Question

我在iPhone上使用这个OpenSSL代码生成一个PKCS＃12文件，给出一些证书/私钥的数据。我能够验证这个PKCS＃12在OpenSSL上是否可解析，因为当我在代码中检查它时它没有打印出错误。但是，当我将它传输到我的服务器时，它说：Error: PKCS#12 MAC could not be verified. Invalid password?有谁知道这是为什么？我使用相同的密码，即密码＆＃39;

 - (NSData *)generateP12AsNSData:(NSData *)keyData certificate:(NSData *)certificateData {
    //put the certificateData into a X509 certificate
    const unsigned char *certificateDataBytes = (const unsigned char*)[certificateData bytes];
    X509 *certificateX509 = d2i_X509(NULL, &certificateDataBytes, [certificateData length]);

    EVP_PKEY *privateKey;
    PKCS12 *p12;
    //cast the key data as an unsigned char so that we can convert it to the OpenSSL key format
    const unsigned char *bits = (unsigned char *) [keyData bytes];
    int length = (int)[keyData length];
    privateKey = EVP_PKEY_new();

    //convert the unsigned char to OpenSSL Key format
    RSA *rsa = NULL;
    d2i_RSAPrivateKey(&rsa, &bits, &length);
    EVP_PKEY_assign_RSA(privateKey, rsa);

    //create the PKCS#12
    OpenSSL_add_all_algorithms();
    p12 = PKCS12_create("password", "ExtraDeviceP12", privateKey, certificateX509, NULL, 0,0,0,0,0);

    //make sure the p12 exists
    if(!p12) {
        fprintf(stderr, "Error creating PKCS#12 ");
        ERR_print_errors_fp(stderr);
        return nil;
    }

    //error checking to make sure we generated the CSR correctly
    STACK_OF(X509) *ca = NULL;
    EVP_PKEY *parseKey;
    X509 *parseCert;
    if (!PKCS12_parse(p12, "password", &parseKey, &parseCert, &ca)) {
        printf("error parsing PKCS#12 file");
        return nil;
    }

    //convert the PKCS#12 to binary data
    //create a new memory BIO. A BIO is used for basic I/O abstraction.
    BIO *bio;
    bio = BIO_new(BIO_s_mem());
    //i2d_PKCS12_bio is used to export a PKCS12 object
    i2d_PKCS12_bio(bio, p12);
    BUF_MEM *buffer;
    BIO_get_mem_ptr(bio, &buffer);

    //int bioLen = BIO_pending(&buffer);


    char *buff = (char*)malloc(buffer->length);
    memcpy(buff, buffer->data, buffer->length - 1);
    buff[buffer->length - 1] = 0;
    NSData *data = [NSData dataWithBytes:buff length:buffer->length];

    NSString *string = [data base64EncodedStringWithOptions:0];
    NSLog(@"Base64 PKCS#12: %@", string);

    BIO_free_all(bio);

    return data;
}

编辑：这是我用Javascript编写的服务器端代码。在这种情况下，req.body是从iPhone发送的NSData。我收到无效的密码错误。

  var p12b64 = req.body.toString('base64');    
  var p12Der = forge.util.decode64(pk12b64);
  var p12Asn1 = forge.asn1.fromDer(p12Der);
  var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, 'password');

Answer 1

尝试以下方法。它显示了应该检查某些键返回值的位置，并且它避免了额外的数据副本：

BIO *bio = BIO_new(BIO_s_mem());
ASSERT(bio != NULL);

int ret = i2d_PKCS12_bio(bio, p12);
ASSERT(ret == 1);

BUF_MEM *buffer;
BIO_get_mem_ptr(bio, &buffer);
ASSERT(buffer != NULL);

NSData *data = [NSData dataWithBytes:buffer->data length:buffer->length];
BIO_free_all(bio);

您可以在i2d_PKCS12_bio man pages找到i2d_PKCS12_bio的文档。

如果需要，您可以对来自i2d_PKCS12_bio的二进制数据进行Base64编码。有关使用BIO链并确保Base64字符串以NULL结尾，请参阅Non-printable character after generating random n-byte Base64 string。

PKCS＃12密码无效

1 个答案: