Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Manage multiple RSA keys/certs in a PKCS#12 structure

Tags:

c

openssl

rsa

pkcs#12

libssl

I try to manage in a C library multiple RSA keys and certificates in a PKCS#12 structure. Managing a single key with the primitives PKCS12_create and PKCS12_parse works fine, but I can't find anything about managing multiple keys. I tried to use the safes and bags primitives but I only succeed to corrupt my PKCS12.

Does OpenSSL's PKCS#12 allow multiple keys and certificates in PKCS#12 structure? If so, then how do I manage multiple keys and certificates using the PKCS#12 API?

Thanks all

like image 530
Yann Delanoe Avatar asked Jun 16 '17 09:06

Yann Delanoe

People also ask

How to export the private key of a PKCS certificate?

In Request Handling, select Allow private key to be exported. Unlike SCEP, with PKCS the certificate private key is generated on the server where the certificate connector is installed and not on the device.

How do I get a stand alone private key from pkcs12?

Some software requires a stand alone private key instead of a keystore for authentication, signing, etc. To extract the private key from a keystore, run the following command: openssl pkcs12 -in keystore.p12 -nocerts -nodes Note that secret keys are not supported with openssl in a pkcs12 keystore.

How to extract a certificate from a pkcs12 keystore using OpenSSL?

To extract a certificate or certificate chain from a PKCS12 keystore using openssl, run the following command: Where -in example.p12 is the keystore and -nokeys means only extract the certificates and not the keys.

How do I SSH to a specific RSA key?

By default, the SSH command will use the default RSA key ~/.ssh/id_rsa. However, we can specify the key using the-i argument with the path of a specific private key. For example, if your private key is called ~/.ssh/aws_vpc1, we can use the following command to instruct SSH to use it.

1 Answers

PKCS#12 is a complicated data structure. All of the operations that PKCS12_parse use are public API, it just tries to simplify the simple case. The entire 245 lines of p12_kiss.c (one presumes Keep It Simple, Stupid) are PKCS12_parse and its (non-public) helper routines.

p12_crt.c is another 291 lines of "man, this file format is complicated", which is just PKCS12_create.

Managing multiple files is easier code, but if you want to take the complexity into your code you can simplify your file operations.

Don't forget to call PKCS12_SAFEBAG_create_pkcs8_encrypt on the private key bags. Your keys aren't encrypted unless you call it, and (IIRC) Apple's PFX reader won't load keys out of unencrypted bags (probably not an intentional decision, they just likely never experienced it).

like image 116
bartonjs Avatar answered Oct 12 '22 23:10

bartonjs
Sign in to Comment

Related questions

Effects of declaring a function as pure or const to GCC, when it isn't
character input error in my C program?
GCC no warning or error when declaring a global variable multiple times [duplicate]
Is it possible to pass a structure variable as a function argument without previously defining it?
Checking support for _Generic() selection in C
short int Integer wrap around / short int inversion in c not understood, difference between assignment and prints
Why is clang 3.8 warning on use of float with %f printf format specifier? [duplicate]
Creating large arrays in C
GCC -O2 and __attribute__((weak))
AVX scalar operations are much faster
Why use integration for a fixed timestep game loop? (Gaffer on Games)
Swift call C call Swift?
Print a wide unicode character with ncurses
Does bidirectional popen() work on Mac OS X in C?
How to assemble a float from two bytes?
structures with functions and python ctypes
How to convert photos to Polaroid-like programmatically?
How to use #include directive correctly?
Strange array initialize expression?
Making a dynamic array that accepts any type in C

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!