca is not null!");
else
    printf("ca is null!");
if (cert)
    publicKey = X509_get_pubkey(cert);
if ((!privateKey) || (!publicKey)) {
    printf("private key or public key is NULL!");
}
unsigned int cert_num = ((STACK *)ca)->num;
printf("number of certificates in CA chain=%d", cert_num);

After running it, it prints:

ca is not null!
number of certificates in CA chain=0

It looked like ca was not null but it was empty. I am expecting PKCS12_parse to fill ca with additional certificates. But it didn't.

Any help is appreciated!

patty
Re: How to get a stack of CA certificates from PKCS12_parse?
On Thu, Jan 13, 2005, [EMAIL PROTECTED] wrote:
> Hello all,
>
> I want to load and parse certificates from a file (.p12) using d2i_PKCS12_fp(..) and PKCS12_parse(..). The file contains two certificates. I want to obtain all of the certificates from the file. But after I called PKCS12_parse(..) I only got one certificate. I couldn't get the stack of CA certificates.
>
> The prototype of PKCS12_parse() is like this:
>
> PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
>
> After I called the function I only got pkey and cert. The content of *ca was empty and PKCS12_parse only allocated memory to *ca. But it didn't fill *ca with certificates.
>
> My code looked like the following:
>
> PKCS12 *p12;
> X509 *cert;
> STACK_OF(X509) *ca = NULL;
> EVP_PKEY *privateKey;
> EVP_PKEY *publicKey;
> char *keypass = generatePW(); // get password
> FILE *fp = fopen(filename, "rb");
> if (!fp)
>     printf("Error opening file %s ", filename);
> p12 = d2i_PKCS12_fp(fp, NULL);
> if (!PKCS12_parse(p12, keypass, &privateKey, &cert, &ca)) {
>     printf("Error parsing PKCS12 file");
> }
> if (ca)
>     printf("ca is not null!");
> else
>     printf("ca is null!");
> if (cert)
>     publicKey = X509_get_pubkey(cert);
> if ((!privateKey) || (!publicKey)) {
>     printf("private key or public key is NULL!");
> }
> unsigned int cert_num = ((STACK *)ca)->num;
> printf("number of certificates in CA chain=%d", cert_num);
>
> After running it, it prints:
>
> ca is not null!
> number of certificates in CA chain=0
>
> It looked like ca was not null but it was empty. I am expecting PKCS12_parse to fill ca with additional certificates. But it didn't.
>
> Any help is appreciated!

Use sk_X509_num() on the ca stack instead of messing around with internals.

See if the other certificates can be extracted using the pkcs12 utility.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: How to get a stack of CA certificates from PKCS12_parse?
Steve,

Thank you very much for your response. The reason I didn't use sk_X509_num() instead of ((STACK *)ca)->num is because I will change the program to load libeay32.dll instead of linking my program with the library libeay32.lib. sk_X509_num() is a macro and it is the replacement of the function sk_num(STACK *). I have to load the function at run time in my program before I use it. The following is my program that will load libeay32.dll instead of libeay32.lib.

#include <stdio.h>
#include <windows.h>
#include <openssl/pkcs12.h>
#include <openssl/x509.h>

int main(void)
{
    typedef PKCS12 *(__cdecl *d2iPKCS12fpType)(FILE *, PKCS12 **);
    static d2iPKCS12fpType d2iPKCS12fpPtr = NULL;
    typedef int (__cdecl *PKCS12parseType)(PKCS12 *, const char *, EVP_PKEY **, X509 **, STACK_OF(X509) **);
    static PKCS12parseType PKCS12parsePtr = NULL;
    typedef EVP_PKEY *(__cdecl *X509getpubkeyType)(X509 *);
    static X509getpubkeyType X509getpubkeyPtr = NULL;
    static HINSTANCE dllHandle = NULL;

    PKCS12 *p12;
    X509 *cert;
    STACK_OF(X509) *ca = NULL;
    EVP_PKEY *privateKey;
    EVP_PKEY *publicKey;

    /* Resolve the three entry points at run time instead of linking libeay32.lib */
    dllHandle = LoadLibrary("libeay32.dll");
    if (dllHandle) {
        d2iPKCS12fpPtr = (d2iPKCS12fpType)GetProcAddress(dllHandle, "d2i_PKCS12_fp");
        PKCS12parsePtr = (PKCS12parseType)GetProcAddress(dllHandle, "PKCS12_parse");
        X509getpubkeyPtr = (X509getpubkeyType)GetProcAddress(dllHandle, "X509_get_pubkey");
    } else
        printf("dllHandle is null!\n");

    if (d2iPKCS12fpPtr && PKCS12parsePtr && X509getpubkeyPtr) {
        printf("loading .dll is successful!\n");
    } else
        printf("loading .dll failed!\n");

    char *keypass = generatePW(); // get password
    FILE *fp = fopen("test.p12", "rb");
    if (!fp)
        printf("Error opening file.");
    p12 = d2iPKCS12fpPtr(fp, NULL);
    if (!p12) {
        printf("p12 is null!");
    } else
        printf("p12 is not null!");
    if (!PKCS12parsePtr(p12, keypass, &privateKey, &cert, &ca)) {
        printf("Error parsing PKCS12 file");
    }
    if (ca)
        printf("ca is not null!");
    else
        printf("ca is null!");
    if (cert)
        publicKey = X509getpubkeyPtr(cert);
    if ((!privateKey) || (!publicKey)) {
        printf("private key or public key is NULL!");
    }
    unsigned int cert_num = ((STACK *)ca)->num;
    printf("number of certificates in CA chain=%d", cert_num);
    return 0;
}

So I can not use any macros that are the replacement of openssl functions such as sk_X509_new_null(), sk_X509_find(), sk_X509_pop(), etc. So what can I do if I need to use these macros? And why was ca empty after calling PKCS12parsePtr?

Thank you so much for your help!

patty

Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Thu, Jan 13, 2005, [EMAIL PROTECTED] wrote:
> > Hello all,
> >
> > I want to load and parse certificates from a file (.p12) using d2i_PKCS12_fp(..) and PKCS12_parse(..). The file contains two certificates. I want to obtain all of the certificates from the file. But after I called PKCS12_parse(..) I only got one certificate. I couldn't get the stack of CA certificates.
> >
> > The prototype of PKCS12_parse() is like this:
> >
> > PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
> >
> > After I called the function I only got pkey and cert. The content of *ca was empty and PKCS12_parse only allocated memory to *ca. But it didn't fill *ca with certificates.
> >
> > My code looked like the following:
> >
> > PKCS12 *p12;
> > X509 *cert;
> > STACK_OF(X509) *ca = NULL;
> > EVP_PKEY *privateKey;
> > EVP_PKEY *publicKey;
> > char *keypass = generatePW(); // get password
> > FILE *fp = fopen(filename, "rb");
> > if (!fp)
> >     printf("Error opening file %s ", filename);
> > p12 = d2i_PKCS12_fp(fp, NULL);
> > if (!PKCS12_parse(p12, keypass, &privateKey, &cert, &ca)) {
> >     printf("Error parsing PKCS12 file");
> > }
> > if (ca)
> >     printf("ca is not null!");
> > else
> >     printf("ca is null!");
> > if (cert)
> >     publicKey = X509_get_pubkey(cert);
> > if ((!privateKey) || (!publicKey)) {
> >     printf("private key or public key is NULL!");
> > }
> > unsigned int cert_num = ((STACK *)ca)->num;
> > printf("number of certificates in CA chain=%d", cert_num);
> >
> > After running it, it prints:
> >
> > ca is not null!
> > number of certificates in CA chain=0
> >
> > It looked like ca was not null but it was empty. I am expecting PKCS12_parse to fill ca with additional certificates. But it didn't.
> >
> > Any help is appreciated!
>
> Use sk_X509_num() on the ca stack instead of messing around with internals.
>
> See if the other certificates can be extracted using the pkcs12 utility.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage
R: PKCS12_parse problem
Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between OpenSSL_add_all_algorithms()...EVP_cleanup() calls. There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms().

Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE? This might not be straightforward.

Thanks in advance

-----Original Message-----
From: Dr. Stephen Henson [mailto:steve;openssl.org]
Sent: Wednesday, 23 October 2002 18:14
To: [EMAIL PROTECTED]
Subject: Re: PKCS12_parse problem

On Wed, Oct 23, 2002, Marco Donati wrote:
> Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.
>
> If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:
>
> 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
> 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
> 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
>
> If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:
>
> 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
> 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
> 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
>
> Let me underline again some facts:
> 1) the first call to PKCS12_parse is ok
> 2) the PKCS12_parse calls starting from the second report the error above
> 3) if we restart the application we have the same behavior (first call OK, then errors)
> 4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)
> 5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like

Are you calling EVP_cleanup() in between calls?

You should really only call OpenSSL_add_all_algorithms() once on application startup and EVP_cleanup() when it shuts down.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
Re: R: PKCS12_parse problem
On Fri, Oct 25, 2002, Marco Donati wrote:

> Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between OpenSSL_add_all_algorithms()...EVP_cleanup() calls. There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms().
>
> Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE? This might not be straightforward.

Well let me explain a bit...

OpenSSL has an internal global table of supported algorithms (digests and ciphers). Certain operations such as PKCS12_parse() look up digests and ciphers from this table, so if it can't find one it gives the error you are seeing.

Now adding and removing all ciphers whenever you use an OpenSSL command is not really recommended: it will repeatedly rebuild the table and it is not thread safe. One thread could access a partially complete table. So ideally you should only build the table in a single threaded context before calling any OpenSSL functions and clean it up only after no further calls will be made.

However one added complication is that a change was made to OpenSSL 0.9.6g which avoids a problem of duplicate calls to OpenSSL_add_all_algorithms() creating duplicate table entries by only making the first call work. This has a problem because EVP_cleanup() doesn't reset the flag, so effectively only the first call to OpenSSL_add_all_algorithms() works. This isn't what earlier 0.9.6X did and this will be fixed for 0.9.6h.

You can get the old behaviour by deleting the relevant lines from OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests().

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
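The mechanism Steve describes (an add-once flag that EVP_cleanup() never clears, so a second per-call OpenSSL_add_all_algorithms() leaves the table empty) reduced to a small C model. This is an added illustration, not OpenSSL's code and not code from anyone in the thread: the table, the flag, and the functions add_all_algorithms(), evp_cleanup(), lookup(), count_successes() and count_successes_init_once() are toy stand-ins for the EVP algorithm table, OpenSSL_add_all_algorithms(), EVP_cleanup(), EVP_get_digestbyname() and the MAC digest lookup that PKCS12_parse() performs.

```c
/* Toy model (not OpenSSL code) of the 0.9.6g algorithm-table lifecycle. */
#include <stdio.h>
#include <string.h>

#define TABLE_MAX 8

static const char *g_table[TABLE_MAX];   /* registered algorithm names */
static int g_count = 0;                  /* entries currently in the table */
static int g_added = 0;                  /* the "already added" flag 0.9.6g introduced */
static int g_reset_flag_on_cleanup = 0;  /* 0 = 0.9.6g behaviour, 1 = the 0.9.6h fix */

/* Stand-in for OpenSSL_add_all_algorithms(): only populates the table
 * while the flag is clear, which is how 0.9.6g avoids duplicate entries. */
static void add_all_algorithms(void)
{
    if (g_added)
        return;
    g_added = 1;
    g_table[g_count++] = "sha1";          /* MAC digest PKCS#12 files commonly use */
    g_table[g_count++] = "des-ede3-cbc";  /* key-bag cipher */
}

/* Stand-in for EVP_cleanup(): empties the table. In 0.9.6g the flag stays
 * set, so a later add_all_algorithms() call is a no-op. */
static void evp_cleanup(void)
{
    g_count = 0;
    if (g_reset_flag_on_cleanup)
        g_added = 0;
}

/* Stand-in for EVP_get_digestbyname(): 1 if the name is registered, else 0. */
static int lookup(const char *name)
{
    for (int i = 0; i < g_count; i++)
        if (strcmp(g_table[i], name) == 0)
            return 1;
    return 0;
}

/* The per-call pattern from the thread: add ... parse ... cleanup.
 * The "parse" is reduced to the MAC digest lookup PKCS12_gen_mac needs. */
static int parse_with_per_call_init(void)
{
    add_all_algorithms();
    int ok = lookup("sha1");
    evp_cleanup();
    return ok;
}

/* Fresh process: run the per-call pattern `calls` times, return successes. */
static int count_successes(int calls, int fixed_cleanup)
{
    g_count = 0;
    g_added = 0;
    g_reset_flag_on_cleanup = fixed_cleanup;
    int ok = 0;
    for (int i = 0; i < calls; i++)
        ok += parse_with_per_call_init();
    return ok;
}

/* The recommended pattern: build the table once at startup, parse as often
 * as needed, clean up once at shutdown. Works even with 0.9.6g's flag. */
static int count_successes_init_once(int calls)
{
    g_count = 0;
    g_added = 0;
    g_reset_flag_on_cleanup = 0;
    add_all_algorithms();
    int ok = 0;
    for (int i = 0; i < calls; i++)
        ok += lookup("sha1");
    evp_cleanup();
    return ok;
}

int main(void)
{
    printf("per-call init, 0.9.6g flag:  %d of 3 parses succeed\n", count_successes(3, 0));
    printf("per-call init, flag reset:   %d of 3 parses succeed\n", count_successes(3, 1));
    printf("init once at startup:        %d of 3 parses succeed\n", count_successes_init_once(3));
    return 0;
}
```

The first line reproduces the thread's symptom (first call OK, every later call fails); the second shows the 0.9.6h fix; the third shows that the init-once pattern Steve recommends is unaffected by the flag at all, which is also the pattern that avoids the partially rebuilt table another thread could observe.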
PKCS12_parse problem
Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.

If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:

5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:

If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:

5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:

Let me underline again some facts:
1) the first call to PKCS12_parse is ok
2) the PKCS12_parse calls starting from the second report the error above
3) if we restart the application we have the same behavior (first call OK, then errors)
4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)
5) with OpenSSL 0.9.6g we get ''similar'' (related?) errors in calls like ''X509_verify(userCert,X509_extract_key(CACert))'' or ''X509_CRL_verify(crl,pubKey)'' that returned no error with the same files/data using OpenSSL 0.9.6c

Help! :-)

----- Original Message -----

> Don't you also have to call
>
>     OpenSSL_add_all_ciphers();
>     OpenSSL_add_all_digests();
>     ERR_load_crypto_strings();
>
> ? I had to. And I think there's a replacement in 0.9.7 IIRC.
>
> ----- Original Message -----
> From: Francesco Dal Bello [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, October 17, 2002 11:44 AM
> Subject: R: PKCS12_parse problem
>
> > > On Wed, Oct 16, 2002, Dr. Stephen Henson wrote:
> > >
> > > What error do you get (see FAQ)?
> >
> > These are the errors reported:
> >
> > 21153:error:06074079:lib(6):func(116):reason(121):evp_pbe.c:89:TYPE=pbeWithSHA1And3-KeyTripleDES-CBC
> > 21153:error:23077073:lib(35):func(119):reason(115):p12_decr.c:82:
> > 21153:error:2306A075:lib(35):func(106):reason(117):p12_decr.c:121:
> > 21153:error:23076072:lib(35):func(118):reason(114):p12_kiss.c:127:
> >
> > > Are you calling OpenSSL_add_all_algorithms() more than once?
> >
> > My function is like the following:
> >
> >     int MyFunc()
> >     {
> >         /* algorithm table built on every call ... */
> >         OpenSSL_add_all_algorithms();
> >         SSL_load_error_strings();
> >         ...
> >         /* only the private key is wanted: cert and ca outputs are NULL */
> >         if (!PKCS12_parse(p12, passphrase, prkey, NULL, NULL)) {
> >             /* error handling */
> >             ERR_print_errors_fp(stderr);
> >         }
> >         ...
> >         /* ... and torn down again before the function returns */
> >         EVP_cleanup();
> >     }
> >
> > The first call to this function is OK. Subsequent calls cause the error above.
> >
> > Thanks in advance.
> > Francesco.
> >
> > -----Original Message-----
> > From: Dr. Stephen Henson [mailto:steve;openssl.org]
> > Sent: Wednesday, 16 October 2002 23.53
> > To: [EMAIL PROTECTED]
> > Subject: Re: PKCS12_parse problem
> >
> > On Wed, Oct 16, 2002, Francesco Dal Bello wrote:
> >
> > > Greetings.
> > >
> > > I recently re-compiled my application with OpenSSL 0.9.6g (it was previously linked with 0.9.6c). I have a problem with the ''PKCS12_parse'' function that I didn't have before (platform is Solaris 8).
> > >
> > > If my application calls ''PKCS12_parse'' more than once (at different moments, even distant in time) on the same PKCS#12, ONLY THE FIRST CALL SUCCEEDS. Calls after the first return 0.
> > >
> > > Since I'm only interested in extracting the private key, my call is like:
> > >
> > >     if (!PKCS12_parse(p12, passphrase, prkey, NULL, NULL))
> > >         error handling
> > >
> > > This problem didn't happen with 0.9.6c.
> > >
> > > I'm quite sure that the p12 argument is a valid pointer to a PKCS#12 structure because every time I:
> > > open the key file (abort if it fails),
> > > read the pkcs12 by means of d2i_PKCS12_fp (close file and abort if it fails),
> > > close the key file,
> > > call the PKCS12_parse.
> > >
> > > Any hint, FAQ or known problem?
> >
> > What error do you get (see FAQ)?
> >
> > Are you calling OpenSSL_add_all_algorithms() more than once? I've seen this reported before but couldn't reproduce it myself.
> >
> > Steve.
> > --
> > Dr. Stephen Henson [EMAIL PROTECTED]
> > OpenSSL Project http://www.openssl.org/~steve/
Re: PKCS12_parse problem
On Wed, Oct 23, 2002, Marco Donati wrote:

> Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.
>
> If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:
>
> 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80:
> 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
> 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
>
> If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error:
>
> 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
> 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
> 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
>
> Let me underline again some facts:
> 1) the first call to PKCS12_parse is ok
> 2) the PKCS12_parse calls starting from the second report the error above
> 3) if we restart the application we have the same behavior (first call OK, then errors)
> 4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions)
> 5) with OpenSSL 0.9.6g we get ''similar'' (related?) errors in calls like

Are you calling EVP_cleanup() in between calls?

You should really only call OpenSSL_add_all_algorithms() once on application startup and EVP_cleanup() when it shuts down.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
PKCS12_parse problem
Greetings.

I recently re-compiled my application with OpenSSL 0.9.6g (it was previously linked with 0.9.6c). I have a problem with the ''PKCS12_parse'' function that I didn't have before (platform is Solaris 8).

If my application calls ''PKCS12_parse'' more than once (at different moments, even distant in time) on the same PKCS#12, ONLY THE FIRST CALL SUCCEEDS. Calls after the first return 0.

Since I'm only interested in extracting the private key, my call is like:

    if (!PKCS12_parse(p12, passphrase, prkey, NULL, NULL))
        error handling

This problem didn't happen with 0.9.6c.

I'm quite sure that the p12 argument is a valid pointer to a PKCS#12 structure because every time I:
open the key file (abort if it fails),
read the pkcs12 by means of d2i_PKCS12_fp (close file and abort if it fails),
close the key file,
call the PKCS12_parse.

Any hint, FAQ or known problem?

Thanks in advance
Francesco
where can i find pkcs12_parse?
Hello,

Where can I find the resources and documentation for using C++ on openssl ar? Where can I find the pkcs12 functions such as pkcs12_parse ar?

thanks.
candy.
why PKCS12_parse() returns 0?
Hello everybody,

I have a problem using PKCS12_parse that returns 0, meaning something goes wrong. I am using MS VisualC++ 6.0 on a Windows2000 (Intel) machine. I'm writing a simple application just to understand some of the libeay library calls, but I can't figure out what's wrong with my code.

I have a valid PKCS12 file, I know it's valid because "openssl pkcs12 -in filename" parses it correctly without errors (so I'm sure my passphrase is correct too).

Well, before bothering this mailing list I ran the visual debugger just to figure out what's wrong by myself, and so I went through various library calls, from PKCS12_parse to PKCS12_verify_mac and PKCS12_gen_mac, each of which returns 0. Finally I reached what appears as an end point, when PKCS12_gen_mac calls EVP_get_digestbyobj, that doesn't return a valid digest (in my opinion at least), that's 0x.

Since I'm too much of a beginner to really understand all that code, is there someone so kind as to explain to me what and where I'm doing wrong?

Here is my simple code:

    void CImportP12Dlg::OnButtonConverti()
    {
        PKCS12 *p12;
        EVP_PKEY *privkey = NULL;
        X509 *cert = NULL;
        STACK_OF(X509) *ca = NULL;
        int ret;
        BIO *in;
        const char *password;

        // Updating variables from GUI
        UpdateData(TRUE);

        // The CString's own buffer serves as the passphrase; no copy needed
        password = (LPCTSTR)m_strPkcs12Password;

        in = BIO_new_file(m_strPkcs12FileName, "rb");
        if (!in) {
            MessageBox("Error opening PKCS12 file", "Error", MB_OK);
            return;
        }
        p12 = d2i_PKCS12_bio(in, NULL);
        BIO_free(in);
        if (!p12) {
            MessageBox("Error loading PKCS12 file", "Error", MB_OK);
            return;
        }

        // Output parameters are passed by address so PKCS12_parse can fill them
        ret = PKCS12_parse(p12, password, &privkey, &cert, &ca);
        PKCS12_free(p12);
    }

Pietro
Re: why PKCS12_parse() returns 0?
Pietro wrote:

> Hello everybody,
>
> I have a problem using PKCS12_parse that returns 0, meaning something goes wrong. I am using MS VisualC++ 6.0 on a Windows2000 (Intel) machine. I'm writing a simple application just to understand some of the libeay library calls, but I can't figure out what's wrong with my code.
>
> I have a valid PKCS12 file, I know it's valid because "openssl pkcs12 -in filename" parses it correctly without errors (so I'm sure my passphrase is correct too).
>
> Well, before bothering this mailing list I ran the visual debugger just to figure out what's wrong by myself, and so I went through various library calls, from PKCS12_parse to PKCS12_verify_mac and PKCS12_gen_mac, each of which returns 0.

Well it would help if you read the FAQ before bothering the list...

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.