Claus Jørgensen wrote:
I'm wondering if anyone could enlighten me on why the PKCS#12 exported
certificate from Firefox under Ubuntu isn't identical to the certificate
that I can generate from OpenSSL like this:
$ openssl pkcs12 -in yourCertificate.p12 -out yourCertificate.pem
$ openssl pkcs12 -export -in yourCertificate.pem -out youCertificateFixed.p12
Does the NSS implementation of ASN.1 differ from the OpenSSL implementation,
or why wouldn't the results be identical?
The reason is the difference in length, where the original PKCS#12
exported from Firefox isn't compatible with Mono.
Two things I've noticed in my experience with exporting PKCS#12s. First,
if Firefox has access to the full chain, it will include it in the
PKCS#12 so you may be getting more certs than doing it by hand via
openssl. Second, there is no one way to "build" a PKCS#12 (P12) file.
There are 6 different types of bags you can toss into the P12 container
however you like along with optional encryption and integrity protection
(with two different ways to do each of those). Most likely the Mono
implementation is just missing some cases. This is a nice quote from
the spec to show what you have ahead of you: "It is somewhat clear from
the ASN.1 how to make a number of instances of SafeContents, each
containing a number of (possibly nested) instances of SafeBag." Since
Mono is closer to Java, you can take a cue from JSS and see how they
parse a PKCS#12 file to gain some insight.
Main method for JSS's PFX class:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs12/PFX.java#332
The spec:
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
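To make Dave's two points concrete, here is an added shell example (not from the thread or from any of the projects mentioned): it builds two PKCS#12 files from the same key and certificate, one with the issuer chain and one without, then counts the certificates each yields and dumps the bag types and algorithms with `openssl pkcs12 -info`. It assumes only a working `openssl` binary; the CA, end-entity certificate and password are throwaway values constructed inside the script.

```shell
#!/bin/sh
# Added example: same key/cert packed into two different PKCS#12 containers.
# Everything below is generated on the fly; nothing is taken from a real deployment.
set -e

WORK=$(mktemp -d)
PASS=pass:demo   # constructed throwaway password for the demo containers

# Throwaway CA and end-entity certificate (constructed for this demo only)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo user" \
    -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/ee.pem" 2>/dev/null

# Container 1: end-entity cert and key only (what a by-hand export gives you)
openssl pkcs12 -export -in "$WORK/ee.pem" -inkey "$WORK/ee.key" \
    -passout "$PASS" -out "$WORK/alone.p12"
# Container 2: the same material plus the issuer chain (what Firefox does when it has it)
openssl pkcs12 -export -in "$WORK/ee.pem" -inkey "$WORK/ee.key" \
    -certfile "$WORK/ca.pem" -passout "$PASS" -out "$WORK/chain.p12"

# Number of certificates a consumer would have to parse out of the file
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Bag structure, encryption and MAC parameters, without printing any key material
# (openssl writes the -info lines to stderr, hence the redirect)
p12_structure() {
    openssl pkcs12 -in "$1" -passin "$PASS" -info -noout 2>&1
}

echo "alone.p12: $(p12_cert_count "$WORK/alone.p12") cert(s), $(wc -c < "$WORK/alone.p12") bytes"
echo "chain.p12: $(p12_cert_count "$WORK/chain.p12") cert(s), $(wc -c < "$WORK/chain.p12") bytes"
echo "--- structure of chain.p12 ---"
p12_structure "$WORK/chain.p12"
```

Run the structure dump against a Firefox-exported file and a re-exported one side by side and the differing bag types, PBE algorithms and MAC parameters show exactly where an incomplete parser gives up.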