How to convert PFX (PKCS#12) to PKCS#15 to use with CRYPTLIB

I have a certificate and key pair exported from Internet Explorer in PFX format. I'd like to convert this PKCS#12 formatted file to PKCS#15 to use it with cryptlib: http://www.cs.auckland.ac.nz/~pgut001/cryptlib

I tried the following tools, maybe it will help with the answer:
$> openssl pkcs12 -in infile.pfx -out outfile.pem
Then I've tried to use this tool: http://www.oryx.com/ams/pemtrans.html but with no success.

I've decrypted the KEY part of the PEM file with the following command:
$> openssl rsa -in infile.pem -out outfile.key

But the pemtrans complains about a bad certificate file. Maybe I'm close, but the time is short :(

Thanks for help!
Asked:
gutyka
Paranormastic (Cryptographic Engineer) commented:
Try looking through this for what is relevant to your case - some of it may be extraneous, such as the hard drive encryption stuff, but there should be some good stuff. I don't know for a fact how well it works for cryptlib, but if that other link didn't go, then it is the best shot I'm finding for you.

http://www.saout.de/tikiwiki/tiki-index.php?page=RSAFirstSectorsMiniHOWTO

This refers to using OpenSC in addition to OpenSSL:
http://www.opensc-project.org/

Also, if possible for your test, try using a more basic cert - a 1024 RSA SHA-1. If you are trying to use anything too new and fancy like discrete/elliptic curve algorithms, newer SHA-2 signatures, or something else like that, you may run into issues. Sounds like cryptlib used to support ECC but has removed support, but can add it back upon request? Anyways, a 1024 or 2048 RSA cert would be my first attempt - any bigger and you could run into compatibility issues. MD5 signatures are probably okay, but they seem to have a 'we're so secure' thing going on, so they may not work well with MD5 on purpose since it is essentially a legacy signing algorithm - this is pure speculation with no backing, just general advice.
Dave Howe commented:
http://www.opensc-project.org/ has a tool (pkcs15-init) for importing from DER encoded (pem) files. You should use another suitable tool (such as sourceforge.net/projects/xca) to convert from PKCS#12 to separate certificate and secret key files first.
Dave Howe commented:
Hmm. I get the feeling I am opening a can of worms here. PKCS#15 is hard to build away from secure tokens, and it is likely that cryptlib will accept some other format output by xca - so I would try that instead :)
gutyka (Author) commented:
The story is that I have a PKCS#12 or PFX certificate and private key file already from a provider. It cannot be recreated in any way and I cannot ask for another type so I have to deal with it. It seems to be quite a standard that they use the browser's capability to generate certificate requests and then the browser again to issue the certificate (by checking the request).

So I have a PFX source and I cannot change that, unfortunately. That has to be converted to some sort of format that Cryptlib eats. I've generated several self-issued PKCS#15 files with openssl and pemtrans before and they are working perfectly with Cryptlib. But they are useless when you want to digitally sign an official document.

I have no smartcard or any other hardware tool capable of containing PKCS#15 data. A server will sign the documents and I cannot attach a card and a card reader to the server's USB port for every customer. Unfortunately, even the pkcs15-util doesn't seem to work without a card.

So far, thank you for your effort guys!
Dave Howe commented:
It's possible that the "soft" smartcard that forms part of moz could be used - softokn3.dll - but I haven't tried that.
Paranormastic (Cryptographic Engineer) commented:
OK, so just for reference, here are the specs for PKCS#15:
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-15/pkcs15Conformance.pdf

One area of note is:
5.4.1 Private Keys
At least two private keys must be present on the PKCS #15 token. One key is
used for both authorization and encryption. The second key is used
exclusively for non-repudiation (or digital signatures).
The allowed private key type is RSA keys of strength 1024 or greater.

This sounds like what Identrust does with their banking stuff - not sure if it's exactly the same, but a similar concept at least if it isn't.


You say that you have created PKCS #15 that work okay but just aren't from a controlled cert issuing environment for non-repudiation - could you please give us some of the details on that?



To look at this from a completely different angle: what is the end goal here?  What requirement are you trying to fulfill by using cryptlib?  How tied are you to using that specific product, or might it be worth suggesting an alternative product to meet your requirement that does not have this requirement?

Also, cryptlib does say that they do support PKCS#12 but that they sometimes have issues because everyone does their own thing for P12 files - out of morbid curiosity - have you tried using your P12 file first?
gutyka (Author) commented:
Paranormastic, thanks for the questions!! :)

I intend to use cryptlib and the certificate I have to digitally sign (and timestamp) invoices. This has to be done on a Linux environment. Cryptlib seemed to be a perfect choice, because it can do all the things I wanted. But then came up this little catch with the "trusted and real" certificate, which I can only have in PFX (or we can call it PKCS#12 just to confuse) format.

Before obtaining the "real" certificate I tried to create a self issued one with openssl:
I created an openssl.cnf from a template with the following addition:
keyUsage = cRLSign, digitalSignature, keyEncipherment, keyCertSign

$ openssl genrsa 1024 -config openssl.cnf > host.key
$ openssl req -new -x509 -nodes -sha1 -days 365 -key host.key -config openssl.cnf > host.crt

In the pemtrans directory:
$ ./pemtrans host.key host.crt keyset.p15 "common name" "password"

keyset.p15 is the newly generated PKCS#15 file. Cryptlib happily accepted it. I hope I didn't miss or mistype anything...

I've tried to feed the p12 file to cryptlib with no success. Although I did not mess with the source code of cryptlib yet and, to be honest, I don't really want to :) Why stick with cryptlib? I think there must be a very easy way to convert this very file to p15 format, I'm just missing the last step.

Thanks for helping!
Paranormastic (Cryptographic Engineer) commented:
Okay, so let's try splitting up the pfx file into its base components of the private key and the public key/certificate and see if that fits into what you have been doing with your locally generated certs.

Extract the cert:
openssl pkcs12 -in p15test.pfx -nokeys -out p15test.crt

Extract the private key:
openssl pkcs12 -in p15test.pfx -nocerts -out p15test.key

If that doesn't work, you can try opening up the private key file in Notepad and stripping out the extraneous junk at the beginning and try again.  So for the second attempt the private key file should start with
-----BEGIN RSA PRIVATE KEY-----

gutyka (Author) commented:
I've tried it before with and without separating and clearing the "junk" from it. As I mentioned in my original post, I've managed to get through the key file, but the cert file was still a problem. I followed the same logic you are saying.

If I do what you advise, the result from pemtrans is:
Couldn't load private key from 'p15test.key'
10294:error:0906B072:lib(9):func(107):reason(114):pem_lib.c:481:
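An added helper (example code written for this thread, not from the poster, cryptlib or pemtrans) for the splitting step suggested above and the pemtrans key error in the reply: given the PEM text that openssl pkcs12 writes, it drops the Bag Attributes junk, separates the certificate blocks from the key block, and reports whether the key is in the traditional RSA form pemtrans expects or a PKCS#8 form that still needs openssl rsa / openssl pkcs8 first. The sample PEM is constructed, with placeholder bodies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what "openssl pkcs12 -in file.pfx -out file.pem" prints:
# "Bag Attributes" lines precede each block; base64 bodies are placeholders.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01 02 03 04
subject=/CN=example
issuer=/CN=example
-----BEGIN CERTIFICATE-----
MIIBxzCCAXGgAwIBAgIJAPLACEHOLDERCERT
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0PLACEHOLDERKEY
-----END ENCRYPTED PRIVATE KEY-----
"""

# One PEM block: BEGIN line, body, and the END line with the same label.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

def split_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) pairs; text outside BEGIN/END lines is dropped."""
    return [(m.group(1), m.group(0) + "\n") for m in BLOCK_RE.finditer(text)]

def classify_key(label: str, block: str) -> str:
    """Say whether a tool wanting a traditional RSA key (pemtrans) can read it."""
    if label == "RSA PRIVATE KEY":
        if "Proc-Type: 4,ENCRYPTED" in block:
            return "traditional RSA key, still encrypted: run openssl rsa on it first"
        return "traditional unencrypted RSA key (the form pemtrans expects)"
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted PKCS#8 key: decrypt with openssl pkcs8 or openssl rsa first"
    if label == "PRIVATE KEY":
        return "unencrypted PKCS#8 key: convert with openssl rsa (-traditional on 3.x)"
    return "not a private key"

def extract(text: str) -> Dict[str, str]:
    """Split a pkcs12 PEM dump into clean cert and key text plus a key verdict."""
    out = {"certs": "", "key": "", "key_status": "no private key found"}
    for label, block in split_pem(text):
        if label == "CERTIFICATE":
            out["certs"] += block  # a chain may carry several certificates
        elif label.endswith("PRIVATE KEY"):
            out["key"] = block
            out["key_status"] = classify_key(label, block)
    return out
```

Write out["certs"] and out["key"] to separate files only once key_status says the key is in the traditional unencrypted form; otherwise run the openssl step it names first.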
Paranormastic (Cryptographic Engineer) commented:
You can try converting to proper PEM format. Usually a base64 .crt file is close enough and you can just rename it, but here are a couple of conversion scripts I use for the more 'sensitive' applications. I added the openssl path as a variable. This will convert whatever is in the same folder as the .bat file (works on multiple files at once).

REM CRT to PEM conversion script
REM Set OpenSSL to the full path of openssl.exe (placeholder path below)
SET OpenSSL=C:\path\to\openssl.exe
 FOR /F "Tokens=1,2 delims=." %%A IN ('dir *.crt /b') DO (
    %OpenSSL% x509 -in %%A.crt -out %%A.pem
 )
pause

------

REM PFX to PEM conversion script
REM Loops over every .pfx in the folder; %%A is the filename without extension
SET OpenSSL=C:\path\to\openssl.exe
 FOR /F "Tokens=1,2 delims=." %%A IN ('dir *.pfx /b') DO (
    %OpenSSL% pkcs12 -in %%A.pfx -out %%A.pem
 )
pause
gutyka (Author) commented:
I got a program that does the exact thing I want. It converts pfx files to Cryptlib p15. I don't have the source for it, just the Windows executable, and because the conversion is a manual process and it won't occur often (just when we have a new customer) there is no need to implement a Linux version for it. If anyone is interested in the converter, drop me a line.
Paranormastic (Cryptographic Engineer) commented:
Is there a download link or product name you could post for this?  Glad you found something that worked for you - hopefully cryptlib isn't so picky for other things for you!