On Fri, 2006-11-17 at 22:41 +0100, Nils Larsch wrote:
> John T. Guthrie III wrote:
> > Hello all,
> > 
> > The following may sound like a rather strange question.  First a bit of
> > background.  The company that I work for recently acquired some APC 7931
> > power distribution units.  These PDUs are quite nice for what they do, and
> > they are quite nicely manageable.  However, in order to put keys and certs
> > onto these (for things like HTTPS and SSH), you have to use this wizard
> > under Windows that generates a file in PKCS #15 format right in the file
> > system.  (Yes, you read that correctly.)  In the case of SSH host keys, you
> > just export these files onto the PDU.  In the case of certificates, what
> > you get is a private key in a .p15 file (That is, a file in PKCS #15
> > format.), and a certificate request in X.509 format.  After you get the
> > signed request back in X.509 format, the wizard generates yet another .p15
> > file that contains both the cert and the private key.  You can then export
> > this onto the PDU.  This all works fine, but sometimes I would like to be
> > able to do this under Linux using openssl or something similar.
> > Unfortunately, openssl doesn't handle .p15 files.  opensc/openct expect the
> > PKCS #15 data to come from a physical smart card, not a file in the file
> > system.  Does anyone on this list know of a way to convert between
> > X.509/PKCS #12 data and PKCS #15 data without using a smart card?
> 
> Could you send me such a file ?

Sorry, I totally spaced, and forgot to offer that.  Attached at the end
of this email are actually three of these files.  They are named
ssh_host_key.p15, certificate_private_rsa_key.p15, and
certificate_and_key.p15.  The first one should be self-explanatory.  The
second one contains a freshly created RSA key that a certificate signing
request has been created for.  The last one contains that RSA private
key and a signed certificate.  (I signed it using a private CA.)  All of
these .p15 files were created by APC's security wizard application.  If
you are really interested, it looks like you can download it from here:

https://www.apcc.com/tools/download/software_comp.cfm?sw_sku=SFNMCSECWIZ211&tsk=f817x

However, it will require a registration, so that might not be desirable.
(I was able to download it after registering.)

If you are able to extract the certificate and keys, here are some
fingerprints:

--- Host Key's Fingerprints ---
SSHv1: EB:93:1F:FC:53:76:9C:AF:61:C2:DA:DD:B6:D2:39:1D
SSHv2: 39:24:07:3E:0B:C5:D8:43:53:4A:8F:E5:84:7E:29:23

--- Certificate's General Information ---
SHA Fingerprint:
4D:FB:85:3F:F9:E1:EF:43:05:36:BA:AB:DC:C7:DD:46:76:65:46:E4
MD5 Fingerprint: 53:A5:F4:4E:4F:E2:74:81:27:28:75:D8:44:9D:FF:55

On Fri, 2006-11-17 at 16:17 -0500, Chaskiel M Grundman wrote: 
> pkcs15 does define file formats (for smart cards that use "transparent" 
> files), but "a file in PKCS #15 format" is nonsensical. At the very least, 
> there are multiple file formats depending on what sort of data you are 
> storing. A first step in figuring out what these files are is determining 
> if they are, in fact, ASN.1 structures. Use "openssl asn1parse -inform DER 
> -in <file>" and we should be able to tell based on the structure and OIDs 
> if the format actually comes from PKCS #15.

I could easily be mistaken about the relationship of these files to PKCS
#15, if any.  I'm really going on the fact that the application won't
save a file unless it has a .p15 extension.  (That and the fact that
these files are being used in a security context.)

For the file with the certificate and private key and the host key file,
I get the following error:

    0:d=0  hl=2 l=   0 prim: BOOLEAN           Bad boolean
20098:error:0D08E06A:asn1 encoding routines:d2i_ASN1_BOOLEAN:boolean is wrong length:a_bool.c:110:

However, for the file that contains just an RSA private key, I get the
following output:

    0:d=0  hl=4 l=1102 cons: SEQUENCE          
    4:d=1  hl=2 l=  10 prim: OBJECT            :1.2.840.113549.1.15.3.1
   16:d=1  hl=4 l=1086 cons: cont [ 0 ]        
   20:d=2  hl=4 l=1082 cons: SEQUENCE          
   24:d=3  hl=2 l=   1 prim: INTEGER           :00
   27:d=3  hl=4 l=1075 cons: SEQUENCE          
   31:d=4  hl=4 l= 841 cons: cont [ 0 ]        
   35:d=5  hl=4 l= 837 cons: cont [ 0 ]        
   39:d=6  hl=4 l= 833 cons: SEQUENCE          
   43:d=7  hl=2 l=  13 cons: SEQUENCE          
   45:d=8  hl=2 l=  11 prim: UTF8STRING        
   58:d=7  hl=2 l=  33 cons: SEQUENCE          
   60:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:91C53EA04F53F34AEF34C72C46919EF19C8D8D13
   82:d=8  hl=2 l=   2 prim: BIT STRING        
   86:d=8  hl=2 l=   1 prim: BOOLEAN           :0
   89:d=8  hl=2 l=   2 prim: BIT STRING        
   93:d=7  hl=4 l= 779 cons: cont [ 1 ]        
   97:d=8  hl=4 l= 775 cons: SEQUENCE          
  101:d=9  hl=4 l= 767 cons: cont [ 2 ]        
  105:d=10 hl=2 l=   1 prim: INTEGER           :02
  108:d=10 hl=2 l= 105 cons: SET               
  110:d=11 hl=2 l= 103 cons: cont [ 3 ]        
  112:d=12 hl=2 l=   1 prim: INTEGER           :00
  115:d=12 hl=2 l=  27 cons: cont [ 0 ]        
  117:d=13 hl=2 l=   9 prim: OBJECT            :PBKDF2
  128:d=13 hl=2 l=  14 cons: SEQUENCE          
  130:d=14 hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:85560626DABDA934
  140:d=14 hl=2 l=   2 prim: INTEGER           :03E8
  144:d=12 hl=2 l=  35 cons: SEQUENCE          
  146:d=13 hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.3.9
  159:d=13 hl=2 l=  20 cons: SEQUENCE          
  161:d=14 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
  171:d=14 hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:BE38E61B021D079D
  181:d=12 hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:1FDECE0DEA32A8B72E29C0522AD28C45E8BB7FDD203C0ABCB6242A03C0DADE0D
  215:d=10 hl=4 l= 653 cons: SEQUENCE          
  219:d=11 hl=2 l=   9 prim: OBJECT            :pkcs7-data
  230:d=11 hl=2 l=  20 cons: SEQUENCE          
  232:d=12 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
  242:d=12 hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:E224212955320531
  252:d=11 hl=4 l= 616 prim: cont [ 0 ]        
  872:d=9  hl=2 l=   2 prim: INTEGER           :80
  876:d=4  hl=3 l= 227 cons: cont [ 1 ]        
  879:d=5  hl=3 l= 224 cons: cont [ 0 ]        
  882:d=6  hl=3 l= 221 cons: SEQUENCE          
  885:d=7  hl=2 l=  13 cons: SEQUENCE          
  887:d=8  hl=2 l=  11 prim: UTF8STRING        
  900:d=7  hl=2 l=  33 cons: SEQUENCE          
  902:d=8  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:91C53EA04F53F34AEF34C72C46919EF19C8D8D13
  924:d=8  hl=2 l=   2 prim: BIT STRING        
  928:d=8  hl=2 l=   1 prim: BOOLEAN           :0
  931:d=8  hl=2 l=   2 prim: BIT STRING        
  935:d=7  hl=3 l= 168 cons: cont [ 1 ]        
  938:d=8  hl=3 l= 165 cons: SEQUENCE          
  941:d=9  hl=3 l= 162 cons: cont [ 0 ]        
  944:d=10 hl=3 l= 159 cons: SEQUENCE          
  947:d=11 hl=2 l=  13 cons: SEQUENCE          
  949:d=12 hl=2 l=   9 prim: OBJECT            :rsaEncryption
  960:d=12 hl=2 l=   0 prim: NULL              
  962:d=11 hl=3 l= 141 prim: BIT STRING        

I hope this helps.

Thank you very much again to everybody for their help.

-- 
John Guthrie
[EMAIL PROTECTED]

Attachment: ssh_host_key.p15
Description: Binary data

Attachment: certificate_private_rsa_key.p15
Description: Binary data

Attachment: certificate_and_key.p15
Description: Binary data

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
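
Added example (not part of the original message, and not APC or OpenSC code): a minimal DER reader in Python for the first check suggested in the thread, namely whether a .p15 file starts with a DER SEQUENCE whose first element is the OID 1.2.840.113549.1.15.3.1 seen at offset 4 of the dump. The two sample byte strings are constructed from the header values in the output above with zero filler, and the names read_tlv, decode_oid and classify are hypothetical.

```python
PKCS15_OID = "1.2.840.113549.1.15.3.1"      # OID shown at offset 4 of the dump
OID_BYTES = bytes.fromhex("2a864886f70d010f0301")
# Constructed: same outer headers as the key-only file (l=1102, l=10, l=1086), zero filler.
KEY_ONLY = bytes.fromhex("3082044e060a") + OID_BYTES + bytes.fromhex("a082043e") + bytes(1086)
# Constructed: leading bytes implied by "hl=2 l=0 prim: BOOLEAN" (tag 0x01, length 0).
OTHER = bytes.fromhex("0100") + bytes(16)

def read_tlv(buf, off):
    """Return (tag, content_offset, content_length) of the DER TLV at off (single-byte tags)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                        # short-form length
        start, length = off + 2, first
    else:                                   # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or off + 2 + n > len(buf):
            raise ValueError("unsupported or truncated length")
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("content runs past end of data")
    return tag, start, length

def decode_oid(body):                       # OID content octets -> dotted-decimal text
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit = more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def classify(data):
    """Say whether data starts like the key-only file: SEQUENCE { OID, ... }."""
    try:
        tag, start, _ = read_tlv(data, 0)
        if tag != 0x30:
            return "not a DER SEQUENCE at offset 0 (tag 0x%02x)" % tag
        otag, ostart, olen = read_tlv(data, start)
        if otag != 0x06:
            return "DER SEQUENCE without a leading OID"
        oid = decode_oid(data[ostart:ostart + olen])
    except ValueError as exc:
        return "not parseable as DER: %s" % exc
    return "PKCS #15 content type" if oid == PKCS15_OID else "other OID " + oid
```

To check a real file, pass its bytes to classify(); a result other than "PKCS #15 content type" means the DER structure, if any, does not begin at offset 0.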
