Managing multiple RSA keys / certificates in a PKCS#12 framework

I'm trying to manage in a C library multiple RSA keys and certificates in a PKCS#12 framework. Single key management using primitives PKCS12_create and PKCS12_parse works great, but I can't find anything about managing multiple keys. I tried to use primitives for safes and bags, but I only managed to damage PKCS12.

Does OpenSSL PKCS#12 provide multiple keys and certificates in the PKCS#12 framework? If so, how do I manage multiple keys and certificates using the PKCS#12 API?

Thanks everyone

+3




2 answers


Finally I managed to add / parse multiple RSA keys and they get certified to / from the PKCS12 structure / file. My parse function is based on the OpenSSL function parse_pk12 in the file p12_kiss.c. This function seems to only return the last packet. I adapted it to check every friendly name of every package and return the one that matches.



The add function starts by unpacking safes (STACK_OF(PKCS7)) from an existing PKCS12 and then working on those safes to add a new bag of bags to it. Then I create a new PKCS12 using the function PKCS12_add_safes and delete the previous one. Thanks everyone

0




PKCS#12 is a complex data structure. All operations that are used by PKCS12_parse are public API, it is just trying to simplify the simple case. All 245 lines of p12_kiss.c (one assumes Keep It Simple, Stupid) are PKCS12_parse and its (non-public) helper routines.

p12_crt.c is another 291 lines "man, this file format is complex", which is simple PKCS12_create.



Managing multiple files is easier code, but if you want to complicate your code, you can simplify file operations.

Don't forget to call PKCS12_SAFEBAG_create_pkcs8_encrypt in the bags with the secret key. Your keys are not encrypted unless you name it, and the (IIRC) Apple PFX reader will not download keys from unencrypted packets (this may not be an intentional solution, they most likely never experienced it).

+2

