Loading an empty PKCS#12 keystore, then adding an entry, makes writing it fail
Issue #294
The following code fails on the final write (the second `write-it` call, after the empty keystore has been written, read back and given one private-key entry):
;; Reproducer for issue #294: round-trip an *empty* PKCS#12 keystore through
;; write -> read, add one private-key entry to the re-loaded store, and write
;; it again.  The second write is the step that fails.
;;
;; NOTE(review): the password is a literal and is reused for both the keystore
;; (write/read) and the entry itself -- acceptable only in a reproducer; never
;; hard-code or share keystore/entry passwords in real code.
(let* ((store (make-pkcs12-keystore))
       (password "password")
       ;; Fresh ECDSA key pair; it is both the certificate's public key and
       ;; the private key stored in the entry.
       (kp (generate-key-pair *key:ecdsa*)))
  ;; Build a self-signed (issuer = subject) certificate template whose
  ;; validity runs from now for `days` days.
  ;; NOTE(review): the key-usage bits are the reporter's choice and are not
  ;; relevant to the keystore bug; key-encipherment is not a meaningful usage
  ;; for an ECDSA key (RFC 5280 section 4.2.1.3) -- confirm if this template is
  ;; reused elsewhere.
  (define (self-signed-template dn serial days pub)
    (let* ((now (current-time))
           (valid-from (time-utc->date now))
           (valid-to (time-utc->date (add-duration now (duration:of-days days)))))
      (x509-certificate-template-builder
       (issuer-dn dn)
       (subject-dn dn)
       (serial-number serial)
       (not-before valid-from)
       (not-after valid-to)
       (public-key pub)
       (extensions
        (list
         (make-x509-key-usage-extension
          (x509-key-usages digital-signature key-encipherment key-agreement decipher-only)
          #t)
         (make-x509-private-key-usage-period-extension
          (make-x509-private-key-usage-period :not-before valid-from)
          #t)
         (make-x509-basic-constraints-extension
          (make-x509-basic-constraints :ca #f)))))))
  ;; `subject-dn` is not defined in this snippet -- presumably bound in the
  ;; reporter's environment.  Serial 1000, valid for 1 day, signed with the
  ;; pair's own private key.
  (define cert
    (sign-x509-certificate-template
     (self-signed-template subject-dn 1000 1 (key-pair-public kp))
     *signature-algorithm:ecdsa-sha256* (key-pair-private kp)))
  ;; Serialise a keystore to a bytevector under the shared password.
  (define (keystore->bytevector ks)
    (let-values (((port extract) (open-bytevector-output-port)))
      (write-pkcs12-keystore ks password port)
      (extract)))
  ;; 1. write the still-empty keystore and read it straight back;
  ;; 2. add one private-key entry (with its certificate chain) to the
  ;;    re-loaded keystore;
  ;; 3. write again -- this is the call that fails, because loading an
  ;;    entry-less keystore leaves no privacy descriptor selected.
  (let ((reloaded (read-pkcs12-keystore
                   password
                   (open-bytevector-input-port (keystore->bytevector store)))))
    (pkcs12-keystore-private-key-set! reloaded "key" (key-pair-private kp)
                                      password (list cert))
    (keystore->bytevector reloaded)))
This happens because loading a keystore derives its privacy descriptor from the entries it contains. When the loaded keystore has no entries, no descriptor is selected, and the next write (after an entry has been added) fails. In that case the loader must fall back to the default privacy descriptor. Whatever that default is, it should be a modern scheme (PBES2 with AES) rather than the legacy PKCS#12 PBE algorithms, since it will apply to every keystore that is created empty and populated later.
Comments (1)
Use the default privacy descriptor when loading an empty PKCS#12 keystore. (Fixes #294) → <<cset 817d65c01295>>