OK, I'd like to report this as a bug to the IBM ikeyman folks. However, when I look at PKCS#12 v1 (http://www.rsasecurity.com/rsalabs/node.asp?id=2138) I don't see any discussion of this limitation of the localKeyID field. Is there a newer spec I should be looking at?
BTW - the link on your FAQ

    Q. Where can I get technical documentation on this stuff?
    A. If you want info about my implementation see docs/pk12api.doc and docs/pkcs12.doc. Latest PKCS#12 Specification.

gives a 404. (And where can I find docs/pk12api.doc and docs/pkcs12.doc?)

Additionally, I will need to parse such 'broken' files, so will need to update PKCS12_parse for my own use, to find the first private key and the cert that matches it, regardless of localKeyID in other certs or the order of the certs/key. Would you be interested in that update? (It could change the behaviour of the function for files with multiple key/cert pairs in it.)

Paul
--
Paul Ford-Hutchinson, CISSP : eCommerce application security
e: [EMAIL PROTECTED]
p: MPT-6, IBM, PO Box 31, Birmingham Rd, Warwick, CV34 5JL
t: +44 (0)1926 462005
w: http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html


"Stephen Henson via RT" <[EMAIL PROTECTED]>
Sent by: <[EMAIL PROTECTED]>
05/04/2005 18:35
Please respond to rt

To: Paul V Ford-Hutchinson/UK/GINTL/[EMAIL PROTECTED]
cc: openssl-dev@openssl.org
Subject: [openssl.org #1034] bug report (and fix): PKCS12_parse returns incorrect cert

That looks like a highly broken PKCS#12 file. The localKeyID attribute is supposed to be only used between the private key and corresponding certificate. In that case *every* certificate has a matching localKeyID.

Steve.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]