PKCS #12

2002-04-22 Thread Raphael Amorim
Dear OpenSSL Developers, I need to generate PKCS#12 private key files from CryptoApi Key Containers. I'd tried to use Xenroll, OpenSSL and the RSA's PKCS#12 specification, but the files I'm generating have not been recognized as valid pkcs#12 files by anot

Re: PKCS #12

2002-04-23 Thread Lutz Jaenicke
On Mon, Apr 22, 2002 at 05:24:04PM -0300, Raphael Amorim wrote: > I need to generate PKCS#12 private key files from CryptoApi Key > Containers. I'd tried to use Xenroll, OpenSSL and the RSA's PKCS#12 > specification, but the files I'm generating have not been recognized

Re: PKCS #12

2002-04-23 Thread raphael amorim
>On Mon, Apr 22, 2002 at 05:24:04PM -0300, Raphael Amorim > wrote: >> I need to generate PKCS#12 private key files from > CryptoApi Key >> Containers. I'd tried to use Xenroll, OpenSSL and the > RSA's PKCS#12 >> specification, but the files I'm generating

Re: PKCS #12

2002-04-23 Thread Lutz Jaenicke
On Tue, Apr 23, 2002 at 02:05:15PM -0500, raphael amorim wrote: > They're using OpenSSL. > > By the way, you know how to use the pkcs12 command passing > the container name(key pair holder in CryptoAPI) as -name > parameter to obtain a .p12 file? ??? I don't know CryptoAPI. The -name option i

PKCS@12 Support

1999-03-26 Thread madwolf
I've read one of the primary objective is to include support for the PKCS#12. I've had some contact with Dr. Stephen Henson about his software: - Massimiliano Pala wrote: > > Hi! > > I have a question re

PKCS#12 integration.

1999-04-01 Thread Dr Stephen Henson
Further to my announcement a few days ago I've now completed most of the PKCS#12 integration into OpenSSL. The latest snapshots include a new 'pkcs12' application linked into openssl and all my PKCS#12 library code. Usage is: openssl pkcs12 [pkcs12 options] where [pkcs12 options

Is PKCS#12 secure?

2000-09-26 Thread zhu qun-ying
I am actually quite new to the Crypto world, just about 2 months. While reading Peter Gutmann's article on breaking PKCS#12 formatted file, I am wondering is the implementation of OpenSSL's PKCS#12 routines subject to the same attack. What's the most secure format could be used u

PKCS#12 program 0.54.

1999-03-22 Thread Dr Stephen Henson
I've just uploaded version 0.54 of my PKCS#12 program for OpenSSL and SSLeay. It compiles under OpenSSL 0.9.1c, 0.9.2 and SSLeay 0.9.X. You can download it at: http://www.drh-consultancy.demon.co.uk/pkcs12-054-tar-gz.bin This version fixes a typo in 0.53 which meant the -keyex and -k

Re: Is PKCS#12 secure?

2000-09-27 Thread Dr S N Henson
zhu qun-ying wrote: > > I am actually quite new to the Crypto world, just about 2 months. While reading > Peter Gutmann's article on breaking PKCS#12 formatted file, I am wondering is > the implementation of OpenSSL's PKCS#12 routines subject to the same attack. > What

Re: Is PKCS#12 secure?

2000-09-27 Thread zhu qun-ying
> I supplied some of the info for that article and I wrote PKCS#12 for > OpenSSL so I'd say yes OpenSSL PKCS#12 implementation is reasonably > secure with the usual precautions, i.e. not picking obvious or guessable > passwords. > > OpenSSL's implementation uses high mac a

Re: Is PKCS#12 secure?

2000-09-27 Thread Dr S N Henson
zhu qun-ying wrote: > > > Thank you for your clearance. There are still some information that I want to > know. Is the default setting to PKCS12_create() will be sufficient? Or do I need > to increase the mac_iter and nid_cert cipher to 3DES-CBC? > They should be sufficient. Certificates are us

Re: Is PKCS#12 secure?

2000-09-27 Thread zhu qun-ying
> They should be sufficient. Certificates are usually public knowledge > anyway so using weak or no encryption on them is harmless but if you > want to use strong encryption on it you can, however some of the older > export browsers won't import 3DES encrypted certificates. > > Steve. My concern i

Re: Is PKCS#12 secure?

2000-09-27 Thread Dr S N Henson
finding out the private key secret key. > What's the effect on increasing mac_iter, does it worse the iteration? > The larger the value the more work is involved in checking the mac value, and the harder it is for an attacker to run through large quantities of candidate passwords on the

PKCS#12 program v 0.53a

1999-01-01 Thread Dr Stephen Henson
I've just uploaded v0.53a of my PKCS#12 program. It should compile under the latest OpenSSL tree. It probably will *not* compile under OpenSSL 0.9.1X. It will compile under SSLeay still. It's still under test and OpenSSL may change to break it so consider it "experimental".

PKCS#12 program v 0.53a

1999-01-02 Thread Dr Stephen Henson
Hmm let's try this again... I've just uploaded v0.53a of my PKCS#12 program. It should compile under the latest OpenSSL tree. It probably will *not* compile under OpenSSL 0.9.1X. It will compile under SSLeay still. It's still under test and OpenSSL may change to break it so c

IMPORTANT NOTICE: PKCS#12 integration.

1999-03-27 Thread Dr Stephen Henson
Note to any developers using the CVS snapshots. I am currently engaged in the integration of my PKCS#12 program into OpenSSL. This will be a gradual process over several days (weeks?) while I consider where the stuff should go, which compatibility stuff to remove etc etc. During this time it

pkcs#12 creation with secret bags

2003-06-23 Thread Claude CONVERT
Hi all I try to create a pkcs#12 with several secret bags. I haven't found any sample which indicates how to do this and especially how to create a secret bag. I try the following code, but it doesn't work: PKCS12_SAFEBAG *safebag; ASN1_OCTET_STRING *os;

Key/Cert to PKCS#12 file

2000-04-07 Thread Hellan,Kim KHE
I have a key file and a cert file with one certificate (signed by a CA). All I want to do is "combine" these two files in a PKCS#12 file. Does anyone know how to perform this relatively "simple" task (which functions must be called)? I have looked in the pkcs12.c file, but i

Re: PKCS#12 program v 0.53a

1999-01-02 Thread Ben Laurie
Dr Stephen Henson wrote: > > Hmm let's try this again... What was wrong with the first attempt? Cheers, Ben. -- "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition

Re: pkcs#12 creation with secret bags

2003-06-24 Thread Dr. Stephen Henson
On Mon, Jun 23, 2003, Claude CONVERT wrote: > Hi all > I try to create a pkcs#12 with several secret bags. > I haven't found any sample which indicates how to do this and especially how > to create a secret bag. > I try the following code, but it doesn't work : >

RE : pkcs#12 creation with secret bags

2003-06-27 Thread Claude CONVERT
CONVERT, > -Original Message- > From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED] > Sent: Tuesday, 24 June 2003 23:26 > To: [EMAIL PROTECTED] > Subject: Re: pkcs#12 creation with secret bags > > > On Mon, Jun 23, 2003, Claude CONVERT wrote: > > > Hi all

Re: Compatibility of client PKCS#12 files

2008-07-09 Thread Joe Orton
On Wed, Jul 09, 2008 at 04:14:28PM +0100, Joe Orton wrote: > On Tue, Jul 08, 2008 at 12:03:15PM +1000, Paul Cuthbert wrote: > > Subversion 1.5.0 (and probably earlier) is unable to handle client > > PKCS#12 files that are generated using the Bouncy Castle cryptographic

Re: Compatibility of client PKCS#12 files

2008-07-09 Thread Joe Orton
On Tue, Jul 08, 2008 at 12:03:15PM +1000, Paul Cuthbert wrote: > Subversion 1.5.0 (and probably earlier) is unable to handle client > PKCS#12 files that are generated using the Bouncy Castle cryptographic > toolkit (Java version 139, see > http://www.bouncycastle.org/latest_r

Re: Compatibility of client PKCS#12 files

2008-07-11 Thread Paul Cuthbert
+1000, Paul Cuthbert wrote: Subversion 1.5.0 (and probably earlier) is unable to handle client PKCS#12 files that are generated using the Bouncy Castle cryptographic toolkit (Java version 139, see http://www.bouncycastle.org/latest_releases.html). These P12 files can be handled fine by Microso

Re: Key/Cert to PKCS#12 file

2000-04-07 Thread Dr Stephen Henson
Hellan,Kim KHE wrote: > > I have a key file and a cert file with one certificate (signed by a CA). > All I want to do is "combine" these two files in a PKCS#12 file. > Does anyone know how to perform this relatively "simple" task (which > functions must be

Using X509 cert from a PKCS#12 certificate.

1999-09-14 Thread James Darwin
rtificates and all give the same error, and yet all appear fine when using the openssl tool. Even a PEM certificate which works fine, when converted to pkcs#12 format fails. I am using version Openssl 0.9.3a, and the same thing happens on NT, Solaris and OSF1. Any ideas would be greatly appreciate

Re: Using X509 cert from a PKCS#12 certificate.

1999-09-15 Thread Dr Stephen Henson
James Darwin wrote: > > Hi, > > I am having trouble using the "X509* ssl_public_cert" created from the code > at the end of this message. This code runs fine without error, but when I > call: > [stuff deleted] >if (!PKCS12_parse(p12, pass_key, &pkey, &cert, NULL)) { >dce_sv

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-28 Thread David Woodhouse
On Wed, 2016-08-24 at 18:55 +0100, Dr. Stephen Henson wrote: > commit 647ac8d3d7143e3721d55e1f57730b6f26e72fc9 > > OpenSSL versions before 1.1.0 didn't convert non-ASCII > UTF8 PKCS#12 passwords to Unicode correctly. > > To correctly decrypt older files, if MAC verifi

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-29 Thread Andy Polyakov
efore 1.1.0 didn't convert non-ASCII >> UTF8 PKCS#12 passwords to Unicode correctly. >> >> To correctly decrypt older files, if MAC verification fails >> with the supplied password attempt to use the broken format >> which is compatible with earlier versions of OpenS

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-29 Thread David Woodhouse
> > > > > > commit 647ac8d3d7143e3721d55e1f57730b6f26e72fc9 > > > > > > OpenSSL versions before 1.1.0 didn't convert non-ASCII > > > UTF8 PKCS#12 passwords to Unicode correctly. > > > > > > To correctly decrypt older files, if MA

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-29 Thread David Woodhouse
On Mon, 2016-08-29 at 18:40 +0100, David Woodhouse wrote: > > So... let's have a password 'nałve', in a ISO8859-2 environment where > that is represented by the bytes 6e 61 b3 76 65. > > First I should try the correct version according to the spec: >  006e 0061 0142 0076 0065 > > Then we try the

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-29 Thread Andy Polyakov
> So let's try a better example. The password is "ĂŻ" (U+0102 U+017b), > and the locale (not that it *should* matter) is ISO8859-2. When it comes to locale in *this* case you should rather wonder what does your terminal emulator program do and how does it interact with your shell. Because these tw

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-30 Thread David Woodhouse
about > how string is composed by *somebody else*. That's why I said that "we > assume that you don't change locale when you upgrade OpenSSL". I'm talking about how other libraries should attempt to read the PKCS#12 files created by OpenSSL. In my code I have the

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-30 Thread Andy Polyakov
had. Or the whole set of "we treated local > X as if it were UTF-8" bugs that the new code has. Yes. > So for other applications to try to read OpenSSL's PKCS#12 files, what > we need to do is first convert the sane Unicode rendition of the > password into the native

Re: [openssl-dev] [PATCH] Support broken PKCS#12 key generation.

2016-08-30 Thread David Woodhouse
On Tue, 2016-08-30 at 12:38 +0200, Andy Polyakov wrote: > > So for other applications to try to read OpenSSL's PKCS#12 files, what > > we need to do is first convert the sane Unicode rendition of the > > password into the native locale charset (e.g. Windows-1252), then take

[openssl-dev] internationalized passwords for pkcs#8, pkcs#12 files

2017-04-05 Thread Nikos Mavrogiannopoulos
Hi, I would like to eliminate the ambiguities concerning internationalized passwords in PKCS#8 and PKCS#12 files. I plan to propose an update to the PKCS#5, PKCS#12 documents mandating UTF-8 and requiring the RFC7613 OpaqueString profile. I'm interested on openssl developers opinion on the

[openssl.org #569] OpenSSL reduced size - suppress PKCS #12 code generation

2014-06-28 Thread Rich Salz via RT
Not a project goal, but still neat work.

Connect to IIS 5.0 with Personal Information Exchange - PKCS#12 (.PFX) certificate

2000-04-17 Thread Andriy Kornatskyy
I am trying to connect to IIS 5.0 with Personal Information Exchange - PKCS#12 (.PFX) certificate. The server returned message 'The client certificate is untrusted or corrupt'. IIS 5.0 server is tuned as require user certificate. Certificate I passed to the server is registered ther

[openssl.org #1496] PKCS#12 export with empty password produces incorrect encoding of MacData

2007-03-01 Thread via RT
openssl pkcs12 -export -in _.pem -nodes -out _.p12 generates PFX DER data with MacData in which empty password is used incorrectly, violating following quote from Chapter B, section B.2, item 3 of PKCS#12 standard [1]: "Note that if the password is the empty string, then so

[openssl-dev] [openssl.org #4588] pkcs12 -info doesn't handle PKCS#12 files with PKCS#5 v2.0 PBE

2016-06-24 Thread Hubert Kario via RT
I can't list PKCS#12 file information when it is encrypted with AES-256-CBC with PKCS#5 v2.0 PBE openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch openssl pkcs12 -export -out bundle.p12 -in localhost.key -nocerts -passout pass: -name s

[openssl-dev] [openssl.org #4588] pkcs12 -info doesn't handle PKCS#12 files with PKCS#5 v2.0 PBE

2016-07-19 Thread Stephen Henson via RT
Thanks for the report, fixed now in master and 1.0.2. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4588 Please log in as guest with password guest if

[openssl.org #1497] Issue: PKCS#12 export with empty password produces incorrect encoding of MacData in PFX object

2007-03-02 Thread Andrey Jivsov via RT
openssl pkcs12 -export -in _.pem -nodes -out _.p12 generates PFX DER data with MacData in which empty password is used incorrectly, violating following quote from Chapter B, section B.2, item 3 of PKCS#12 standard [1]: "Note that if the password is the empty string, then so is P."

[openssl.org #1497] Issue: PKCS#12 export with empty password produces incorrect encoding of MacData in PFX object

2007-03-02 Thread Stephen Henson via RT
> [EMAIL PROTECTED] - Fri Mar 02 09:58:13 2007]: > > openssl pkcs12 -export -in _.pem -nodes -out _.p12 > > generates PFX DER data with MacData in which empty password is used > incorrectly, violating following quote from Chapter B, section B.2, item > 3 of PKCS#12 sta

Re: [openssl.org #1497] Issue: PKCS#12 export with empty password produces incorrect encoding of MacData in PFX object

2007-03-02 Thread Andrey Jivsov
Stephen Henson via RT wrote: [EMAIL PROTECTED] - Fri Mar 02 09:58:13 2007]: openssl pkcs12 -export -in _.pem -nodes -out _.p12 generates PFX DER data with MacData in which empty password is used incorrectly, violating following quote from Chapter B, section B.2, item 3 of PKCS#12

[openssl-dev] [openssl.org #1497] Issue: PKCS#12 export with empty password produces incorrect encoding of MacData in PFX object

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem with current releases. -- Rich Salz, OpenSSL dev team; rs...@openssl.org

[openssl-dev] pkcs12 settings, Was: Re: [openssl.org #4588] pkcs12 -info doesn't handle PKCS#12 files with PKCS#5 v2.0 PBE

2016-07-19 Thread Hubert Kario
On Tuesday, 19 July 2016 12:07:33 CEST Stephen Henson via RT wrote: > Thanks for the report, fixed now in master and 1.0.2. > > Steve. Thanks! I have few questions now though: I've noticed that 1.0.2 uses sha1 hmac for the PRF while the master uses sha256 is there a way to set this? also, is

Re: [openssl-dev] pkcs12 settings, Was: Re: [openssl.org #4588] pkcs12 -info doesn't handle PKCS#12 files with PKCS#5 v2.0 PBE

2016-07-19 Thread Dr. Stephen Henson
On Tue, Jul 19, 2016, Hubert Kario wrote: > I have few questions now though: > > I've noticed that 1.0.2 uses sha1 hmac for the PRF while the master > uses sha256 > > is there a way to set this? > Not currently no (at least not from the command line, maybe by delving into the pkcs12 internals)

Re: [openssl-dev] pkcs12 settings, Was: Re: [openssl.org #4588] pkcs12 -info doesn't handle PKCS#12 files with PKCS#5 v2.0 PBE

2016-07-20 Thread Hubert Kario
onding to the MAC though. something like this? https://github.com/openssl/openssl/pull/1334 the small problem is that this prints: MAC algorithm: sha1, I'm not sure how correct is that (haven't read the PKCS#12 standard) -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Se