WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!

This is a very, very, very early patch for PKCS#12 support in SSLeay. Don't
rely on anything staying as it is. Function names may change, parameters change
or be deleted entirely. So if you want a nice stable API then this (currently)
isn't it. It has been tested against 'reference' PKCS#12 files and seems to
work, but don't expect anything, OK?

Still with me? Good. The patch is meant to be applied to SSLeay 0.8.1. To use it
go to the SSLeay main directory and type:
    patch -p1 < pkcs12.diff
If you are in luck it will have worked. If SSLeay is not plain 0.8.1 and you
have modified some things (like objects.h) then you may need to apply some of
the patches manually.

If it patches OK then after the usual config commands try:
    make links
    make errors
    make install
If you are still in luck then all will compile OK and you will have a
new application linked into the ssleay binary called pkcs12 (oddly enough).

pkcs12 doesn't do anything too clever at the moment. If you do a:
    pkcs12 -in test.p12 -out test.pem
and enter a valid password it should dump all certificates and private
keys to 'test.pem'. That is assuming you can find a PKCS#12 file to try it
on.

If you do pkcs12 -export -in test.pem -out test.p12 it will expect to find a
private key and certificate in 'test.pem' and will dump them into a PKCS#12
file 'test.p12'. If you use the option -certsfile file.pem then it will add
all the certificates in that file too. Currently all PKCS#12 files are DER
(well strictly speaking BER with some DER thrown in) and all certificate/key
files are PEM format.

Only the password based encryption modes are supported at present. Enveloping
stuff will be added later.

There is preliminary API documentation in crypto/pkcs12/pkcs12.doc. If you
haven't read the current PKCS#12 draft (posted to the pkcs-tng mailing list,
NOT the draft on www.rsa.com) then this probably won't make much sense.

A quick note about MSIE 4.0 final. The export option exports a PKCS#12 file
containing the certificate chain and private key. However the whole lot is
encrypted using RC2-40 (yes including the private key). The 'pkcs12' app
will happily read these files. I haven't had time to experiment with import
much yet, but it will accept 'pfx' files so you can use my program 'pfx' to
produce a file MSIE 4.0 should import (and it uses stronger encryption for
the private key).
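
As an added example (not part of this patch or of SSLeay), the Python code
below lists the password-based encryption OIDs that can be read from a PKCS#12
file without the password and marks the 40-bit ones, which is how the RC2-40
case described above can be spotted before a file is trusted with a private key.
Assumptions: the OID arc 1.2.840.113549.1.12.1 and the algorithm names are those
of PKCS #12 v1.0 (RFC 7292) and may differ from the draft this README refers to;
walk, pbe_report, tlv, alg and SAMPLE are names made up for this example.

```python
# Added example, not SSLeay code. Assumption: OID names as in PKCS #12 v1.0 (RFC 7292).
PBE_ARC = bytes.fromhex("2a864886f70d010c01")    # encoded 1.2.840.113549.1.12.1
PBE_IDS = {1: "pbeWithSHAAnd128BitRC4", 2: "pbeWithSHAAnd40BitRC4",
           3: "pbeWithSHAAnd3-KeyTripleDES-CBC", 4: "pbeWithSHAAnd2-KeyTripleDES-CBC",
           5: "pbeWithSHAAnd128BitRC2-CBC", 6: "pbeWithSHAAnd40BitRC2-CBC"}

def walk(buf, pos, end, found):
    """Walk single-byte-tag BER/DER TLVs in buf[pos:end]; return the next offset."""
    while pos < end:
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if tag == 0 and first == 0:              # end-of-contents marker
            return pos
        if first == 0x80:                        # BER indefinite length: runs to the marker
            pos = walk(buf, pos, end, found)
            continue
        n = first & 0x7F if first & 0x80 else 0  # long form: n length bytes follow
        length = int.from_bytes(buf[pos:pos + n], "big") if n else first
        pos += n
        stop = pos + length
        if stop > end:
            raise ValueError("truncated element")
        body = buf[pos:stop]
        if tag == 0x06 and len(body) == 10 and body[:9] == PBE_ARC:
            found.append(body[9])                # last arc selects the PBE mode
        elif tag & 0x20:                         # constructed: descend
            walk(buf, pos, stop, found)
        elif tag == 0x04:                        # OCTET STRING may wrap nested structures
            inner = []
            try:
                walk(body, 0, len(body), inner)
                found.extend(inner)
            except (ValueError, IndexError):
                pass                             # opaque bytes such as a salt
        pos = stop
    return pos

def pbe_report(p12_bytes):
    """Return [(name, is_40_bit)] for each PBE OID readable without the password."""
    found = []
    walk(p12_bytes, 0, len(p12_bytes), found)
    return [(PBE_IDS.get(i, f"pkcs-12PbeIds.{i}"), i in (2, 6)) for i in found]

# Constructed skeleton, not a complete PKCS#12 file: two AlgorithmIdentifiers in an OCTET STRING.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def alg(n):
    return tlv(0x30, tlv(0x06, PBE_ARC + bytes([n])) + tlv(0x30, tlv(0x04, b"saltsalt")))
SAMPLE = tlv(0x30, tlv(0x04, tlv(0x30, alg(6)) + tlv(0x30, alg(3))))
```

Anything nested inside an encrypted part is only visible after decryption, so
the report covers the outer algorithm identifiers; OCTET STRINGs split into
several segments are not reassembled.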

All comments are welcomed. However since I don't get paid for this don't expect
large amounts of free consultancy :-) Large amounts of paid consultancy are
quite another matter however ...

shenson@bigfoot.com
