[openssl-users] Combining certificate and key in PEM format into a P12 file without knowing the key password?

Tobias Dussa (SCC) tobias.dussa at kit.edu
Tue Feb 20 16:33:38 UTC 2018


On Wed, Feb 21, 2018 at 01:04:17AM +0900, Frank Migge wrote:
> >> the question remains: Is there a way to reuse an already-encrypted privkey?
> I'd say yes it *could* work, but not with OpenSSL API functions. You'd
> have to roll your own code for the PKCS12 creation.
> OpenSSL's PKCS12_create() function expects an unencrypted EVP_PKEY
> object.  But, internally, that key is turned into an encrypted PKCS8
> structure, as expected by the PKCS8ShroudedKeyBag type defined in RFC-7292.

That's about what I thought I figured out, yeah. :)

> That's why I think it may be possible to experiment and modify code such
> as in crypto/pkcs12/p12_crt.c, trying to pass-through that already
> encrypted PKCS8 key "as-is" straight into the pkcs8ShroudedKeyBag
> object. If your key is a file in PEM format, you'd need to get that into
> an internal structure first (more coding), I don't think there is a
> simple API import (without decryption).
> If you manage to successfully build that PKCS12, you'd run into trouble
> for decoding, which probably fails for all known software. They all
> expect to be able to read the private key, when in your case it needs
> saving to a file somewhere for further handling, or for entering that
> second key-specific password.  You'd again have to code your own PKCS12
> unpack program, just for this specific use case.
> I may be wrong but to me it looks doable, just a *lot* of work.

... and that, unfortunately, is about what I concluded as well. Bummer. ;-)

But thanks a lot for your thoughts (also to Jakob and Viktor)! :)

To the systems programmer, users and applications serve only to provide
a test load.  
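The flow the thread describes, as an added example that is not part of the original message or of OpenSSL's own code: the key passphrase has to be presented once so the CLI (via PKCS12_create()) can get the plaintext key, and the bundle then protects the key under the export passphrase only. It assumes a working `openssl` binary in PATH; all file names and passphrases are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a PKCS#12 from a PEM certificate
# and an encrypted PEM key with the openssl CLI, then checks which passphrase
# protects the key inside the bundle. Assumes a working `openssl` in PATH;
# every file name and passphrase below is constructed for this demo.
set -e

build_p12() {
    dir=$(mktemp -d)
    keypw="old-key-pw"        # passphrase on the PEM private key (constructed)
    exportpw="p12-export-pw"  # passphrase protecting the PKCS#12 (constructed)

    # Encrypted PEM key and a self-signed certificate for it.
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=demo" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -passout pass:"$keypw" 2>/dev/null

    # PKCS12_create() needs the plaintext key, so the key passphrase must be
    # supplied here; the key is then re-encrypted under the export passphrase
    # inside a PKCS8ShroudedKeyBag.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -passin pass:"$keypw" -passout pass:"$exportpw" \
        -out "$dir/bundle.p12" 2>/dev/null

    # Check 1: the original key passphrase does not open the bundle.
    if openssl pkcs12 -in "$dir/bundle.p12" -nocerts -nodes \
        -passin pass:"$keypw" -out /dev/null 2>/dev/null; then
        echo "old key passphrase unexpectedly opened the PKCS#12"
        return 1
    fi

    # Check 2: the export passphrase alone recovers the private key.
    openssl pkcs12 -in "$dir/bundle.p12" -nocerts -nodes \
        -passin pass:"$exportpw" -out "$dir/key-out.pem" 2>/dev/null
    grep -q "PRIVATE KEY" "$dir/key-out.pem"

    rm -rf "$dir"
    echo ok
}
```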