-
-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Newer pkcs12 file format reverses cert chain order #281
Comments
Are you sure the certs aren't in the opposite order in the PKCS#12 archive? |
yes, I imported the same ca chain into pkcs12 using older and newer openssl and observed the opposite behavior with the following test: use openssl::pkcs12::Pkcs12; fn main() -> Result<(),Box>{
} |
Yes. openssl "fixed" the reverse behavior in 3.0 beta2. They now treat the original format as a legacy. I found a PR in other crates to handle this situation. ancwrd1/pki-rs#1 |
"Very cool" It seems like the pki-rs approach is the least-bad option here. |
I see in many of the Identity::from_pkcs12 functions the comment:
// > The stack is the reverse of what you might expect due to the way
But it appears in the newer pkcs12 file format the chain is coming out reversed.
I verified that with the older format, the reversal in the code is necessary, but
in the newer format, the reversal is causing the chain to be present in opposite
order and thus causing the server to not recognize the client cert/chain.
Note: This is diferent from the other issue rgd the newer pkcs12 format where the
cipher used is no longer supported.
The text was updated successfully, but these errors were encountered: