[Pkg-openssl-devel] Bug#616352: openssl pkcs12 emits and requires DER-encoded data; man page says PEM-encoded

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 3 17:55:44 UTC 2011


Package: openssl
Version: 0.9.8o-5
Severity: normal

pkcs12(1ssl) says:

       -out filename
           The filename to write certificates and private keys to, standard
           output by default.  They are all written in PEM format.

       -in filename
           The filename to read certificates and private keys from, standard
           input by default.  They must all be in PEM format. The order
           doesn't matter but one private key and its corresponding
           certificate should be present. If additional certificates are
           present they will also be included in the PKCS#12 file.


However, the emitted data appears to be DER-encoded, and it is only
able to actually read DER-encoded data.

Attached are two versions of the same PKCS#12 blob (it's a testing
key, don't worry about exposing it) with the passphrase "abc123".  One
is PEM-encoded.  The other is DER-encoded.

I created the DER-encoded key from the PEM-encoded key with:

  grep -v ^- < alice.p12.pem | base64 -d > alice.p12.der

You can see that this succeeds:

 openssl pkcs12 -passin pass:abc123 -nodes < alice.p12.der

but this fails:

 openssl pkcs12 -passin pass:abc123 -nodes < alice.p12.pem

Ideally, i'd like to see openssl pkcs12 be able to handle both PEM and
DER encodings.

But at the very least, the documentation should be corrected.

Feel free to forward this upstream if you think it'd be useful.

Thanks for maintaining OpenSSL in debian!

    --dkg

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libssl0.9.8             0.9.8o-5         SSL shared libraries
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates            20090814+nmu2 Common CA certificates

-- Configuration Files:
/etc/ssl/openssl.cnf changed [not included]

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alice.p12.der
Type: application/octet-stream
Size: 1686 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20110303/695dd3ca/attachment.obj>
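
A wrapper around the workaround in the report above, as an added example that is not part of the original message or of OpenSSL: it classifies a PKCS#12 file as PEM-armoured or DER and normalises it to DER before it reaches `openssl pkcs12`. The function names `p12_encoding` and `p12_to_der` are hypothetical, and the DER check is a first-byte heuristic, not an ASN.1 parse.

```shell
#!/bin/sh
# Added example (not from the bug report): normalise a PKCS#12 file to DER.
# Function names are hypothetical.

# Print "pem", "der" or "unknown" for the file named in $1.
p12_encoding() {
    # PEM is tested first: 0x30 is also ASCII "0", so free text in front of
    # the armour could otherwise be mistaken for DER.
    if LC_ALL=C grep -q '^-----BEGIN PKCS12-----' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        # A DER-encoded PFX starts with an ASN.1 SEQUENCE tag (0x30).
        echo der
    else
        echo unknown
    fi
}

# Write the DER form of $1 to $2. Returns non-zero on unrecognised input so
# a caller never hands arbitrary bytes to the PKCS#12 parser.
p12_to_der() {
    case "$(p12_encoding "$1")" in
        pem)
            # Same idea as the report's "grep -v ^- | base64 -d", limited to
            # the armoured block and tolerant of CRLF line endings.
            sed -n '/^-----BEGIN PKCS12-----/,/^-----END PKCS12-----/p' "$1" \
                | grep -v '^-' | tr -d '\r' | base64 -d > "$2"
            ;;
        der)
            cp -- "$1" "$2"
            ;;
        *)
            echo "p12_to_der: $1: neither PEM-armoured nor DER PKCS#12" >&2
            return 1
            ;;
    esac
}

# Usage with the file names and passphrase from the report:
#   p12_to_der alice.p12.pem alice.p12.der &&
#       openssl pkcs12 -passin pass:abc123 -nodes < alice.p12.der
```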