diff options
author | Kris Kennaway <kris@FreeBSD.org> | 2001-05-20 03:07:21 +0000 |
---|---|---|
committer | Kris Kennaway <kris@FreeBSD.org> | 2001-05-20 03:07:21 +0000 |
commit | 5740a5e34c49bfc6885d8602958155fc91b62765 (patch) | |
tree | af21ae7d0d7d432ead379f1689adfee9ffe965f6 /crypto/openssl/doc/apps/pkcs12.pod | |
parent | de7cdddab120ecc07d412749bfb3f191c4e0afe3 (diff) | |
download | src-5740a5e34c49bfc6885d8602958155fc91b62765.tar.gz src-5740a5e34c49bfc6885d8602958155fc91b62765.zip |
Initial import of OpenSSL 0.9.6a
Notes
Notes:
svn path=/vendor-crypto/openssl/dist/; revision=76866
Diffstat (limited to 'crypto/openssl/doc/apps/pkcs12.pod')
-rw-r--r-- | crypto/openssl/doc/apps/pkcs12.pod | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/crypto/openssl/doc/apps/pkcs12.pod b/crypto/openssl/doc/apps/pkcs12.pod index c4009998b8a9..7e0307dda0bf 100644 --- a/crypto/openssl/doc/apps/pkcs12.pod +++ b/crypto/openssl/doc/apps/pkcs12.pod @@ -304,6 +304,26 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (MSIE or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. + +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the B<pkcs12> utility will report that the MAC is OK but fail with a decryption +error when extracting private keys. + +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: + + old-openssl -in bad.p12 -out keycerts.pem + openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + =head1 SEE ALSO L<pkcs8(1)|pkcs8(1)> |