Is it possible to work with x509 certificates in a pkcs7 bundle file?

I need to sign all certificates in a bundle with extra x509 extensions, e.g. (if they were a single x509 crt file): `openssl x509 -CA corp-ca.crt -CAkey corp-ca.key -randserial -sha256 -extensions sub_ca -extfile sub_ca.cfg -in sub-ca.crt -out with-extensions-ca.crt`

The p7b file has dozens of certificates, but they are not chained. Just a bundle.

gcb

  • AFAIK the [`openssl x509` subcommand](https://www.openssl.org/docs/man1.1.1/man1/x509.html) only supports PEM and DER formats and I *think* that means that you'll first need to extract the PKCS #7 bundle, do what needs to be done and recreate the bundle. – HBruijn Jun 22 '23 at 18:59
  • I'm not well versed on PKCS... but my bundle is in DER format, just bundled, i.e. `-in file.p7b -inform DER` – gcb Jun 22 '23 at 19:44
  • `openssl x509` does not support p7b as either input or output. Expanding on what @HBruijn says: `openssl pkcs7 -in p7b -inform der -print_certs` to extract the certs and a text tool like awk or perl to split them apart; process each; then concatenate and use the oxymoronic `openssl crl2pkcs7 -nocrl -certfile x` to convert back to p7b. – dave_thompson_085 Jun 23 '23 at 01:56
  • Correction: your not-really-correct answer reminded me you want p7b in DER, so make that `openssl crl2pkcs7 -nocrl -certfile concatenated_pem_certs -outform der [-out p7bfile]`. – dave_thompson_085 Jun 26 '23 at 04:58

1 Answer

Comments seem to agree there's no way. Best solution I've assembled from other sources is:

# unpack the DER PKCS#7 bundle into a sequence of PEM certificates
# (NOT still pkcs7: -print_certs writes one plain PEM cert after another)
openssl pkcs7 -inform DER -in FILE.der.p7b -print_certs -out FILE.certs.pem
# create a tmp dir with one file (xx0000, xx0001, ...) per certificate
mkdir tmp
cd tmp && csplit -z -n 4 ../FILE.certs.pem '/END CERTIFICATE/+2' '{*}'
# '{*}' repeats the split for every cert; use e.g. {178} to require exactly that many
# now loop thru all the pieces and re-sign each one with the extra extensions
for f in xx????; do
  openssl x509 -CA ../corp-ca.crt -CAkey ../corp-ca.key -randserial -sha256 \
    -extensions sub_ca -extfile ../sub_ca.cfg -in "$f" -out "$f.crt"
done
# and finally concatenate and pack them back up as a DER PKCS#7 bundle
cat xx????.crt > ../all-with-extensions.pem
openssl crl2pkcs7 -nocrl -certfile ../all-with-extensions.pem -outform DER -out ../with-extensions.p7b
gcb

  • No, the output of `pkcs7 -print_certs` is NOT 'still pkcs7'; it is instead a sequence of separate certificates, each in PEM (which you don't need to specify). I told you already how to convert such a sequence of certs back to pkcs7, except I forgot you want DER so add `-outform der`. – dave_thompson_085 Jun 26 '23 at 04:57
  • I see. I didn't see much difference from the actual p7b and the list I got :) just assumed the list was a p7b... I'm cleaning all this up and will update the answer after testing the whole code now – gcb Jul 05 '23 at 17:41
  • btw, I'm not set on any format. I just need to get a list that happens to be in p7b, add an extension `nameConstraints=critical,permitted;DNS...` and then insert the trust chain into a browser. – gcb Jul 05 '23 at 17:43
  • p7b/c is a _single_ ASN.1 object with structure PKCS7 SignedData that _contains_ usually multiple certificates; in PEM it has _one_ set of BEGIN/END lines, although in DER you don't see that. The PEM-sequence-of-certs is a sequence of one or more separate ASN.1 objects each with structure X.509/PKIX Certificate and separate BEGIN/END lines; it doesn't have a supported DER form. – dave_thompson_085 Jul 06 '23 at 06:26
  • @dave_thompson_085 thanks again. I'm having a hard time understanding this but getting there. Too many RFCs and the tools don't work too well with this format. Plus the terms are not helpful... what even is a "degenerate structure"? :) ...still trying to wrangle the PEM format to hold my new constraint... trying to add it only to the CRL if I got these last parts right. – gcb Jul 07 '23 at 15:03
  • 'degenerate' here is math jargon, not a moral judgement. (Modern cryptography is mostly math and many cryptographers are at least partly mathematicians.) PKCS7/CMS SignedData was _intended_ and _designed_ to handle signing of data, as the name indicates, but if you create a SignedData with no data and no signatures it can still contain cert(s) and/or CRL(s); that is a 'degenerate case' -- a SignedData that doesn't sign any data. It's kind of like Jack Nicholson's toast in Five Easy Pieces -- a BLT sandwich on toast with the Bacon, Lettuce and Tomato all removed from the 'sandwich'. ... – dave_thompson_085 Jul 10 '23 at 03:28
  • For background consider https://stackoverflow.com/questions/56492886/how-to-convert-java-keystore-to-pkcs7-p7b-file and the links there, especially in my comment. – dave_thompson_085 Jul 10 '23 at 03:33