diff options
author | kris <kris@FreeBSD.org> | 2001-05-20 03:07:21 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 2001-05-20 03:07:21 +0000 |
commit | 12896e829e9474d92c70a1528cc64270e9dc08ad (patch) | |
tree | af21ae7d0d7d432ead379f1689adfee9ffe965f6 /crypto/openssl/doc/apps/pkcs12.pod | |
parent | 7e55354aa4b06dead79c8a2c91756d71c0f02030 (diff) | |
download | FreeBSD-src-12896e829e9474d92c70a1528cc64270e9dc08ad.zip FreeBSD-src-12896e829e9474d92c70a1528cc64270e9dc08ad.tar.gz |
Initial import of OpenSSL 0.9.6a
Diffstat (limited to 'crypto/openssl/doc/apps/pkcs12.pod')
-rw-r--r-- | crypto/openssl/doc/apps/pkcs12.pod | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/crypto/openssl/doc/apps/pkcs12.pod b/crypto/openssl/doc/apps/pkcs12.pod index c400999..7e0307d 100644 --- a/crypto/openssl/doc/apps/pkcs12.pod +++ b/crypto/openssl/doc/apps/pkcs12.pod @@ -304,6 +304,26 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (MSIE or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. + +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the B<pkcs12> utility will report that the MAC is OK but fail with a decryption +error when extracting private keys. + +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: + + old-openssl -in bad.p12 -out keycerts.pem + openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + =head1 SEE ALSO L<pkcs8(1)|pkcs8(1)> |