diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2001-03-18 02:11:42 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-03-18 02:11:42 +0000 |
commit | 02ee8626fbf52c6b1cd7ce2508369f59eda701e9 (patch) | |
tree | cc2a7d328d87453b5b17c7b48fe532fbae1558b0 /doc | |
parent | 6276e5b41b571706cd6a47437250ae429fb91d69 (diff) |
Fix PKCS#12 key generation bug.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/apps/pkcs12.pod | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod index c4009998b8..7e0307dda0 100644 --- a/doc/apps/pkcs12.pod +++ b/doc/apps/pkcs12.pod @@ -304,6 +304,26 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (MSIE or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. + +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the B<pkcs12> utility will report that the MAC is OK but fail with a decryption +error when extracting private keys. + +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: + + old-openssl -in bad.p12 -out keycerts.pem + openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + =head1 SEE ALSO L<pkcs8(1)|pkcs8(1)> |