000019515 - How to import a PKCS #12 that contains only private keys and no corresponding certificates

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019515
Applies To: RSA BSAFE Cert-C 2.0.1
Bug tst00026255 has been filed, requesting that C_ImportPKCS12 correctly handle the import of PKCS #12 files that contain only private keys and no corresponding certificates.
Issue: How to import a PKCS #12 that contains only private keys and no corresponding certificates.
C_ImportPKCS12 fails with 0x727 (E_INVALID_PARAMETER) when importing a PKCS #12 that contains no certificates.
Cause: The toolkit calls C_InsertPrivateKey to add the private key to the database SERVICE given to C_ImportPKCS12. Because C_ImportPKCS12 is given a NULL CERT_OBJ, it cannot insert the private key and returns E_INVALID_PARAMETER. Note that C_ReadFromPKCS12 does correctly return a PKCS12_BAG whose content.keyContent.cert is NULL; the p12memio.c sample, which uses C_ReadFromPKCS12, fails because it attempts the same C_InsertPrivateKey call.
Resolution: To correct this issue, obtain a current version of RSA BSAFE Cert-C.

A workaround is available in the Cert-C 2.5 (or later) sample code, or by requesting the updated files from Developer Support. The p12memio.c sample, which performs a PKCS #12 import using C_ReadFromPKCS12, uses the following updated file:

samples/pkcs12/p12memio.c - replacement file

The p12memio.c file shows the use of C_ReadFromPKCS12 (and reconstructs another PKCS #12 with the same contents). RSA Security Technical Support successfully used the modified test case with PKCS #12 files created by pkcs12exp that contained only RSA private keys and only DSA private keys. The key change is to use RSAUTIL_InsertPrivateKey in place of C_InsertPrivateKey, since RSAUTIL_InsertPrivateKey derives the needed information from the private key itself.
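The input shape this article describes can be reproduced without Cert-C. The following shell script is an added example, not part of the RSA article or the Cert-C samples; it uses OpenSSL as a stand-in for pkcs12exp to build a key-only PKCS #12 beside a normal one, then counts the certificates and private keys in each so an importer can detect the certificate-less case up front and route it to the RSAUTIL_InsertPrivateKey workaround instead of letting C_ImportPKCS12 fail. The password and subject name are constructed test values.

```shell
#!/bin/sh
# Added example (not from the RSA article): build a key-only PKCS #12 with
# OpenSSL and count what it carries before handing it to an importer.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="pass:test-only"   # constructed test password, not a real secret

# Number of certificates in a PKCS #12 file (0 for a key-only file).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nokeys 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE' || true
}

# Number of private keys in a PKCS #12 file.
p12_key_count() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null \
      | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# 1. An RSA key and a throwaway self-signed certificate for comparison.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=p12-test" -days 1 \
    -out "$WORK/cert.pem" 2>/dev/null

# 2. Key-only PKCS #12: the shape that makes C_ImportPKCS12 return
#    E_INVALID_PARAMETER, because there is no CERT_OBJ to insert alongside the key.
openssl pkcs12 -export -nocerts -inkey "$WORK/key.pem" \
    -passout "$PASS" -out "$WORK/keyonly.p12"

# 3. Normal PKCS #12 carrying the matching certificate.
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout "$PASS" -out "$WORK/withcert.p12"

echo "keyonly.p12  certs=$(p12_cert_count "$WORK/keyonly.p12") keys=$(p12_key_count "$WORK/keyonly.p12")"
echo "withcert.p12 certs=$(p12_cert_count "$WORK/withcert.p12") keys=$(p12_key_count "$WORK/withcert.p12")"
```

A certificate count of 0 with a key count of 1 is the case the article covers; such a file should be read with C_ReadFromPKCS12 and its key inserted via RSAUTIL_InsertPrivateKey rather than passed to C_ImportPKCS12.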
Legacy Article ID: a10188