Mounir,

Thank you so much for your answer. I did extract the key into a pem file (using command: c:\openssl\bin\openssl pkcs12 -in cert.pfx -nocerts -out cert_key.pem), and tried to connect using the key file as output. It got further along in the process - I was prompted to enter my PEM pass phrase - but a different error came up:

  File "C:\python26\lib\ssl.py", line 113, in __init__
    cert_reqs, ssl_version, ca_certs)
ssl.SSLError: [Errno 336445449] _ssl.c:351: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

Would you have any insight in regards to the problem here?

I should also note that while I was creating the key file, I noticed that I was prompted to "Enter Import Password", but also to "Enter PEM pass phrase". Does this mean the private key found in the pfx file is actually in PEM format to begin with? Does this change your advice at all?

Regards,
Remi.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: April 13, 2010 11:29 AM
To: openssl-users@openssl.org
Subject: Re: openSSL and PKCS #12 certificates

Hi,

OPENSSL supports PKCS#12 files. Look at the header pkcs12.h that contains functions for parsing and exporting private keys and certificates from a PKCS#12 file (like d2i_PKCS12 and PKCS12_parse).

Concerning the error you are getting, it appears that the python module you are using is calling SSL_CTX_use_PrivateKey_file by giving it the PKCS#12 file name. This does not work because SSL_CTX_use_PrivateKey_file only accepts two formats: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1.

In order to correct this, you have two solutions:
- Either feed the python module with the private key in a PEM file.
- Or modify the source code of this python module in order to use the PKCS#12 functions I mentioned above to extract the private key as an EVP_PKEY and then call SSL_use_PrivateKey instead of SSL_CTX_use_PrivateKey_file, along with SSL_use_certificate for setting the associated certificate.

The first solution is the easiest because you can simply use the OPENSSL command line utility in order to extract the private key and its certificate from the PKCS#12 file as PEM files and then give them as input to your python module.

I hope this will help.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 4/13/2010 2:55 PM, Rémi Després-Smyth wrote:
> Hello.
>
> I've been trying to setup client authentication using a PKCS #12
> certificate, and I've been having some trouble. I'm trying to determine
> whether it's because it's something unsupported in openSSL, or if it's a
> problem with the wrapper library I'm using (Python's httplib). I'd
> appreciate it if anyone might be able to provide some insight.
>
> I'm getting an error raised by the openSSL library when the wrapper class is
> trying to instantiate and wrap a socket, and from what I've been able to
> gather to-date, the error appears to be coming from openSSL:
>
> Ssl.SSLError: [Errno 336265225] _sll.c:337: error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>
> Is PKCS #12 supposed to be supported by openSSL? I would guess yes; I dug
> around in the source and found that PEM lib is the error text for
> ERR_R_PEM_LIB (defined in err_str.c), and I also noticed ERR_R_PKCS12_LIB in
> there. This gives me the impression that openSSL is incorrectly trying to
> load the PKCS #12 cert as a PEM cert, and thus the error which leads me to
> believe that the wrapper library may not be calling openSSL properly, if
> PKCS #12 certificates should be supported. (Otherwise, why would openSSL be
> returning an error related to PEM certs and not PKCS #12 certs?)
>
> Can anyone tell me whether or not openSSL should be able to work with
> PKCS#12 certs? Any advice anyone might have is welcome. (Sorry if this is
> vague; this is the first time I dig into the openSSL project.)
>
> The certificate appears correct, as I've tested it by adding it to MSIE and
> Firefox and I'm able to connect to the server.
>
> Regards,
>
> Remi.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
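
An added example, not part of the thread or of the ssl module: both errors quoted above are "PEM lib" failures from loaders that expect PEM input, so this stdlib-only Python pre-flight check reports whether the data intended as certfile and keyfile is PEM and carries the expected block. The function names and the sample bytes are constructed for illustration, and the DER test is a heuristic on the leading ASN.1 bytes.

```python
import re

# PEM armor line, e.g. "-----BEGIN CERTIFICATE-----" (text before it is ignored).
_PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)
_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
               "DSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample inputs (not real key material).
SAMPLE_PFX = b"\x30\x82\x09\x5a\x02\x01\x03"  # leading bytes of a DER SEQUENCE
SAMPLE_KEY_PEM = (b"Bag Attributes\r\n    friendlyName: constructed\r\n"
                  b"-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nAAAA\r\n"
                  b"-----END ENCRYPTED PRIVATE KEY-----\r\n")
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"


def classify(data):
    """Return (kind, labels); kind is 'pem', 'der' or 'unknown'."""
    labels = [m.group(1).decode("ascii") for m in _PEM_BEGIN.finditer(data)]
    if labels:
        return "pem", labels
    # Heuristic: binary DER/BER files, PKCS#12 (.pfx) included, start with a
    # SEQUENCE tag (0x30) followed by a long-form or indefinite length byte.
    if len(data) > 1 and data[0] == 0x30 and data[1] & 0x80:
        return "der", []
    return "unknown", []


def _check(name, data, wanted):
    kind, labels = classify(data)
    if kind != "pem":
        return ["%s is %s, not PEM" % (name, kind)]
    if not wanted.intersection(labels):
        return ["%s lacks %s (found: %s)"
                % (name, " / ".join(sorted(wanted)), ", ".join(labels))]
    return []


def preflight(cert_data, key_data):
    """List what would stop a PEM-only loader from reading this cert/key pair."""
    return (_check("certfile", cert_data, {"CERTIFICATE"})
            + _check("keyfile", key_data, _KEY_LABELS))


if __name__ == "__main__":
    print(preflight(SAMPLE_PFX, SAMPLE_KEY_PEM))       # .pfx passed as certfile
    print(preflight(SAMPLE_KEY_PEM, SAMPLE_KEY_PEM))   # key-only PEM as certfile
    print(preflight(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM))  # separate PEM files
```

In practice, read each file in binary mode and pass the bytes to `preflight` before handing the paths to the TLS wrapper.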