Bugs item #7218, was opened at 2006-12-11 17:55
You can respond by visiting: 
http://rubyforge.org/tracker/?func=detail&atid=1698&aid=7218&group_id=426

Category: Crypto / Digest / Compression
Group: 1.8.x
Status: Open
Resolution: None
Priority: 3
Submitted By: Romek Szczesniak (romek)
Assigned to: Nobody (None)
Summary: OpenSSL library not updated with new PKCS #12 features

Initial Comment:
OpenSSL changed its PKCS #12 library in May 2004 to handle the following:

openssl pkcs12 -in privkey.pem -out out.p12 -export -nocerts

However, as the Ruby OpenSSL library hasn't mirrored this, example code of PKCS #12 handling:

require "openssl"

pkey = OpenSSL::PKey::RSA.new(File.read("privkey.pem"))
#pkey = OpenSSL::PKey::RSA.new(512)
cert = OpenSSL::X509::Certificate.new
cert.version = 1
cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/C=FOO")
cert.public_key = pkey.public_key
cert.not_before = Time.now
cert.not_after = Time.now+3600*24*365
cert.sign(pkey, OpenSSL::Digest::SHA1.new)
#p12 = OpenSSL::PKCS12.create("passwd", "Test User", pkey, OpenSSL::X509::Certificate.new)
p12 = OpenSSL::PKCS12.create("passwd", "Joe Fish", pkey, nil)
print "Done!" # p12.to_der

If OpenSSL::PKCS12.create has last argument nil or empty string, then the compiler complains that the object is not an OpenSSL::X509::Certificate.
If OpenSSL::PKCS12.create has last argument OpenSSL::X509::Certificate.new, then the compiler bus errors.

PKCS #12 defines (at least) six different types of key transport mechanisms. Currently, the Ruby OpenSSL implementation is only supporting the most used.


----------------------------------------------------------------------

>Comment By: Romek Szczesniak (romek)
Date: 2007-05-30 01:04

Message:
Firstly, there is no bug in my code. I am fully aware of the
definition provided in PKCS #12 and what is meant to happen.

This is developed with the idea of implementing one of PKCS
#12's six key transport mechanisms. The aim is to transfer
keys only without certificates.

However, OpenSSL currently does not support it. I will be
contacting Stephen Henson and Richard Levitte shortly about
this via the openssl-users mailing list. 

Please note that OpenSSL PKCS#12 is currently aimed
primarily at certificate transfer and not other key
transport mechanisms.

----------------------------------------------------------------------

Comment By: Technorama Ltd. (technorama)
Date: 2007-04-04 22:00

Message:
There is a bug in your code.

p12 = OpenSSL::PKCS12.create("passwd", "Joe Fish", pkey, nil)

should be

p12 = OpenSSL::PKCS12.create("passwd", "Joe Fish", pkey, cert)

However, there are some OpenSSL bugs.

Passing a blank certificate to OpenSSL will cause a crash or hang if the public_key isn't set.  If you don't set not_before and not_after you can create the PKCS12 object and save it in DER format, but you won't be able to load it again.


----------------------------------------------------------------------
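
Added example, not part of the original thread or of the Ruby OpenSSL library's own code: a guard around OpenSSL::PKCS12.create that rejects the certificate states discussed above (nil, blank, or missing validity dates) and confirms that the exported DER loads again. The helper names safe_pkcs12, sample_cert and round_trip, the 2048-bit key and the SHA256 digest are assumptions chosen for illustration.

```ruby
require "openssl"

# Hypothetical helper: refuse certificates missing the fields the thread
# identifies as dangerous before handing them to OpenSSL::PKCS12.create.
def safe_pkcs12(pass, name, pkey, cert)
  raise ArgumentError, "certificate required" unless cert.is_a?(OpenSSL::X509::Certificate)

  missing = %i[public_key not_before not_after].select do |field|
    begin
      cert.public_send(field).nil?
    rescue OpenSSL::OpenSSLError
      true # an unset field may raise instead of returning nil
    end
  end
  raise ArgumentError, "certificate lacks #{missing.join(', ')}" unless missing.empty?
  raise ArgumentError, "certificate does not match key" unless cert.check_private_key(pkey)

  OpenSSL::PKCS12.create(pass, name, pkey, cert)
end

# Constructed sample: a throwaway self-signed certificate with every
# field set that the guard above checks.
def sample_cert(pkey)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=Joe Fish")
  cert.public_key = pkey.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600 * 24 * 365
  cert.sign(pkey, OpenSSL::Digest.new("SHA256"))
  cert
end

# Export to DER and load it back, returning the restored PKCS12 object.
def round_trip(pass, pkey, cert)
  der = safe_pkcs12(pass, "Joe Fish", pkey, cert).to_der
  OpenSSL::PKCS12.new(der, pass)
end
```

The guard raises ArgumentError in Ruby before OpenSSL is called, so a nil or blank certificate never reaches the native PKCS12_create code path.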
