-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extract private key and certificate (PEM) from PKCS#12 archive #9677
Comments
I'm not very familiar with the PKCS#12 ecosystem, but definitely, yes,
is correct. Mbed TLS doesn't aim to implement all of PKCS#12, just the cryptographic part of it, and the goal is to load PKCS#8 encrypted keys. |
Definitely yes, Mbed TLS must be able to extract a private key from a PKCS#12 archive? Is it within the scope of Mbed TLS to extract a certificate (and private key) from a PKCS#12 archive? |
Uh, sorry, we might be talking at cross-purposes. I meant yes to “the code it is only meant to e.g. decrypt a pkcs8 archive”. (PKCS#8 is not really an archive format, it's very specialized for private keys, but the PKCS#8 specification says to optionally use encryption mechanisms defined by the PKCS#12 specification.) Supporting PKCS#12 as a whole was not a design goal. To take a more extreme example, zip files can be encrypted, and it would be reasonable to expect Mbed TLS to implement the zip encryption algorithm, but not the zip compression algorithm. PKCS12 is different because it's a generic container format, but mostly used for cryptography-related data. Implementing (a subset of) PKCS12 in Mbed TLS wouldn't be out of the question, but it's not a given either. We're focusing on cryptographic primitives (which will soon be in a separate project TF-PSA-Crypto), and on TLS (+DTLS and possibly QUIC) (plus what it needs from X.509). |
Thank you for the clarification. A bit of bad news for me but I understand the reasoning. I'll be monitoring the thread to see if it leads to anything. |
Summary
I created the PKCS#12 archive by doing:
I’ve cloned the MBedTLS project an built the programs. Then i navigated to mbedtls/build/programs/pkey and gave the following command:
./key_app mode=private filename=pkcs12.key password=“…”
This gives me the following output/error:
So my question is, is this feature supported by MBedTLS ?
To me it is confusing, there is an pkcs12.h and implementation but from reading the code it is only meant to e.g. decrypt a pkcs8 archive?
Side node, i repeat the above steps with “openssl pkcs8 -in private_key.pem -out pkcs8.key -topk8” then it seems to be able to disect the archive.
System information
Mbed TLS version (number or commit id): e21e9c3
Operating system and version: Linux (debian)
Configuration (if not default, please attach
mbedtls_config.h
): defaultCompiler and options (if you used a pre-built binary, please indicate how you obtained it): default
Additional environment information: Used program key_app
Expected behavior
I expected that the private key would be successfully parsed.
Actual behavior
Failed, with error -0x3d00. As I traced back if complains
Steps to reproduce
Additional information
The text was updated successfully, but these errors were encountered: