
Re: [iaik-jce] Possible error encoding PKCS12?

I have tried your sample program to convert a self-signed cert from KeyAndCertificate to PKCS#12 and subsequently had no problems importing it into IE.
IAIK-PKCS12 has been successfully tested with Netscape 4.05, 4.5. On the MSIE side this version has been tested against IE 4.0 with SP3 and SP4 on Windows NT.
Does the problem you described occur with any certificate you tested? If not, perhaps the certificate includes some information (e.g. some AVA - e.g. commonName, organizationName, ... - of too long size) which cannot be handled by Netscape/IE.
The Data OCTET STRING encoding uses the indefinite constructed BER encoding method instead of definite primitive. For that reason the OCTET STRING is "composed" of several OCTET STRING components, each of them definite primitive encoded. This usually is used for handling large amounts of data, but also sometimes preferred for small data volumes.
Dieter Bratko
----- Original Message -----
From: Andy Dowling
To: iaik-jce@iaik.tu-graz.ac.at
Sent: Thursday, August 19, 1999 7:40 PM
Subject: [iaik-jce] Possible error encoding PKCS12?

Hi folks,
I've put together a quick conversion program that loads a KeyAndCertificate instance from a DER file,
decrypts and extracts the key + certs, and puts them into a PKCS12 object.
However, I'm having trouble importing the P12 file into IE/Netscape. The password seems to decrypt fine,
but I get an "invalid input data" once I try to import it.
The source is listed below, along with an ASN.1 dump of the resulting .P12 file.
I'm new to PKCS definitions, but it looks like the PKCS#7 "Data" type is not encoded correctly in this case???
Any help would be greatly appreciated.
Andy Dowling

import java.io.*;
import java.security.*;
import iaik.pkcs.*;
import iaik.pkcs.pkcs12.*;
import iaik.x509.X509Certificate;
import iaik.utils.KeyAndCertificate;
import iaik.security.provider.IAIK;
public class PKCS12Create {
  public static void main (String args[]) {
    if ( (args == null) || (args.length != 3)) {
         System.out.println ("Usage: PKCS12Create <key+cert> <passwd> <PKCS12-out>");
         System.exit (-1);
    }
    try {
      Security.addProvider (new IAIK());
      // Load the Key+Cert file, decrypt the private key and extract the certs
      KeyAndCertificate keyCert = new KeyAndCertificate (args[0]);
      System.out.println ("Loading KeyAndCertificate from: " + args[0]);
      if (keyCert.isEncrypted())
          keyCert.decrypt (args[1].toCharArray());
      X509Certificate[] certs = keyCert.getCertificateChain();
      PrivateKey        privateKey = keyCert.getPrivateKey();
      System.out.println ("Decrypted key. Got Certs.");
      // Create the appropriate CertificateBag and KeyBag instances, and
      // populate with the certs and keys
      byte[] keyId = new byte[] {0x01, 0x02, 0x03, 0x04};
      String friendlyName = "Andys ID";
      KeyBag keyBag = new KeyBag(privateKey, friendlyName, keyId);
      CertificateBag[] certBags = new CertificateBag[1];
      certBags[0] = new CertificateBag(certs[0]);
      PKCS12 test_write = new PKCS12(keyBag, certBags, false);
      System.out.println ("Created PKCS12 Object");
      System.out.println ("Encrypted key again. Writing to file...");
      OutputStream os = new FileOutputStream(args[2]);
      System.out.println ("Done.");
      System.out.println ("PKCS12:" + test_write + "\n");
    } catch (Exception ex) {
      throw new RuntimeException();
    }
  }
}

SEQUENCE[C][I] = 3 elements
  SEQUENCE[C][I] = 2 elements
    OBJECT ID = PKCS#7 data
      OCTET STRING[C][I] = 2 elements                      <<OCTET STRING OF 2 ELEMENTS???>
        OCTET STRING = 1024 bytes: 30:80:30:80:06...
        OCTET STRING = 437 bytes: 1B:2D:E9:77:D1...
  SEQUENCE[C] = 2 elements
    SEQUENCE[C] = 2 elements
      SEQUENCE[C] = 2 elements
        OBJECT ID =
        NULL = null
      OCTET STRING = 20 bytes: 04:63:DE:9F:F0...
    OCTET STRING = 8 bytes: 88:B1:83:40:49...
---END ASN.1 DUMP---
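
The reply explains that the two-element OCTET STRING in the dump is an indefinite-length constructed BER encoding made of definite primitive segments. The following is an added example, not code from this thread or from IAIK-JCE: it reads either form of OCTET STRING, joins the segments, and re-encodes the result as a single definite primitive value. All names are hypothetical and the sample bytes are constructed to match the segment sizes in the dump.

```python
# Added example: sample bytes below are constructed, not taken from the poster's file.

def read_header(buf, pos):
    """Parse tag and length octets at buf[pos]; length None means indefinite."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                      # indefinite: content ends at 00 00
        return tag, None, pos
    if first < 0x80:                       # short definite form
        return tag, first, pos
    n = first & 0x7F                       # long definite form
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def octet_string_content(buf, pos=0):
    """Return (content, end offset) of the BER OCTET STRING starting at buf[pos]."""
    tag, length, pos = read_header(buf, pos)
    if tag == 0x04:                        # primitive: must be definite length
        if length is None or pos + length > len(buf):
            raise ValueError("bad primitive OCTET STRING")
        return bytes(buf[pos:pos + length]), pos + length
    if tag != 0x24:                        # 0x24 = constructed OCTET STRING
        raise ValueError("not an OCTET STRING: tag 0x%02x" % tag)
    end = None if length is None else pos + length
    parts = []
    while end is None or pos < end:
        if pos + 2 > len(buf):
            raise ValueError("truncated constructed OCTET STRING")
        if end is None and buf[pos:pos + 2] == b"\x00\x00":
            return b"".join(parts), pos + 2   # end-of-contents octets
        part, pos = octet_string_content(buf, pos)
        parts.append(part)
    return b"".join(parts), pos

def der_octet_string(content):
    """Encode content as one definite-length primitive OCTET STRING."""
    n = len(content)
    if n < 0x80:
        return bytes([0x04, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x04, 0x80 | len(size)]) + size + content

# Constructed sample shaped like the dump: indefinite constructed, 1024 + 437 bytes.
SEG1, SEG2 = bytes(range(256)) * 4, b"\xaa" * 437
SAMPLE = b"\x24\x80" + der_octet_string(SEG1) + der_octet_string(SEG2) + b"\x00\x00"

if __name__ == "__main__":
    content, end = octet_string_content(SAMPLE)
    print(len(content), end == len(SAMPLE), der_octet_string(content)[:4].hex())
```

Both encodings carry the same 1461 content bytes; a parser that only accepts the definite primitive form will reject the first one even though it is valid BER.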