Re: PKCS12_parse() in multi-threads, "heap is corrupt"
Thank you and sorry for my last two posts without reading FAQ carefully first. Now I read FAQ and the example of the call functions. It seems I need more time to understand it and do some examples by myself. Anywise I should complete my work asap, so I add thread_setup() and thread_cleanup() and win32_locking_callback() to my code,It still fails in multi-thread mode. I think may be my openssl wasn't configured with thread support , but Configure instruction said, *# [no-]threads [don't] try to create a library that is suitable for # multithreaded applications (default is "threads" if we # know how to do it)* I guess that means openssl on windows is supporting thread defaultly. And I found snippet in opensslconf.h *#ifndef OPENSSL_THREADS # define OPENSSL_THREADS #endif *It seems like switching on the thread support. Is there anything I can do to make it work? On Sun, Dec 11, 2011 at 8:51 PM, Dr. Stephen Henson wrote: > On Sun, Dec 11, 2011, cellecial wrote: > > > Thank you. I add "OpenSSL_add_all_algorithms();" in main function and > > include "openssl/evp.h",but it still pops error dialogue after a while. > > Some threads can end well, others are not so lucky. > > > > > > Have you set the locking callbacks? You need to set those to make OpenSSL > thread safe. See the FAQ and documentation for more details. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: PKCS12_parse() in multi-threads, "heap is corrupt"
On Sun, Dec 11, 2011, cellecial wrote: > Thank you. I add "OpenSSL_add_all_algorithms();" in main function and > include "openssl/evp.h",but it still pops error dialogue after a while. > Some threads can end well, others are not so lucky. > > Have you set the locking callbacks? You need to set those to make OpenSSL thread safe. See the FAQ and documentation for more details. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse() in multi-threads, "heap is corrupt"
Thank you. I add "OpenSSL_add_all_algorithms();" in main function and
include "openssl/evp.h",but it still pops error dialogue after a while.
Some threads can end well, others are not so lucky.
On Sun, Dec 11, 2011 at 8:14 PM, Dr. Stephen Henson wrote:
> On Sun, Dec 11, 2011, cellecial wrote:
>
> > Hi,
> >
> > I wrote a simple pkcs12 demo(under Windows), it just read from a
> PKCS12
> > file and got private key and certificate.
> > If I use single thread, it works fine.
> > If I use multi-thread, it works fine for a while ,then popups an
> error
> > dialogue "heap is corrupt".If I debug it in Visual Studio,it points to
> > PKCS12_parse() .
> > If I use EnterCriticalSection and LeaveCriticalSection with
> > multi-thread, it works fine too, but as you know, the effect is as same
> as
> > single thread does.
> >
> >So I want to know , what shared resource is protected by
> > CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed
> in
> > multi-threads without mutex?
> >
> > int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char
> *p12pswd)
> > {
> > PKCS12 *p12;
> > X509 *cert;
> > EVP_PKEY *prvkey;
> > int len;
> > char buf[4096];
> > int i=0;
> > char desc[1000];
> >
> > OpenSSL_add_all_algorithms();
> >
>
> At least one problem is the above line. You should call
> OpenSSL_add_all_algorithm() *once* before starting threads.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
Re: PKCS12_parse() in multi-threads, "heap is corrupt"
On Sun, Dec 11, 2011, cellecial wrote:
> Hi,
>
> I wrote a simple pkcs12 demo(under Windows), it just read from a PKCS12
> file and got private key and certificate.
> If I use single thread, it works fine.
> If I use multi-thread, it works fine for a while ,then popups an error
> dialogue "heap is corrupt".If I debug it in Visual Studio,it points to
> PKCS12_parse() .
> If I use EnterCriticalSection and LeaveCriticalSection with
> multi-thread, it works fine too, but as you know, the effect is as same as
> single thread does.
>
>So I want to know , what shared resource is protected by
> CriticalSection? Is PKCS12_parse() not thread-safe? Can it be executed in
> multi-threads without mutex?
>
> int pkcs12test(unsigned char *p12buf, int p12buflen, unsigned char *p12pswd)
> {
> PKCS12 *p12;
> X509 *cert;
> EVP_PKEY *prvkey;
> int len;
> char buf[4096];
> int i=0;
> char desc[1000];
>
> OpenSSL_add_all_algorithms();
>
At least one problem is the above line. You should call
OpenSSL_add_all_algorithm() *once* before starting threads.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: PKCS12_parse
Sorry, but this is just getting more interesting: it seems that the call fails when I type the right password (within the app, not in my sample). It is when I typed the wrong password that the call succeeded, but returned the empty key... Will keep investigating... Dirce > I made some progress. The call to PKCS12_parse succeeded, but the pkey > returned was NULL. Please see below where I indicated how I created this > .p12 file. I wonder why the PKCS12_parse command can't read its private > key. I keep suspecting on permissions, but they seem ok - this app is > running as cgi. > Any suggestions are appreciated. > Dirce > > > >> Hello, >> >> I am maintaining a piece of code that calls PKCS12_parse. It worked with >> an older version of openssl (0.9.8m), but it is not working with version >> 1.0.0 >> Here are some clips: >> >> X509 *cert = NULL; >> BIO*in = NULL; >> STACK_OF(X509) *ca_certs = NULL; >> PKCS12 *p12 = NULL; >> EVP_PKEY *pkey = NULL; >> charpass[PEM_BUFSIZE]; >> >> strcpy(pass, exportpw.c_str()); // I verified that the password is >> correct >> >> p12 = d2i_PKCS12_bio(in, NULL); >> >> if (!(PKCS12_parse(p12, pass, &pkey, &cert, &ca_certs))) >> >> I created the pkcs12 file with: >> openssl req -new -x509 -days 365 -keyout new.pem -out new.pem >> openssl pkcs12 -export -in new.pem -out new.p12 -name "My certificate" >> >> I read in two places in the net that this code was fixed for version 1 >> and >> above. Does anyone have any information on this? >> >> Thank you, >>Dirce >> >> >> __ >> OpenSSL Project http://www.openssl.org >> User Support Mailing Listopenssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse
I made some progress. The call to PKCS12_parse succeeded, but the pkey returned was NULL. Please see below where I indicated how I created this .p12 file. I wonder why the PKCS12_parse command can't read its private key. I keep suspecting on permissions, but they seem ok - this app is running as cgi. Any suggestions are appreciated. Dirce > Hello, > > I am maintaining a piece of code that calls PKCS12_parse. It worked with > an older version of openssl (0.9.8m), but it is not working with version > 1.0.0 > Here are some clips: > > X509 *cert = NULL; > BIO*in = NULL; > STACK_OF(X509) *ca_certs = NULL; > PKCS12 *p12 = NULL; > EVP_PKEY *pkey = NULL; > charpass[PEM_BUFSIZE]; > > strcpy(pass, exportpw.c_str()); // I verified that the password is correct > > p12 = d2i_PKCS12_bio(in, NULL); > > if (!(PKCS12_parse(p12, pass, &pkey, &cert, &ca_certs))) > > I created the pkcs12 file with: > openssl req -new -x509 -days 365 -keyout new.pem -out new.pem > openssl pkcs12 -export -in new.pem -out new.p12 -name "My certificate" > > I read in two places in the net that this code was fixed for version 1 and > above. Does anyone have any information on this? > > Thank you, >Dirce > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse
On Tue, Nov 15, 2011, dricha...@globalcerts.net wrote: > Hello, > > I am maintaining a piece of code that calls PKCS12_parse. It worked with > an older version of openssl (0.9.8m), but it is not working with version > 1.0.0 > Here are some clips: > > X509 *cert = NULL; > BIO*in = NULL; > STACK_OF(X509) *ca_certs = NULL; > PKCS12 *p12 = NULL; > EVP_PKEY *pkey = NULL; > charpass[PEM_BUFSIZE]; > > strcpy(pass, exportpw.c_str()); // I verified that the password is correct > > p12 = d2i_PKCS12_bio(in, NULL); > > if (!(PKCS12_parse(p12, pass, &pkey, &cert, &ca_certs))) > > I created the pkcs12 file with: > openssl req -new -x509 -days 365 -keyout new.pem -out new.pem > openssl pkcs12 -export -in new.pem -out new.p12 -name "My certificate" > > I read in two places in the net that this code was fixed for version 1 and > above. Does anyone have any information on this? > What error message do you get: see FAQ. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse / PKCS12_create issue
Hi Dave, Thank you for the detailed explanation and the suggestions. It really helped to solve the issue. I did use openssl tool to avoid the problem. I tried clearing the keyid and friendly name in cert using x509__set1 fn's before passing it to PKCS12_create and it also worked fine. I was not aware of these api's to clear the attribute fields. So another option i tried was by creating my own PKCS12 parse function and removed the keyid attribute setting in cert. Your assumption about my code snippet is right. I just provided the relevant functions that are actually from two different functions in my code. So fp handling is fine. Also thanks for pointing out the discrepancy in encryption algorithm passed to PKCS12_create function. -Shafeek On Tue, Feb 1, 2011 at 3:01 AM, Dave Thompson wrote: > > From: owner-openssl-us...@openssl.org On Behalf Of Muhammed > Shafeek > > Sent: Wednesday, 26 January, 2011 12:30 > > > I've a program that extracts private key and cert from the input > > pfx file loaded into the system > > and then create a p12 file out of this private key and cert using > > a different password to add it to a local keystore. > > You know you could use the commandline utility to do this. > (Given it is present, or can be installed, and accessible; > and you can write some temporary files, but if you can write > an output file you can probably do temporaries.) > > > /*code to extract key*/ > > p12Key = d2i_PKCS12_fp(fp, NULL); > > PKCS12_parse(p12Key, pass, pkey, NULL, NULL); > > > /*code to extract cert*/ > > p12Cert = d2i_PKCS12_fp(fp, NULL); > > PKCS12_parse(p12Cert, pass, NULL, pCert, NULL); > > I assume you've omitted some file-management code here, > since two d2i's from the same file open (fp) don't work. > And you don't need them; you could call PKCS12_parse twice > on a single (decoded) p12 object. But you shouldn't; > one call to PKCS12_parse can get both key and cert, > and should since they logically (must) go together. > > And you should definitely check for error(s), but I'll > optimistically assume that was just omitted for posting. > > > /*creating p12 from the extracted key and cert*/ > > p12 = PKCS12_create(password, name, pkey, pCert, NULL, > > NID_pbe_WithSHA1And40BitRC4,NID_pbe_WithSHA1And3_Key_TripleDES_CBC,0, 0, > 0); > > It makes no security sense to encrypt the key with RC4-40, > which nowadays is trivially brute-forced (even in the days > of ITAR when PKCS12 was established, it was pretty easy), > but the cert which doesn't really need privacy with TripleDES. > The defaults, which are the other way, would be much better. > > > I observe the following things: > > 1. The attributes ptr in pkey extracted using PKCS12_parse is null. > > Note that the input pfx does have local Key ID and friendly name. > > The cert extracted using PKCS12_parse > > have local Key ID attribute which is same as in input pfx file. > > Yes, p12_kiss.c returns alias=friendly and keyid for the cert > and no attributes for the key. The man page says > > Attributes currently cannot be store in the private key > > EVP_PKEY structure. > although that appears to be out of date. > Perhaps it should, although friendly and keyid should be the same > for key and cert if used at all, so getting them on the cert > should probably usually be enough. > > > 2. The p12 file created using PKCS12_create has a local KeyID > > attribute for private key and is different from that of cert. > > I assume you mean PKCS12_create plus i2d_PKCS12_fp or similar, > since PKCS12_create by itself only creates a memory structure. > > > Can any one please explain the reason for this? Is there any issue > > in my code? or Is this an openssl issue? > > On the cert, p12_crt.c uses any friendly=alias and keyid > in the cert object, and ADDS friendly from caller if not null > and keyid = SHA1 of cert (if doing both key&cert). > This appears to violate PKCS9 (at least the one I have) > which says single-valued. And isn't mentioned on the man page. > (On the key, it just does friendly from caller and keyid = SHA1, > but also MSCSPname and recently LocalKeySet from key.attributes!) > Depending on the software that reads this, if it assumes > the PKCS9 single-value rule as it apparently has a right to, > which values get used/displayed/whatever for the cert > may be arbitrary or even unpredictable. > > You probably should X509_alias_set1(,NULL,0) and similarly > for keyid on your cert before giving it to PKCS12_create. > > Alternatively, but more work, build your own exactly as you want > with the PKCS12_ PKCS7_ PKCS8_ etc. primitives. > > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org
RE: PKCS12_parse / PKCS12_create issue
> From: owner-openssl-us...@openssl.org On Behalf Of Muhammed Shafeek > Sent: Wednesday, 26 January, 2011 12:30 > I've a program that extracts private key and cert from the input > pfx file loaded into the system > and then create a p12 file out of this private key and cert using > a different password to add it to a local keystore. You know you could use the commandline utility to do this. (Given it is present, or can be installed, and accessible; and you can write some temporary files, but if you can write an output file you can probably do temporaries.) > /*code to extract key*/ > p12Key = d2i_PKCS12_fp(fp, NULL); > PKCS12_parse(p12Key, pass, pkey, NULL, NULL); > /*code to extract cert*/ > p12Cert = d2i_PKCS12_fp(fp, NULL); > PKCS12_parse(p12Cert, pass, NULL, pCert, NULL); I assume you've omitted some file-management code here, since two d2i's from the same file open (fp) don't work. And you don't need them; you could call PKCS12_parse twice on a single (decoded) p12 object. But you shouldn't; one call to PKCS12_parse can get both key and cert, and should since they logically (must) go together. And you should definitely check for error(s), but I'll optimistically assume that was just omitted for posting. > /*creating p12 from the extracted key and cert*/ > p12 = PKCS12_create(password, name, pkey, pCert, NULL, > NID_pbe_WithSHA1And40BitRC4,NID_pbe_WithSHA1And3_Key_TripleDES_CBC,0, 0, 0); It makes no security sense to encrypt the key with RC4-40, which nowadays is trivially brute-forced (even in the days of ITAR when PKCS12 was established, it was pretty easy), but the cert which doesn't really need privacy with TripleDES. The defaults, which are the other way, would be much better. > I observe the following things: > 1. The attributes ptr in pkey extracted using PKCS12_parse is null. > Note that the input pfx does have local Key ID and friendly name. > The cert extracted using PKCS12_parse > have local Key ID attribute which is same as in input pfx file. Yes, p12_kiss.c returns alias=friendly and keyid for the cert and no attributes for the key. The man page says > Attributes currently cannot be store in the private key > EVP_PKEY structure. although that appears to be out of date. Perhaps it should, although friendly and keyid should be the same for key and cert if used at all, so getting them on the cert should probably usually be enough. > 2. The p12 file created using PKCS12_create has a local KeyID > attribute for private key and is different from that of cert. I assume you mean PKCS12_create plus i2d_PKCS12_fp or similar, since PKCS12_create by itself only creates a memory structure. > Can any one please explain the reason for this? Is there any issue > in my code? or Is this an openssl issue? On the cert, p12_crt.c uses any friendly=alias and keyid in the cert object, and ADDS friendly from caller if not null and keyid = SHA1 of cert (if doing both key&cert). This appears to violate PKCS9 (at least the one I have) which says single-valued. And isn't mentioned on the man page. (On the key, it just does friendly from caller and keyid = SHA1, but also MSCSPname and recently LocalKeySet from key.attributes!) Depending on the software that reads this, if it assumes the PKCS9 single-value rule as it apparently has a right to, which values get used/displayed/whatever for the cert may be arbitrary or even unpredictable. You probably should X509_alias_set1(,NULL,0) and similarly for keyid on your cert before giving it to PKCS12_create. Alternatively, but more work, build your own exactly as you want with the PKCS12_ PKCS7_ PKCS8_ etc. primitives. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse() SEGV.
On Sun, 2010-05-09 at 12:12 +0100, David Woodhouse wrote:
> Although that's OK for my purposes, I think it's actually a bug. The man
> page for PKCS12_parse() says that *ca can be a valid stack, in which
> case additional certificates are appended to *ca.
>
> It _doesn't_ say "oh, but if parsing fails because the user fat-fingered
> the passphrase, we'll completely free your carefully pre-generated stack
> in *ca and set *ca to NULL"
>
> Surely it shouldn't be freeing the _original_ contents of the stack
> which was passed in *ca? Those should be preserved.
My test was against 1.0.0-beta4, from Fedora 12. It looks like this has
since been fixed.
> In older versions of OpenSSL (<1.0.0-beta2), the failure mode is
> actually "... we'll free your carefully pre-generated stack in *ca but
> for extra fun, we leave *ca pointing to the now-freed memory". Which is
> the bug that I tripped over.
We should either backport the whole fix to the 0.9.8 branch, or at the
very least do this:
--- crypto/pkcs12/p12_kiss.c5 Nov 2008 18:36:46 - 1.20.2.1
+++ crypto/pkcs12/p12_kiss.c9 May 2010 12:27:42 -
@@ -134,7 +134,10 @@ int PKCS12_parse(PKCS12 *p12, const char
if (pkey && *pkey) EVP_PKEY_free(*pkey);
if (cert && *cert) X509_free(*cert);
- if (ca) sk_X509_pop_free(*ca, X509_free);
+ if (ca) {
+ sk_X509_pop_free(*ca, X509_free);
+ *ca = NULL;
+ }
return 0;
}
--
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com Intel Corporation
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: PKCS12_parse() SEGV.
On Fri, 2010-05-07 at 23:37 +0200, Dr. Stephen Henson wrote: > > > If you pass a NULL for the final argument in PKCS12_parse() extra CA > certificates are ignored as it has nowhere to put them. > > If you pass a pointer to a NULL STACK_OF(X509) i.e do: > > STACK_OF(X509) *ca = NULL; > > and pass &ca it will allocate a stack and put the extra certs in ca. Ah yes, sorry -- of course. So what happens in 1.0.0-beta2 and later is that when the error happens, the stack pointed to by *ca (if any) is freed and *ca is set to NULL. Next time round the loop, the behaviour you describe kicks in, and everything works fine (for me). A new stack is allocated and the certificates are added to it. Although that's OK for my purposes, I think it's actually a bug. The man page for PKCS12_parse() says that *ca can be a valid stack, in which case additional certificates are appended to *ca. It _doesn't_ say "oh, but if parsing fails because the user fat-fingered the passphrase, we'll completely free your carefully pre-generated stack in *ca and set *ca to NULL" Surely it shouldn't be freeing the _original_ contents of the stack which was passed in *ca? Those should be preserved. In older versions of OpenSSL (<1.0.0-beta2), the failure mode is actually "... we'll free your carefully pre-generated stack in *ca but for extra fun, we leave *ca pointing to the now-freed memory". Which is the bug that I tripped over. -- dwmw2 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse() SEGV.
On Fri, May 07, 2010, David Woodhouse wrote: > On Fri, 2010-05-07 at 19:24 +0200, Dr. Stephen Henson wrote: > > Setting ca to NULL if it fails should work. That should be done in > > PKCS12_parse() on error. > > AIUI I don't want it to be NULL; I need it to be an empty stack. I need > the returned 'extra' certs so that I can work around RT#1942 on the > server. > If you pass a NULL for the final argument in PKCS12_parse() extra CA certificates are ignored as it has nowhere to put them. If you pass a pointer to a NULL STACK_OF(X509) i.e do: STACK_OF(X509) *ca = NULL; and pass &ca it will allocate a stack and put the extra certs in ca. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse() SEGV.
On Fri, 2010-05-07 at 19:24 +0200, Dr. Stephen Henson wrote: > Setting ca to NULL if it fails should work. That should be done in > PKCS12_parse() on error. AIUI I don't want it to be NULL; I need it to be an empty stack. I need the returned 'extra' certs so that I can work around RT#1942 on the server. -- dwmw2 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse() SEGV.
On Fri, May 07, 2010, David Woodhouse wrote: > With OpenSSL 0.9.8n this test program segfaults the second time it tries > to parse the PKCS#12 file. It was fixed for OpenSSL 1.0.0 by this > commit: http://cvs.openssl.org/chngview?cn=17957 > > Starting program: /home/dwmw2/p12test .cert/certificate.p12 > Enter PKCS#12 passphrase: > 140737353934504:error:23076071:PKCS12 routines:PKCS12_parse:mac verify > failure:p12_kiss.c:121: > Parse PKCS#12 failed (wrong passphrase?) > Enter PKCS#12 passphrase: > > Program received signal SIGSEGV, Segmentation fault. > __libc_free (mem=0x31) at malloc.c:3709 > 3709if (chunk_is_mmapped(p)) /* release mmapped > memory. */ > (gdb) bt > #0 __libc_free (mem=0x31) at malloc.c:3709 > #1 0x00417d5d in CRYPTO_free () > #2 0x0044396d in ASN1_STRING_free () > #3 0x0043f2cd in ASN1_primitive_free () > #4 0x0043f69f in ASN1_template_free () > #5 0x0043f586 in asn1_item_combine_free () > #6 0x0043f6d5 in ASN1_item_free () > #7 0x0042e2b4 in sk_pop_free () > #8 0x0045d643 in PKCS12_parse () > #9 0x00401c69 in main () > > My dirty workaround for now is just to add a deliberate memory leak in > my application just before the 'goto retry': > #if OPENSSL_VERSION_NUMBER < 0x1002 > ca = sk_X509_new_null(); > #endif > > Any better suggestions? > Setting ca to NULL if it fails should work. That should be done in PKCS12_parse() on error. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12_parse Issue?
On Thu, Jul 10, 2008, Christopher Ivory wrote:
> Hello all,
>
> I'm trying to run a loop to parse the same p12 multple times to take some
> metrics. However, after the loop completes twice succesfully, PKCS12_parse
> fails. Any suggestions as to why this is happening?
>
> -Chris
>
> while(count > 0){
>
> /* Parse the PKCS #12 file with password */
>
> ca = (STACK_OF(X509) *)NULL;
> if (!PKCS12_parse(p12, "password", &pkey, &cert, &ca))
> {
> printf("Error parsing file\n");
> return -3;
> }
>
> /* Find PKey */
> if ( (EVP_PKEY *)NULL == pkey ){
> //printf("No private key!\n");
> }
> else{
> //printf("Private key found!\n");
> }
>
> /* Find Cert */
> if ( (X509 *)NULL == cert ){
> //printf("No X509!\n");
> }
> else{
> //printf("X509 found!\n");
> }
>
> /* Find CA */
> if ( (STACK_OF(X509) *)NULL == ca ){
> //printf("No CA!\n");
> }
> else{
> //printf("CA found!\n");
> }
> count--;
> EVP_PKEY_free(pkey);
> X509_free(cert);
> sk_X509_pop_free(ca, X509_free);
>
> }//end while
Try the FAQ for details of how to get a more meaningful error code.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: PKCS12_parse() fails (0.9.8.)
On Tue, Jul 19, 2005, Milan Tomic wrote: > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Milan Tomic > Sent: Monday, July 18, 2005 1:20 PM > To: openssl-users@openssl.org > Subject: PKCS12_parse() fails (0.9.8.) > > > > > PKCS12_parse() fails (returns 0) in my case, although > PKCS12_verify_mac() succeed (return 1). > > I have tried to export cert & key into .pfx file in two ways: > - using Internet Explorer GUI, > - using java's keytool. > > but still the same. What should I do? :( > What happens when you use the pkcs12 utility on the file? For example: openssl pkcs12 -in file.pfx -out file.pem Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PKCS12_parse() fails (0.9.8.)
Milan Tomic wrote: PKCS12_parse() fails (returns 0) in my case, although PKCS12_verify_mac() succeed (return 1). I have tried to export cert & key into .pfx file in two ways: - using Internet Explorer GUI, - using java's keytool. but still the same. What should I do? :( does ERR_print_errors give you more information ? Nils __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: PKCS12_parse() fails (0.9.8.)
Title: Message Can someone give me a hand with this problem? :) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milan TomicSent: Monday, July 18, 2005 1:20 PMTo: openssl-users@openssl.orgSubject: PKCS12_parse() fails (0.9.8.) PKCS12_parse() fails (returns 0) in my case, although PKCS12_verify_mac() succeed (return 1). I have tried to export cert & key into .pfx file in two ways: - using Internet Explorer GUI, - using java's keytool. but still the same. What should I do? :(
Re: PKCS12_parse problem
On Wed, Oct 23, 2002, Marco Donati wrote: > Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help. > > If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' >error: > > << > 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest >algorithm:p12_mutl.c:80: > 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105: > 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121: > >> > > If we put the OpenSSL_add_all_algorithms() back in the code we get the >''unexplained'' error: > > << > 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80: > 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105: > 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121: > >> > > Let me underline again some facts: > > 1) the first call to PKCS12_parse is ok > > 2) the PKCS12_parse calls starting from the second reports the error above > > 3) if we restart the application we have the same behavior (first call OK, then >errors) > > 4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't >tried intermediate versions) > > 5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like > Are you calling EVP_cleanup() in between calls? You should really only call OpenSSL_add_all_algorithms() once on application startup and EVP_cleanup() when it shuts down. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
