Making PKCS12 Stores in Ruby (& where's PKCS8)?

I'm fairly new to Ruby, but very comfortable with OpenSSL. I thought it
would be a good learning exercise to "require 'openssl'" and build
certificates.

I have an existing Root CA and an Intermediate CA, and I can build
appropriate certificates in Ruby. I'm failing on making a PKCS12.

I want to include a chain, so I build an Array:
chain = [root_ca, ca_ca]

Now I want to build a PKCS12 structure - but, I have two problems:

1) I have encrypted my private key, and the 'keyenc' below is failing as
not a valid PKey.
bundle = OpenSSL::PKCS12::create(pass_phrase, "myP12", keyenc, cert, chain)

So I simplify it and use the non-encrypted key:
bundle = OpenSSL::PKCS12::create(pass_phrase, "", pkey, cert)

and this can be written out with a ".to_der", but it isn't a valid
PKCS12!

If I keep it PEM formatted, the whole structure looks like a Ruby object
of some sort, not P12.

2) What is wrong with the output? It looks like this:
#<OpenSSL::PKCS12:0x2aa8c60>

I tried passing 'bundle' into a ::PKCS1::new with (bundle.to_der)- but
it errors.

Also: Where might one find a roadmap? The support for OpenSSL is
really quite good in Ruby (ECC, e.g.), but I do need a PKCS#8 function.


--
Posted via http://www.ruby-forum.com/.
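
An added example, not part of the original post or thread: building a PKCS#12 bundle with a chain from a passphrase-encrypted PEM key, then writing the DER bytes in binary mode and parsing them back to confirm the file is valid. The helper names (`issue`, `build_p12`, `save_and_reload`), the certificate names and the throwaway keys are constructed for illustration.

```ruby
require 'openssl'

# Sign a certificate for `key`; self-signed when issuer_cert is nil.
def issue(cn, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Build a throwaway root -> intermediate -> leaf hierarchy and return the
# PKCS#12 bundle as DER bytes (all names and keys here are constructed).
def build_p12(pass_phrase)
  root_key, ca_key, pkey = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root_ca = issue('Example Root CA', root_key, nil, root_key, 1, ca: true)
  ca_ca = issue('Example Intermediate CA', ca_key, root_ca, root_key, 2, ca: true)
  cert = issue('leaf.example.test', pkey, ca_ca, ca_key, 3, ca: false)

  # An encrypted PEM key is just a String. PKCS12.create needs a PKey object,
  # so decrypt it with the passphrase first.
  keyenc = pkey.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), pass_phrase)
  key = OpenSSL::PKey.read(keyenc, pass_phrase)

  chain = [root_ca, ca_ca]
  bundle = OpenSSL::PKCS12.create(pass_phrase, 'myP12', key, cert, chain)
  bundle.to_der # serialized form; printing `bundle` only shows #<OpenSSL::PKCS12:0x...>
end

# Write the DER bytes in binary mode and parse the file back.
def save_and_reload(path, der, pass_phrase)
  File.binwrite(path, der)
  OpenSSL::PKCS12.new(File.binread(path), pass_phrase)
end
```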

I normally hate being this guy, but: my advice is don't go down this road.
TLS is terrible. PKI is terrible. OpenSSL is terrible. However, these
things are all somewhat salvageable. The Ruby OpenSSL binding, on the other
hand, is frozen into the standard library, a prison from which it will
never escape, and worse, you should probably abandon any plans of your code
working on any other Ruby implementation than MRI provided you do get
something fixed.


On Fri, May 31, 2013 at 5:19 PM, Carlo M. <lists@ruby-forum.com> wrote:


--
Tony Arcieri

I'm not doing anything with OpenSSL, but I am curious. If you don't recommend somebody going down this path, what are the options? Particularly in the case of the OP's question, where he obviously has done quite a bit to try to get stuff to work.


On May 31, 2013, at 9:32 PM, Tony Arcieri wrote:

I normally hate being this guy, but: my advice is don't go down this road. TLS is terrible. PKI is terrible. OpenSSL is terrible. However, these things are all somewhat salvageable. The Ruby OpenSSL binding, on the other hand, is frozen into the standard library, a prison from which it will never escape, and worse, you should probably abandon any plans of your code working on any other Ruby implementation than MRI provided you do get something fixed.

See:

and


--
Tony Arcieri