
PKCS#12 files without passwords



Hello,

I am attempting to port an application that I developed a little over 2
years ago from SFL release 2.1 to release 2.3.

I have a problem using PKCS#12 files without passwords.  Our application
is non-interactive and if there is a password it has to be configured. 
We prefer not to use them most of the time, as they are just something
to get wrong that can break the configuration, and add no security.

SFL 2.1 used some code from OpenSSL to read PKCS#12 files.  Although the
SMIME/alg_libs/sm_free3 code as shipped required a password to work, the
underlying OpenSSL code worked without one, and I was able to apply a
trivial fix to the sm_free3 code to enable it to be used.

SFL 2.3 has its own code for reading PKCS#12 files, which clearly wasn't
written with the possibility of not having a password in mind.  I have
tried fixing it up in the obvious manner but without success.  It then
returned the user certificate incorrectly decrypted.  I think I must
have got some subtlety of the way the password is converted to make a
Unicode string, then hashed with a salt value to make the decryption key
wrong.

Could you please tell me if there is a fix to this problem, and if so
when it will be available.

John Stark
-- 
John Stark
Tel: +44 1223 566732
Mobile: +44 7968 110628
E-mail: jas@xxxxxxxxxxxx
Web: http://www.metanate.com