Score:0

How to work with X.509 certificate bundles with OpenSSL

sd flag
gcb

Is it possible to work with x509 certificates in a pkcs7 bundle file?

I need to sign all certificates in a bundle with extra x509 extensions, e.g. (if they were a single x509 crt file): `openssl x509 -CA corp-ca.crt -CAkey corp-ca.key -randserial -sha256 -extensions sub_ca -extfile sub_ca.cfg -in sub-ca.crt -out with-extensions-ca.crt`

The p7b file has dozens of certificates, but they are not chained, just a bundle.

HBruijn avatar
in flag
AFAIK the [`openssl x509` subcommand](https://www.openssl.org/docs/man1.1.1/man1/x509.html) only supports PEM and DER formats and I *think* that means that you'll first need to extract the PKCS #7 bundle, do what needs to be done and recreate the bundle.
sd flag
gcb
I'm not well versed in PKCS... but my bundle is in DER format, just bundled. i.e. `-in file.p7b -inform DER`
dave_thompson_085 avatar
jp flag
`openssl x509` does not support p7b as either input or output. Expanding on what @HBruijn says: `openssl pkcs7 -in p7b -inform der -print_certs` to extract the certs and a text tool like awk or perl to split them apart; process each; then concatenate and use the oxymoronic `openssl crl2pkcs7 -nocrl -certfile x` to convert back to p7b.
dave_thompson_085 avatar
jp flag
Correction: your not-really-correct answer reminded me you want p7b in DER, so make that `openssl crl2pkcs7 -nocrl -certfile concatenated_pem_certs -outform der [-out p7bfile]`.
Score:0
sd flag
gcb

Comments seem to agree there's no way. Best solution I've assembled from other sources is:

```shell
# convert from DER; note the output is NOT pkcs7 but a plain sequence of PEM certificates
openssl pkcs7 -inform DER -in FILE.der.p7b -print_certs -out FILE.pem
# create a tmp dir with all the individual certs (one file per cert, cert-0000, cert-0001, ...)
mkdir tmp
cd tmp; csplit -z -n 4 -f cert- ../FILE.pem '/END CERTIFICATE/+2' '{*}'
# '{*}' repeats the split for every cert; use '{N}' instead if you expect exactly N+1 pieces
# now loop thru all the files and execute the command (CA, key and sub_ca.cfg as in the question;
# openssl x509 ignores the subject=/issuer= text lines that -print_certs put before each cert)
for f in cert-*; do
  openssl x509 -CA ../corp-ca.crt -CAkey ../corp-ca.key -CAcreateserial -sha256 \
    -extensions sub_ca -extfile ../sub_ca.cfg -in "$f" -out "with-extensions-$f.crt"
done
# and finally pack them back up into a DER p7b
cat with-extensions-*.crt > all.pem
openssl crl2pkcs7 -nocrl -certfile all.pem -outform DER -out ../FILE.new.p7b
```
dave_thompson_085 avatar
jp flag
No the output of `pkcs7 -print_certs` is NOT 'still pkcs7'; it is instead a sequence of separate certificates, each in PEM (which you don't need to specify). I told you already how to convert such a sequence of certs back to pkcs7, except I forgot you want DER so add `-outform der`.
sd flag
gcb
I see. I didn't see much difference from the actual p7b and the list I got :) just assumed the list was a p7b... I'm cleaning all this up and will update the answer after testing the whole code now
sd flag
gcb
BTW, I'm not set on any format. I just need to get a list that happens to be in p7b, add an extension `nameConstraints=critical,permitted;DNS...` and then insert the trust chain into a browser.
dave_thompson_085 avatar
jp flag
p7b/c is a _single_ ASN.1 object with structure PKCS7 SignedData that _contains_ usually multiple certificates; in PEM it has _one_ set of BEGIN/END lines, although in DER you don't see that. The PEM-sequence-of-certs is a sequence of one or more separate ASN.1 objects each with structure X.509/PKIX Certificate and separate BEGIN/END lines; it doesn't have a supported DER form.
sd flag
gcb
@dave_thompson_085 thanks again. I'm having a hard time understanding this but getting there. Too many RFCs and the tools don't work too well with this format. Plus the terms are not helpful... what even is a "degenerate structure"? :) ...still trying to wrangle the PEM format to hold my new constraint... trying to add it only to the CRL if I got these last parts right.
dave_thompson_085 avatar
jp flag
'degenerate' here is math jargon, not a moral judgement. (Modern cryptography is mostly math and many cryptographers are at least partly mathematicians.) PKCS7/CMS SignedData was _intended_ and _designed_ to handle signing of data, as the name indicates, but if you create a SignedData with no data and no signatures it can still contain cert(s) and/or CRL(s); that is a 'degenerate case' -- a SignedData that doesn't sign any data. It's kind of like Jack Nicholson's toast in Five Easy Pieces -- a BLT sandwich on toast with the Bacon, Lettuce and Tomato all removed from the 'sandwich'. ...
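To make the structural point of the two comments above concrete (a .p7b is one ContentInfo/SignedData object holding many certificates, while `-print_certs` output is a plain sequence of separate PEM certificates), here is an added Python example that is not from this thread or from OpenSSL. It encodes a list of certificates into the degenerate SignedData (no eContent, no SignerInfos), walks that DER back to the embedded certificates the way `openssl pkcs7 -print_certs` does, and then does the awk/perl step of splitting the resulting PEM sequence into one block per certificate. It uses only the standard library; the "certificates" are constructed placeholder SEQUENCEs, not real X.509 certificates, and all function names are mine.

```python
"""Added example: build and unpack a degenerate PKCS#7/CMS SignedData (.p7b) with the stdlib."""
import base64
import textwrap

OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 id-data
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 id-signedData


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value, raw_bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, end = read_tlv(buf, pos)
        yield tag, value, buf[pos:end]
        pos = end


def build_p7b(cert_ders):
    """ContentInfo{signedData, SignedData} carrying only certificates: the 'degenerate case'
    of RFC 5652 section 5.2 (nothing is signed and there are no signers)."""
    signed_data = tlv(0x30,
                      tlv(0x02, b"\x01")                  # version 1
                      + tlv(0x31, b"")                    # digestAlgorithms: empty SET
                      + tlv(0x30, tlv(0x06, OID_DATA))    # encapContentInfo: id-data, no eContent
                      + tlv(0xA0, b"".join(cert_ders))    # [0] IMPLICIT SET OF certificates
                      + tlv(0x31, b""))                   # signerInfos: empty SET
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))  # [0] EXPLICIT content


def extract_certs(p7b_der):
    """Walk ContentInfo -> [0] -> SignedData -> [0] certificates.
    Returns (list of certificate DERs, True if the bundle is degenerate)."""
    _, content_info, _ = read_tlv(p7b_der)
    tag, oid, pos = read_tlv(content_info)
    if tag != 0x06 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, explicit, _ = read_tlv(content_info, pos)
    _, signed_data, _ = read_tlv(explicit)
    fields = list(iter_tlvs(signed_data))
    has_econtent = len(list(iter_tlvs(fields[2][1]))) > 1   # encapContentInfo has an eContent
    has_signers = len(fields[-1][1]) > 0                     # signerInfos SET is non-empty
    certs = []
    for tag, value, _ in fields:
        if tag == 0xA0:
            certs.extend(raw for _, _, raw in iter_tlvs(value))
    return certs, not (has_econtent or has_signers)


def pem(label, der):
    """Wrap DER in a single BEGIN/END block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"


def split_pem_certs(text):
    """The awk/perl step: cut a PEM sequence into one block per certificate."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----"):
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return blocks


# Constructed placeholders standing in for DER certificates (a real Certificate is a SEQUENCE too).
SAMPLE_CERTS = [tlv(0x30, tlv(0x0C, b"placeholder cert A")),
                tlv(0x30, tlv(0x0C, b"placeholder cert B")),
                tlv(0x30, tlv(0x0C, b"placeholder cert C"))]


def demo():
    bundle = build_p7b(SAMPLE_CERTS)
    certs, degenerate = extract_certs(bundle)
    p7b_pem = pem("PKCS7", bundle)                            # ONE BEGIN/END pair for the whole bundle
    seq_pem = "".join(pem("CERTIFICATE", c) for c in certs)   # one pair PER certificate
    return {"certs": certs, "degenerate": degenerate,
            "p7b_blocks": p7b_pem.count("-----BEGIN"), "seq_blocks": len(split_pem_certs(seq_pem))}


if __name__ == "__main__":
    print(demo())
```

Running it shows the difference Dave describes: the PKCS7 PEM has exactly one BEGIN/END pair however many certificates are inside, whereas the sequence form has one pair per certificate, and `extract_certs` reports the bundle as degenerate because the encapContentInfo has no eContent and the signerInfos set is empty.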
dave_thompson_085 avatar
jp flag
For background consider https://stackoverflow.com/questions/56492886/how-to-convert-java-keystore-to-pkcs7-p7b-file and the links there especially in my comment.