OK, I'd like to report this as a bug to the IBM ikeyman folks. However,
when I look at PKCS#12 v1
(http://www.rsasecurity.com/rsalabs/node.asp?id=2138) I don't see any
discussion of this limitation of the localKeyID field. Is there a newer
spec I should be looking at?

BTW - the link on your FAQ
Q. Where can I get technical documentation on this stuff?
A. If you want info about my implementation see docs/pk12api.doc and
Latest PKCS#12 Specification.

gives a 404. (and where can I find docs/pk12api.doc and docs/pkcs12.doc?)

Additionally, I will need to parse such 'broken' files, so will need to
update PKCS12_parse for my own use, to find the first private key and the
cert that matches it, regardless of localKeyID in other certs or the order
of the certs/key. Would you be interested in that update? (It could
change the behaviour of the function for files with multiple key/cert
pairs in it.)


Paul Ford-Hutchinson, CISSP : eCommerce application security
e: paul.ford-hutchinson@g-international.com
p: MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL
t: +44 (0)1926 462005
w: http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

"Stephen Henson via RT" wrote on 05/04/2005 18:35:
Please respond to: Paul V Ford-Hutchinson/UK/GINTL/IDE@IBMGB
Subject: [openssl.org #1034] bug report (and fix): PKCS12_parse returns incorrect

That looks like a highly broken PKCS#12 file. The localKeyID attribute
is supposed to be only used between the private key and corresponding
certificate. In that case *every* certificate has a matching localKeyID.


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org