Ori Yosefi wrote:
>
> Hello all,
>
> I've been unsuccessfully trying to read an IIS 5 backup file with the
> eventual purpose of converting it into PEM format.
>
> When I try to read the file using "openssl pkcs12 -in <filename>
> -nokeys" everything works fine and I can get the certificate.
>
> If I try to do "openssl pkcs12 -in <filename> -nocerts" openssl crashes.
>
> I've tried doing it with both openssl 0.9.5a and 0.9.6 on NT and with
> openssl 0.9.5a on Solaris and both fail.
>
> I think that the problem occurs when trying to parse the localKeyID
> attribute, although I can't be sure.
>
> Another observation that I have made is that when I use IIS backup files
> (Microsoft claims that they are PKCS#12 but their extension is .pfx) I
> have this problem. When I get keys exported from W2K's Certificate
> Manager (which has the extension .p12) openssl works fine with both key
> and certs.
>
> I have tried to go over the FAQ and look through the mailing list but
> could not find anything.
>
> Any idea?
>
The problem is with one of the extra attributes MS seems compelled to
add to its PKCS#12 files. The one in question is a BMPString (Unicode
string) but it has length zero which OpenSSL didn't handle properly.
Anyway the fix is simple enough. In crypto/pkcs12/p12_utl.c about line
86:
if (uni[unilen - 1]) asclen++;
should be changed to
if (!unilen || uni[unilen - 1]) asclen++;
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
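As an added illustration of the bug Steve describes (this is example code written for this page, not OpenSSL's p12_utl.c), the block below converts the content octets of a DER BMPString to ASCII the way a PKCS#12 friendlyName/localKeyID reader would, with the "empty string" case handled. The function names bmp_to_ascii, parse_bmpstring and decodes_to are this example's own, the sample attribute values are constructed rather than taken from a real .pfx, and the DER parser is deliberately limited to short-form lengths:

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Convert the content octets of a DER BMPString (big-endian UCS-2) to a
 * NUL-terminated ASCII string. Returns a malloc'd buffer, or NULL on
 * allocation failure or an odd input length. */
char *bmp_to_ascii(const unsigned char *uni, size_t unilen)
{
    size_t asclen, i;
    char *asc;

    if (unilen % 2 != 0)          /* UCS-2 code units are two octets each */
        return NULL;
    asclen = unilen / 2;
    /* If the string does not end in a NUL code unit, reserve room for the
     * C terminator. The "unilen == 0" test is the point of the fix quoted
     * above: without it an empty string evaluates uni[unilen - 1], that is
     * uni[-1], an out-of-bounds read, and asclen stays 0 so the terminator
     * store at the bottom writes to asc[(size_t)-1]. */
    if (unilen == 0 || uni[unilen - 1] != 0)
        asclen++;
    asc = malloc(asclen);
    if (asc == NULL)
        return NULL;
    /* keep the low octet of each code unit; the high octet is dropped, so
     * only characters in the ASCII range survive this conversion */
    for (i = 0; i + 1 < unilen; i += 2)
        asc[i / 2] = (char)uni[i + 1];
    asc[asclen - 1] = '\0';
    return asc;
}

/* Parse one DER-encoded BMPString (tag 0x1E) with a short-form length and
 * return a pointer to its content octets. Returns 0 on success, -1 on
 * malformed input. Long-form lengths (128 octets or more) are rejected;
 * that is a simplification of this example, not a DER rule. */
int parse_bmpstring(const unsigned char *der, size_t derlen,
                    const unsigned char **content, size_t *contentlen)
{
    if (derlen < 2 || der[0] != 0x1E || der[1] >= 0x80)
        return -1;
    if (derlen != 2 + (size_t)der[1])   /* truncated or trailing bytes */
        return -1;
    *content = der + 2;
    *contentlen = der[1];
    return 0;
}

/* Decode a DER BMPString and compare it with an expected ASCII string.
 * Returns 1 on a match, 0 on malformed input or a mismatch. */
int decodes_to(const unsigned char *der, size_t derlen, const char *expected)
{
    const unsigned char *content;
    size_t contentlen;
    char *asc;
    int match;

    if (parse_bmpstring(der, derlen, &content, &contentlen) != 0)
        return 0;
    asc = bmp_to_ascii(content, contentlen);
    if (asc == NULL)
        return 0;
    match = strcmp(asc, expected) == 0;
    free(asc);
    return match;
}

int main(void)
{
    /* constructed attribute values, not taken from any real .pfx file */
    static const unsigned char empty[] = { 0x1E, 0x00 };   /* the zero-length case */
    static const unsigned char foo[] = { 0x1E, 0x06, 0x00, 0x66, 0x00, 0x6F, 0x00, 0x6F };
    static const unsigned char foo_nul[] = { 0x1E, 0x08, 0x00, 0x66, 0x00, 0x6F,
                                             0x00, 0x6F, 0x00, 0x00 };

    printf("empty   -> %d\n", decodes_to(empty, sizeof empty, ""));
    printf("foo     -> %d\n", decodes_to(foo, sizeof foo, "foo"));
    printf("foo+NUL -> %d\n", decodes_to(foo_nul, sizeof foo_nul, "foo"));
    return 0;
}
```

The zero-length input is the one to keep in mind when reviewing this kind of converter: any "look at the last element" check must be guarded by a length test first, and the same guard is what guarantees the output buffer is at least one byte long before the terminator is stored.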