EldoS | Feel safer!


Problem Merging Certificate / Private Key to PFX

#29019
Posted: 03/28/2014 22:35:14
by Luis Mani (Standard support level)
Joined: 07/25/2011
Posts: 4

Hello.
I'm using (SBB 6) PKIBlackbox VCL Version 6.1.150.

What I'm trying to do is to merge a pair of Certificate - Private Key files into one single PFX file, like this.
Both files are in binary format. I may attach them if you need them.
The private key is password protected. I assume that in the conversion process it's removed, leaving only the PFX password, which could be different.


Code
var
  Stream: TFileStream;
  Stream2: TMemoryStream;
  Certificate: TElX509Certificate;
begin
  Stream := TFileStream.Create(FCertFile, fmOpenRead);
  Certificate := TElX509Certificate.Create(nil);
  Certificate.LoadFromStream(Stream);
  Stream.Free;
  Stream := TFileStream.Create(FKeyFile, fmOpenRead);

  //If I don't do this, I get an "Invalid secret key." message
  //when calling LoadKeyFromStream
  TElRSAKeyMaterial(Certificate.KeyMaterial).Passphrase := FPassword;

  Certificate.LoadKeyFromStream(Stream);
  Stream.Free;
  Stream2 := TMemoryStream.Create;
  Certificate.SaveToStreamPFX(Stream2, FPFXPassword, SB_ALGORITHM_PBE_SHA1_3DES, SB_ALGORITHM_PBE_SHA1_RC2_40);
  Stream2.SaveToFile(FPFXFile);
  Stream2.Free;
  Certificate.Free;
end;



Everything seems to go all right so far.
But when I try to use the PFX file, I can't access the private key.


Code
var
  Stream: TFileStream;
  Certificate: TElX509Certificate;
begin
  Stream := TFileStream.Create(edpfx.Text, fmOpenRead);
  Certificate := TElX509Certificate.Create(nil);

  Certificate.LoadFromStreamPFX(Stream, edpass.Text);

  //retrieves original property correctly
  ShowMessage(Certificate.SubjectName.CommonName);
  if Certificate.PrivateKeyExists then  //returns false
    ShowMessage('Private key exists');
  if Certificate.Validate then //returns false
    ShowMessage('Valid');

  if Certificate.IsKeyValid then //returns false
    ShowMessage('Valid Key');
  Stream.Free;
  Certificate.Free;
end;


What am I missing?
What am I doing wrong?
Thanks in advance.
Regards from Mexico City
#29021
Posted: 03/29/2014 03:32:54
by Eugene Mayevski (EldoS Corp.)

The code looks fine. Please check if Certificate.PrivateKeyExists returns true after you load the key into it (insert the check at line 18 of the first code snippet).

Also it's a good idea to test version 11, as version 6 is very old and it's possible that there was some glitch with the functionality you are trying to use - new version in this case can solve the problem.


Sincerely yours
Eugene Mayevski
#29023
Posted: 03/29/2014 13:59:37
by Luis Mani (Standard support level)
Joined: 07/25/2011
Posts: 4

Hello.

Inserting the check in the first code snippet works fine.
Certificate properties PrivateKeyExists and IsKeyValid both return true.

Debugging the library code, it fails on

function TElPKCS12Message.KeyCorresponds(Certificate : TElX509Certificate;
KeyBuffer : pointer; KeySize : integer) : boolean;

in SBPKCS12 unit when calling
SBRSA.DecodePrivateKey(KeyBuffer, KeySize, nil, CSize, nil, DSize, nil, ESize);
if (CSize <= 0) or (DSize <= 0) or (ESize <= 0) then
Exit;

CSize = 0

Maybe it could help.

Regarding version 11, I will write to HelpDesk to ask about price and process to upgrade the license.
If there is no other way to work around this issue, I'll have to consider the upgrade, although it's a "glitch", not an improvement, right?

Thank you very much.
Regards.
#29024
Posted: 03/29/2014 14:06:26
by Eugene Mayevski (EldoS Corp.)

If you can post the PFX so that we could inspect it, we could probably say what's wrong. You can try your code with a test certificate and a private key that we provide (in the Certificates folder). If the code exposes the same problem with the test certificate, then I can say there is some problem in the code. If it fails only for your certificate, then it can be that the certificate's original data is incorrect and the certificate doesn't match the key that you load.

Quote
lmani wrote:
If there is no other way to work around this issue, I'll have to consider the upgrade, although it's a "glitch", not an improvement, right?


From the FAQ:

Quote

Why can't I get bug-fixes for my [old] version of your product for free? I only need bugfixes, not new features.

When you purchase the initial license, a certain period of free minor updates and also new version upgrades is included. So you always get updates, fixes and new features for free for at least one year.

But the lifetime of a given product release is not very long because of two factors:
a) new versions are released frequently, with new features and better compatibility and interoperability with third-party software;
b) our products are monolithic, i.e. a change in code usually requires creation of a new build of the software package - an old version can't be patched or updated in parts.

Due to the mentioned factors we don't provide bug fixes for old versions. You can buy a new version with a discount and get a new round of free updates and upgrades. That will be a purchase of the new version, not of bug fixes. So if you want to get bug fixes for an old version - they are just not available.


Sincerely yours
Eugene Mayevski
#29055
Posted: 03/31/2014 15:15:04
by Luis Mani (Standard support level)
Joined: 07/25/2011
Posts: 4

Hello, Thanks for your answer.

I've tried with the test Certificate / Private Key provided and it works fine.
The only difference I see is that the private key is not password protected.

I'm attaching the resulting PFX (with no password) of merging the files I work with. Just change the extension to PFX.

If you need anything else, just let me know.
Best regards.

#29059
Posted: 03/31/2014 17:01:38
by Ken Ivanov (EldoS Corp.)

Hello Luis,

Please re-check that the password you are passing to the SaveToStreamPFX() method is not empty. It may sound a bit dumb, but an unassigned variable value is one of the most popular reasons for failures of this kind.
#29061
Posted: 03/31/2014 18:01:20
by Luis Mani (Standard support level)
Joined: 07/25/2011
Posts: 4

Hello, Ken.

I've already tried both cases, passing an empty and a non-empty string as Password and the outcome is the same in both cases.

With the test Certificate / Private Key files it works fine in both cases.

Thank you.
Regards.
#29062
Posted: 04/01/2014 00:26:11
by Eugene Mayevski (EldoS Corp.)

Did you check version 11? It doesn't make much sense to invest time into looking for an issue that doesn't exist anymore.


Sincerely yours
Eugene Mayevski