[openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?
Tobias Dussa (SCC)
tobias.dussa at kit.edu
Tue Feb 20 16:33:38 UTC 2018
On Wed, Feb 21, 2018 at 01:04:17AM +0900, Frank Migge wrote:
> >> the question remains: Is there a way to reuse an already-encrypted privkey?
> I'd say yes it *could* work, but not with OpenSSL API functions. You'd
> have to roll your own code for the PKCS12 creation.
> OpenSSL's PKCS12_create() function expects an unencrypted EVP_PKEY
> object. But, internally, that key is turned into an encrypted PKCS8
> structure, as expected by the PKCS8ShroudedKeyBag type defined in RFC-7292.
That's about what I thought I figured out, yeah. :)
> That's why I think it may be possible to experiment and modify code such
> as in crypto/pkcs12/p12_crt.c, trying to pass-through that already
> encrypted PKCS8 key "as-is" straight into the pkcs8ShroudedKeyBag
> object. If your key is a file in PEM format, you'd need to get that into
> an internal structure first (more coding), I don't think there is a
> simple API import (without decryption).
> If you manage to successfully build that PKCS12, you'd run into trouble
> for decoding, which probably fails for all known software. They all
> expect to be able to read the private key, when in your case it needs
> saving to a file somewhere for further handling, or for entering that
> second key-specific password. You'd again have to code your own PKCS12
> unpack program, just for this specific use case.
> I may be wrong but to me it looks doable, just a *lot* of work.
... and that, unfortunately, is about what I concluded as well. Bummer. ;-)
But thanks a lot for your thoughts (also to Jakob and Viktor)! :)
To the systems programmer, users and applications serve only to provide
a test load.
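As an added illustration of the point Frank makes above (this is not code from the thread or from OpenSSL), the following script shows the standard path with the openssl CLI: the encrypted PEM key must be opened with its own password (-passin) so PKCS12_create() gets a plaintext EVP_PKEY, and the key is then re-wrapped as a pkcs8ShroudedKeyBag under the separate PKCS#12 password. It assumes the openssl command is on PATH; the key and passwords are constructed demo values.

```shell
#!/bin/sh
# Added demo: the PEM key password is only used to decrypt the input; the
# resulting PKCS#12 carries the key re-encrypted under the P12 password.
set -e

build_p12_from_encrypted_pem() {
    # $1 = scratch directory; passwords below are constructed demo values
    dir=$1
    keypw=pem-secret
    p12pw=p12-secret
    # Self-signed cert plus an encrypted PEM private key (the thread's input)
    openssl req -x509 -newkey rsa:2048 -days 1 -subj /CN=demo \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -passout "pass:$keypw" 2>/dev/null
    # -passin is mandatory: PKCS12_create() needs the unencrypted EVP_PKEY
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passin "pass:$keypw" -passout "pass:$p12pw" -out "$dir/out.p12"
    # -info reports the bag type written (on stderr); count the shrouded keybags
    openssl pkcs12 -in "$dir/out.p12" -info -noout -passin "pass:$p12pw" 2>&1 \
        | grep -c "Shrouded Keybag"
}

pem_password_opens_p12() {
    # The original PEM password is not retained: the P12 MAC check must fail
    if openssl pkcs12 -in "$1/out.p12" -noout -passin pass:pem-secret \
        >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}
```

Running build_p12_from_encrypted_pem on a temp directory prints 1 (one shrouded keybag), and pem_password_opens_p12 on the same directory prints no.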