Private keys and PKCS#12

2000-09-26 Thread Marco Donati

I've solved my problem and I'd like to thank everybody who wrote me.

I modified my low level sequence (the code I posted) to build a PKCS#12
bundle with one bag, keeping the private key "shrouded", so I used
PKCS12_MAKE_SHKEYBAG/PKCS12_pack_p7data INSTEAD of
PKCS12_MAKE_KEYBAG/PKCS12_pack_p7encdata.

Maybe I didn't explain the problem clearly, sorry.

It seems to work.

Thanks to Qun-Ying, but I prefer not to modify the OpenSSL original code
so that I will be able to upgrade in the future with minor changes.

Thank you

--
Marco Donati
Context Security -  Software
P.zza Liberazione, 25 - 20013 Magenta (MI)
Phone: ++39-02-97291291, Fax: ++39-02-97298225
E-Mail: [EMAIL PROTECTED],   Web site:http://www.csg.it
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
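An added example (not code from this thread or from OpenSSL) showing the two bundle layouts Marco compares, built with a small standard-library DER encoder: a pkcs8ShroudedKeyBag inside a plain p7data SafeContents, versus a plain keyBag inside a p7encdata SafeContents. The ciphertext bytes, salt and iteration count are constructed placeholders; no key is actually encrypted, so this illustrates structure only. The inspection routine is the check you would want before handing such a file to another application: which SafeContents are readable without a password, and whether any of them carry a plain keyBag.

```python
# Added example, not code from the thread or from OpenSSL: builds the two
# PKCS#12 layouts discussed above with a stdlib-only DER encoder and inspects
# the result. Ciphertext bytes are constructed placeholders; no key is encrypted.

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body_bytes):
    return bytes([tag]) + der_len(len(body_bytes)) + body_bytes

def der_int(n):
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

SEQ, OCT, CTX0_EXPL, CTX0_IMPL = 0x30, 0x04, 0xA0, 0x80
OID_DATA = oid("1.2.840.113549.1.7.1")            # PKCS#7 data
OID_ENCRYPTED = oid("1.2.840.113549.1.7.6")       # PKCS#7 encryptedData
OID_KEYBAG = oid("1.2.840.113549.1.12.10.1.1")
OID_SHROUDEDBAG = oid("1.2.840.113549.1.12.10.1.2")
OID_CERTBAG = oid("1.2.840.113549.1.12.10.1.3")
OID_PBE_SHA1_3DES = oid("1.2.840.113549.1.12.1.3")
NAMES = {OID_DATA: "data", OID_ENCRYPTED: "encryptedData", OID_KEYBAG: "keyBag",
         OID_SHROUDEDBAG: "pkcs8ShroudedKeyBag", OID_CERTBAG: "certBag"}

def pbe_alg_id(salt=b"\x00" * 8, iterations=2048):
    # AlgorithmIdentifier for PKCS#12 PBE: OID + SEQUENCE { salt, iterations }
    # (placeholder salt/iterations; a real writer uses a random salt)
    return tlv(SEQ, OID_PBE_SHA1_3DES + tlv(SEQ, tlv(OCT, salt) + der_int(iterations)))

def content_info(content_type, content):
    return tlv(SEQ, content_type + tlv(CTX0_EXPL, content))

def pfx(authenticated_safe):
    # PFX { version 3, authSafe ContentInfo(data) }; the MAC is OPTIONAL and left out
    return tlv(SEQ, der_int(3) + content_info(OID_DATA, tlv(OCT, authenticated_safe)))

def build_shrouded_key_only(encrypted_key):
    # The layout PKCS12_MAKE_SHKEYBAG + PKCS12_pack_p7data produce: the bag carries
    # an EncryptedPrivateKeyInfo, so the surrounding SafeContents can be plain data.
    epki = tlv(SEQ, pbe_alg_id() + tlv(OCT, encrypted_key))
    bag = tlv(SEQ, OID_SHROUDEDBAG + tlv(CTX0_EXPL, epki))
    return pfx(tlv(SEQ, content_info(OID_DATA, tlv(OCT, tlv(SEQ, bag)))))

def build_keybag_in_encrypted_safe(encrypted_safe_contents):
    # The layout PKCS12_MAKE_KEYBAG + PKCS12_pack_p7encdata produce: a plain keyBag,
    # protected only because the whole SafeContents sits inside EncryptedData.
    eci = tlv(SEQ, OID_DATA + pbe_alg_id() + tlv(CTX0_IMPL, encrypted_safe_contents))
    return pfx(tlv(SEQ, content_info(OID_ENCRYPTED, tlv(SEQ, der_int(0) + eci))))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def body(encoded):
    return read_tlv(encoded)[1]

def children(seq_body):
    out, pos = [], 0
    while pos < len(seq_body):
        tag, inner, pos = read_tlv(seq_body, pos)
        out.append(tlv(tag, inner))        # each child kept as its full encoding
    return out

def inspect_pkcs12(der):
    # Walk PFX -> authSafe -> AuthenticatedSafe and list the bag types of every
    # unencrypted SafeContents; encrypted ones cannot be read without the password.
    auth_safe_ci = children(body(der))[1]
    auth_safe = body(body(children(body(auth_safe_ci))[1]))   # [0] -> OCTET STRING -> SEQ
    report = []
    for ci in children(body(auth_safe)):
        ctype, content = children(body(ci))
        kind = NAMES.get(ctype, "unknown")
        if kind != "data":
            report.append((kind, None))
            continue
        safe_contents = body(body(content))
        bags = [NAMES.get(children(body(bag))[0], "unknown") for bag in children(body(safe_contents))]
        report.append((kind, bags))
    return report

def unprotected_private_key(der):
    # True when a plain keyBag sits in an unencrypted SafeContents: key material in the clear.
    return any(kind == "data" and "keyBag" in bags for kind, bags in inspect_pkcs12(der))

if __name__ == "__main__":
    placeholder = bytes(range(64))   # constructed stand-in for PBE ciphertext
    print(inspect_pkcs12(build_shrouded_key_only(placeholder)))
    print(inspect_pkcs12(build_keybag_in_encrypted_safe(placeholder)))
```

Run as a script, the first report reads [('data', ['pkcs8ShroudedKeyBag'])]: the bag type of the key-only bundle is visible, but the key itself stays under the PKCS#8 PBE. The second reads [('encryptedData', None)], since nothing inside that SafeContents can be seen without the password. Both layouts are acceptable for a lone private key; what unprotected_private_key() flags is the third combination, a plain keyBag in plain data, which is the one to reject.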



Re: Private keys and PKCS#12

2000-09-26 Thread Dr S N Henson

Marco Donati wrote:
>
> I've solved my problem and I'd like to thank everybody who wrote me.
>
> I modified my low level sequence (the code I posted) to build a PKCS#12
> bundle with one bag, keeping the private key "shrouded", so I used
> PKCS12_MAKE_SHKEYBAG/PKCS12_pack_p7data INSTEAD of
> PKCS12_MAKE_KEYBAG/PKCS12_pack_p7encdata.
>
> Maybe I didn't explain the problem clearly, sorry.
>
> It seems to work.
>
> Thanks to Qun-Ying, but I prefer not to modify the OpenSSL original code
> so that I will be able to upgrade in the future with minor changes.
>

I hope to extend the PKCS12_create() and PKCS12_parse() routines in
future so they can generate PKCS#12 files with multiple keys and
certificates and which don't necessarily have matching keys and
certificates. Netscape PSM is starting to use such things and it would
be nice if OpenSSL had a simple API that could handle them.

So in future this should be much easier.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





Re: Private Keys and PKCS#12

2000-09-25 Thread zhu qun-ying



Marco Donati wrote:
>
> I generate the key, then use it to sign a certificate request (PKCS#10).
> The PKCS#10 is sent to a CA.
> When the certificate is issued by the CA it is downloaded (via LDAP) and
> stored into the original P12 with its key.
>
> I need it in PKCS12 for compatibility with another application.
>

You may create a PKCS12 file without a cert. But I am not sure how well it works
with regard to compatibility and not sure whether it will break anything. I
modified the original p12_crt.c to remove the requirement of a cert. You can see
from the attached file that I just commented out the cert-related code.


-- 
(~._.~)  朱群英  (Qun-Ying)  (65) 874-6743
 ( O )   TrustCopy Pte Ltd / Kent Ridge Digital Labs
()~*~()  21 Heng Mui Keng Terrace,  Singapore 119613
(_)-(_)[EMAIL PROTECTED]  *  [EMAIL PROTECTED]
[Attachment: p12_crt.c]


Re: Private Keys and PKCS#12

2000-09-25 Thread Dr S N Henson

Marco Donati wrote:
>
> > PKCS#12 files under OpenSSL are intended to have a key and a matching
> > certificate. AFAIK the same is true of Windows and Netscape
> > import/export routines.
>
> yes, but what if you still have to request it to a CA...
>
> > What do you want a private key alone in PKCS#12 format for?
>
> I generate the key, then use it to sign a certificate request (PKCS#10).
> The PKCS#10 is sent to a CA.
> When the certificate is issued by the CA it is downloaded (via LDAP) and
> stored into the original P12 with its key.
>

Well, the PKCS#12 file would need to be rebuilt; you can't just add
things. As such it wouldn't matter what form the private key was in, as
long as it was added to a PKCS#12 file when the CA returned the
certificate.

> > If you want to save an encrypted private key separately I suggest you
> > try something like PKCS#8.
>
> I need it in PKCS12 for compatibility with another application.
>

So your other application specifically needs a PKCS#12 file with a
private key and no certificate?

Hmmm. I think the only way to do this is via the low level routines, say
modifying the PKCS12_create() function as has been suggested. You may
not be able to use PKCS12_parse() on the resulting file but the 'pkcs12'
application should work.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
