[openssl-users] C++ : Extracting CRL from a PKCS12

Richard Stanek richard.stanek at rockwellcollins.com
Mon Nov 14 20:38:44 UTC 2016

Thanks for looking at this.  I was insisting that nobody (in practice)
puts CRLs inside of a PKCS12.  Nobody does that...  I could find no
evidence that this is ever done, nor was there any support for this
deviant behavior.  ;-)

I was handed a specification to implement that had CRLs inside of
PKCS12.  From the beginning, I doubted the writers of that
specification knew what they were doing.  And I expect that they don't
have any test data, either.

Over the last few days, I had been doing exactly what you suggested,
a messy manual parsing process.  I have achieved success in building a
PKCS12 with CRLs and success in parsing that PKCS12.

Again, thanks for looking at this and validating what I have been
thinking and feeling about putting CRLs into PKCS12s.

On Mon, Nov 14, 2016 at 2:11 PM, Dr. Stephen Henson <steve at openssl.org> wrote:
> On Wed, Nov 02, 2016, Richard Stanek wrote:
>> My original requirements were to extract the user certificate, the
>> private key, and the CAs.  For that I was using the call to
>> PKCS12_parse(...).  This satisfied the original requirements.  Very
>> easy to find, understand, and use.
>> The new requirements that I have are that I also need to extract a CRL
>> from that PKCS12.  I see that there is a CRLBag defined in the IETF
>> RFC 7292 PKCS12 Standard (https://tools.ietf.org/html/rfc7292), so I
>> know a CRL could exist inside a PKCS12.  I can't seem to find any API
>> or C++ examples that extract a CRL from a PKCS12.
>> Is there an API, example code, or advice on how to extract a CRL from a PKCS12?
> I've never come across a PKCS#12 file containing a CRL before: would it be
> possible to send me a sample which obviously doesn't contain any important
> private keys.
> To answer your question, yes it should be possible but it is messy. You
> need to parse the PKCS#12 file manually (see source to PKCS12_parse). In
> the function parse_bag you add an extra case for NID_crlBag and call
> PKCS12_SAFEBAG_get1_crl() on the bag, you should then get back an X509_CRL
> pointer or NULL on error.
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
