I'm pretty sure I can find it on my own. Not saying that I won't
thankfully receive links to interesting information, mind you!

That being said, there is currently no support (no deserializer) for
PKIpath in OpenSSL.

(BTW, since it's a SEQUENCE OF, the outermost object in such a DER file
amounts to only one, even though it then contains a series of
certificates, so that's not really part of the discussion here)

Cheers,
Richard

On Fri, 22 May 2020 09:41:53 +0200, Kyle Hamilton wrote:
>
> There is a format that puts all DER certificates into a single
> DER-formatted structure. It is called PKIpath, and it's defined as
> `SEQUENCE OF Certificate`. The problem with it is that its order was
> standardized by X.509 2001 TC1 to begin with the root and continue to
> the leaf, which is backwards from how TLS presents the certificate
> chain. (Java's JCA/JCE were specified before that corrigendum issued,
> and its PKIpath validation goes by the convention in use at the time
> to put the leaf certificate first, like pem-certificate-chain.)
>
> I don't have my computer open to get you the PKIX-WG RFCs which define
> it and specify the same order as the TC1, but if you're curious you
> can chase them down by looking up IANA's list of media types and
> searching for "application/pkix-pkipath".
>
> -Kyle H
>
> On Fri, May 22, 2020, 00:55 Richard Levitte <levitte@xxxxxxxxxxx> wrote:
>
> > Generally speaking, OpenSSL hasn't exactly encouraged multiple objects
> > in one DER file. While it's theoretically possible to have several
> > objects in such a file, there is code in OpenSSL where that's simply
> > not considered. For example, this snippet in the man-page
> > 'X509_LOOKUP_file' is quite clear:
> >
> > Functions X509_load_cert_file and X509_load_crl_file can load both PEM
> > and DER formats depending of type value. Because DER format cannot
> > contain more than one certificate or CRL object (while PEM can contain
> > several concatenated PEM objects) X509_load_cert_crl_file with
> > FILETYPE_ASN1 is equivalent to X509_load_cert_file.
> >
> > The functions described there are also used by functions like
> > X509_LOOKUP_load_file().
> >
> > Note that this may change going forward, as OSSL_STORE is gradually
> > entering the scene, and does provide a bit better flexibility in this
> > regard.
> > (We have recently added an X509_LOOKUP variant that uses OSSL_STORE
> > for its object retrieval, see the section 'OSSL_STORE Method' in
> > doc/man3/X509_LOOKUP_hash_dir.pod in recent OpenSSL source, such as
> > the alpha releases)
> >
> > Cheers,
> > Richard
> >
> > On Fri, 22 May 2020 00:53:39 +0200,
> > paul h. roubekas wrote:
> > > I am a complete newbie to this list.
> > >
> > > I wanted to search the archive but found no such page.
> > >
> > > I have a requirement to convert all certs in a *.p12 file to a *.der
> > > file for use in the curl command.
> > >
> > > The first hop to a *.pem file has all the certs.
> > >
> > > But the second hop only has one cert. Then I read the docs but found
> > > nothing that looked even close.
> > >
> > > Hop 1
> > >
> > > openssl pkcs12 -chain -in trust.p12 -out ww_temp.pem -password {redacted}
> > >
> > > Hop 2
> > >
> > > openssl x509 -outform der -in ww_temp.pem -out ww_temp.der
> > >
> > > The Question) How do I get all the certs in the .der file?
> > >
> > >
> > --
> > Richard Levitte levitte@xxxxxxxxxxx
> > OpenSSL Project http://www.openssl.org/~levitte/
> >
--
Richard Levitte levitte@xxxxxxxxxxx
OpenSSL Project http://www.openssl.org/~levitte/
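The distinction drawn in the thread above, several certificates written back to back into one DER file versus a single PKIpath `SEQUENCE OF Certificate`, as an added example written for this page (not OpenSSL code and not from anyone in the thread): a minimal DER TLV walker that splits a concatenated file into its top-level objects and wraps them into one PKIpath object. The certificate blobs are constructed filler SEQUENCEs, not real certificates, so the code exercises only the outer framing.

```python
"""Added example for this thread, not OpenSSL code. Only the outer DER TLV
(tag/length/value) framing is parsed; certificate contents stay opaque."""
SEQUENCE = 0x30

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short form: one length byte
        length, hdr = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER object")
    return tag, pos + hdr, end

def split_concatenated_der(buf):
    """Return every top-level object in buf, i.e. what 'cat a.der b.der' holds."""
    objects, pos = [], 0
    while pos < len(buf):
        tag, _, end = read_tlv(buf, pos)
        if tag != SEQUENCE:
            raise ValueError(f"unexpected tag 0x{tag:02x} at offset {pos}")
        objects.append(bytes(buf[pos:end]))
        pos = end
    return objects

def encode_length(n):
    """DER length: one byte below 128, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def to_pkipath(certs):
    """Wrap certs into one PKIpath (SEQUENCE OF Certificate); the caller picks
    the order (X.509 TC1: root first, leaf last)."""
    body = b"".join(certs)
    return bytes([SEQUENCE]) + encode_length(len(body)) + body

# Constructed stand-ins, not real certificates: filler SEQUENCEs sized so that
# both long-form length encodings (0x81 and 0x82) get exercised.
FAKE_ROOT = b"\x30\x81\xc8" + b"R" * 200
FAKE_LEAF = b"\x30\x82\x01\x00" + b"L" * 256
CONCATENATED = FAKE_LEAF + FAKE_ROOT      # the "cat two .der files" case
```

`split_concatenated_der(CONCATENATED)` yields two objects, which is exactly what an X509 loader that reads one DER object per file will not iterate over, while `to_pkipath(...)` yields a file whose outermost object is a single SEQUENCE.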