[EMAIL PROTECTED] wrote:
> 
> Hi
> 
> In openssl command line.
> >>pkcs12 -export -in temp.pem -keypbe PBE-MD5-DES -out temp.pfx
> 
> ,where temp.pem contains private key and corresponding self-signed certificate.
> 
> When I tried to import temp.pfx to MSIE, IE prompts an error message "wrong password"
> 

The most probable cause of this is that MSIE does not support
PBE-MD5-DES which is a PKCS#5 v1.5 password based encryption (PBE)
algorithm. Many PKCS#12 implementations only support PKCS#12 PBE
algorithms.

> So I changed openssl source code crypto/evp/e_des.c and rebuild libcrypto.a
> 
> original :
> static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
>            const unsigned char *in, unsigned int inl)
> {
>    des_ncbc_encrypt(in, out, (long)inl, ctx->c.des_ks,
>           (des_cblock *)ctx->iv, ctx->encrypt);
>    return 1;
> }
> modified :
> static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
>            const unsigned char *in, unsigned int inl)
> {
>    des_cbc_encrypt(in, out, (long)inl, ctx->c.des_ks,
>           (des_cblock *)ctx->iv, ctx->encrypt);
>    return 1;
> }
> 
> Then temp.pfx is imported to MSIE.
> 
> I think that mapping of object identifier of DES-CBC to corresponding function
> 
> is different from that of MSIE.
> 
> Openssl maps DES-CBC object identifier to des_ncbc_encrypt! Is it correct?
> 

Silly question: are you sure you used the -keypbe algorithm the second
time? Without that it uses triple DES for private key encryption which
would be unaffected by the change.

des_cbc_encrypt() does not update the IV and is not suitable for this
operation, des_ncbc_encrypt() does. Making that change will break
OpenSSL.

OpenSSL's PBE-MD5-DES implementation has been verified against a number
of other implementations with no problems.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
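
The IV point made in the reply above, as an added example (not part of the original message and not OpenSSL code): a CBC routine called on consecutive chunks matches a one-shot encryption only if it writes the last ciphertext block back into the IV. The block function is a toy stand-in, not DES, and every name and sample byte here is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 8

/* Toy 8-byte block function standing in for DES (NOT DES, not secure). */
static void toy_block(const uint8_t in[BLK], uint8_t out[BLK], const uint8_t key[BLK]) {
    for (int i = 0; i < BLK; i++) {
        uint8_t x = in[i] ^ key[i];
        out[(i + 3) % BLK] = (uint8_t)(((x << 3) | (x >> 5)) + key[(i + 1) % BLK]);
    }
}

/* CBC over whole blocks. update_iv=1 writes the last ciphertext block back
 * into iv (the behaviour the reply attributes to des_ncbc_encrypt);
 * update_iv=0 leaves iv untouched (as it describes des_cbc_encrypt). */
static void cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                        const uint8_t key[BLK], uint8_t iv[BLK], int update_iv) {
    uint8_t chain[BLK], x[BLK];
    memcpy(chain, iv, BLK);
    for (size_t off = 0; off + BLK <= len; off += BLK) {
        for (int i = 0; i < BLK; i++) x[i] = in[off + i] ^ chain[i];
        toy_block(x, chain, key);
        memcpy(out + off, chain, BLK);
    }
    if (update_iv) memcpy(iv, chain, BLK);
}

/* Returns 1 if encrypting 32 bytes as two 16-byte calls equals one call. */
int chunked_matches_oneshot(int update_iv) {
    const uint8_t key[BLK] = {0x13,0x34,0x57,0x79,0x9b,0xbc,0xdf,0xf1}; /* constructed */
    const uint8_t iv0[BLK] = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; /* constructed */
    uint8_t msg[32], ref[32], split[32], iv[BLK];
    for (int i = 0; i < 32; i++) msg[i] = (uint8_t)(i * 7 + 1);      /* constructed */
    memcpy(iv, iv0, BLK);
    cbc_encrypt(msg, ref, 32, key, iv, 1);            /* reference: one call */
    memcpy(iv, iv0, BLK);
    cbc_encrypt(msg, split, 16, key, iv, update_iv);  /* first chunk */
    cbc_encrypt(msg + 16, split + 16, 16, key, iv, update_iv); /* second chunk */
    return memcmp(ref, split, 32) == 0;
}

int main(void) {
    printf("IV updated:     chunked == one-shot? %d\n", chunked_matches_oneshot(1));
    printf("IV not updated: chunked == one-shot? %d\n", chunked_matches_oneshot(0));
    return 0;
}
```

When the IV is not carried forward, the second chunk restarts the chain from the original IV, so a receiver decrypting the stream as one CBC message gets a corrupted block at each chunk boundary.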
