I'm trying to extract informations from a client certificate encrypted in PKCS#12 in Common Lisp.

I've tried with the following steps:

1. Load the given p12 file onto BIO with d2i_PKCS12_bio
2. Verify the password with PKCS12_verify_mac
3. Parse the file with PKCS12_parse

Here's the actual CFFI code:

(defun load-pkcs12 (file &optional passphrase)
  (openssl-add-all-digests)
  (pkcs12-pbe-add)
  ;; 1. Load the given p12 file
  (let ((content (slurp-file file)))
    (cffi:with-pointer-to-vector-data (data-sap content)
      (let* ((bio (bio-new-mem-buf data-sap (length content)))
             (p12 (d2i-pkcs12-bio bio (cffi:null-pointer)))
             (pkey (evp-pkey-new))
             (cert (x509-new)))
        (unwind-protect
             (progn
               ;; 2. Verify the passphrase
               (let ((res (pkcs12-verify-mac p12 (or passphrase (cffi:null-pointer)) (length passphrase))))
                 (when (zerop res)
                   (error (format nil "Error while verifying mac~%~A" (get-errors)))))

               ;; 3. Parse the file
               (cffi:with-foreign-objects ((*pkey :pointer)
                                           (*cert :pointer))
                 (setf (cffi:mem-ref *pkey :pointer) pkey
                       (cffi:mem-ref *cert :pointer) cert)
                 (let ((res
                         (pkcs12-parse p12
                                       (or passphrase (cffi:null-pointer))
                                       *pkey
                                       *cert
                                       (cffi:null-pointer))))
                   (when (zerop res)
                     (error "Error in pkcs12-parse~%~A" (get-errors)))))
               (pkcs12-free p12)

               ;; 4. Show the result
               (let ((bio (cl+ssl::bio-new (bio-s-mem))))
                 (unwind-protect
                      (progn
                        (x509-print-ex bio cert 0 0)
                        (bio-to-string bio))
                   (bio-free bio))))
          (evp-pkey-free pkey)
          (x509-free cert))))))

However, the result from X509_print_ex is always meaningless:

Certificate:
Data:
    Version: 1 (0x0)
    Serial Number: 0 (0x0)
    Signature Algorithm: itu-t
    Issuer: 
    Validity
        Not Before: Bad time value

It looks fine when I tried it with openssl command, so I assume the p12 file is okay:

$ openssl pkcs12 -in sslcert.p12 -clcerts -nokeys
Enter Import Password: <input passphrase>
MAC verified OK
Bag Attributes
    localKeyID: 31 0E 0D 31 05 8D 20 13 BA B3 81 85 57 AD 28 52 9F D0 19 BE
subject=/C=JP/ST=Tokyo/L=Minato/O=<company>/OU=Development/CN=<user>/[email protected]
issuer=/C=JP/ST=Tokyo/O=<company>/OU=Development/CN=SuperUser Intermediate CA/[email protected]
-----BEGIN CERTIFICATE-----
...PEM-encoded certificate...
-----END CERTIFICATE-----

The full snippets of mime is on gist. The main function is load-pkcs12, at the bottom of the file.

(load-pkcs12 #P"/path/to/sslcert.p12" "password")

Can anybody help here?

What I referred

• pyopenssl's equivalent (Written in Python)
• StackOverflow - Q. Password verification of PKCS12 file failed
• StackOverflow - Q. Common Lisp CFFI: pointer to the pointer
• StackOverflow - Q. How to load a PKCS#12 file in OpenSSL programmatically

I think the problem with that code is the allocation of pkey and cert as empty objects with evp-pkey-new and x509-new respectively.

The following code accomplishes something similar; note the use of cffi:foreign-alloc and cffi:mem-ref.

(define-condition ssl-pkcs12-error (error)
  ((texto :initarg :texto :initform nil :reader ssl-pkcs12-error-texto)))

(defun ssl-pkcs12-descifra (archivo contra salida)
  (let ((fp (cffi:foreign-funcall "fopen" :string archivo :string "rb" :pointer)))
    (when (cffi:null-pointer-p fp)
      (error 'ssl-pkcs12-error :texto (format nil "No pudo abrise el archivo: ~s" archivo)))
    (let ((p12 (d2i-pkcs12-fp fp (cffi:null-pointer))))
      (cffi:foreign-funcall "fclose" :pointer fp :int)
      (when (cffi:null-pointer-p p12)
        (error 'ssl-pkcs12-error :texto "Error leyendo el archivo PKCS#12"))
      (let* ((pkey (cffi:foreign-alloc :pointer))
             (cert (cffi:foreign-alloc :pointer))
             (res (pkcs12-parse p12 contra pkey cert (cffi:null-pointer))))
        (pkcs12-free p12)
        (when (zerop res)
          (error 'ssl-pkcs12-error :texto "Error interpretando el archivo PKCS#12"))
        (let ((fp (cffi:foreign-funcall "fopen" :string salida :string "w" :pointer)))
          (when (cffi:null-pointer-p fp)
            (error 'ssl-pkcs12-error
                   :texto (format nil "No pudo crearse el archivo: ~s" salida)))
          (unless (cffi:null-pointer-p (cffi:mem-ref pkey :pointer))
            (pem-write-privatekey fp (cffi:mem-ref pkey :pointer)
                                  (cffi:null-pointer) (cffi:null-pointer)
                                  0 (cffi:null-pointer) (cffi:null-pointer))
            (evp-pkey-free (cffi:mem-ref pkey :pointer)))
          (unless (null-pointer-p (cffi:mem-ref cert :pointer))
            (pem-write-x509 fp (cffi:mem-ref cert :pointer))
            (x509-free (cffi:mem-ref cert :pointer)))
          (cffi:foreign-free pkey)
          (cffi:foreign-free cert)
          (cffi:foreign-funcall "fclose" :pointer fp :int))))))