I am wondering how to extract keys from an Apple .p12 file. From my limited understanding, a .p12 file is a combination of X504 certificates and private keys.

I am seeing that every .p12 file I run into has a X504 certificate and at least one key, and in some situations two keys. This is due to the fact that every .p12 has an Apple developer key, and some have an extra key (possibly an Apple root authorization key). I am considering only those .p12 files with two keys as valid. My goal here is to differentiate between those .p12 files that have one key and those that have two.

So far I have used OpenSSL to be able to inspect X504 files and the keys of any .p12. For example I have this code that does the inspections for all .p12 files in a directory:

Dir.glob('*.p12').each do |p|
  file = File.read(p)
  p12 = OpenSSL::PKCS12.new(file, "")

  # note that this new certificate is in an X509 format
  cert = p12.certificate
  puts p12.inspect()
  puts cert.inspect()
end

This is my output:

#<OpenSSL::PKCS12:0x007fcf33018920>
#<OpenSSL::X509::Certificate subject=/UID=FFBMT4K5/CN=iPhone Distribution: A.H. Belo Management Services, Inc./OU=FFBMT4K5/O=FFBMT4K5/C=US, issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority, serial=36597980220620, not_before=2012-01-11 16:30:22 UTC, not_after=2013-01-10 16:30:22 UTC>

Now my problem is getting keys. If I do something like this:

puts p12.key

I get a long string on encrypted data like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4Pet7CZrPr4x/SKjMwy5avXmcguzQlix/vBq+qq7aKQhctKr
d5HE7wk4jWbDGj7Rf9ckeFFMktTTbKYmnKCywCct/uJmgavFl1+t45DIQL2V1JMU
JSXvtjDXoKFweKQgdiha5mBNL70+ivqxMzJJw19E+MhFoZ6tFOgQ5gPLcDLR5WTU
ezxH9RbXGWbq+CMBjJ+lw8/Ako7IOm+d95ZTM6u333qp0dsn+1/I/zGeWE1gJXIl
8mIkvrp7+BDTvXHYALADwXnXijqvd/bANfetsDQ+gxRnc06dFt114JUuptcXGwbg
//ykDzNYhuibQD1Z65KfTB/ntQ1aE5FtHEXirwIDAQABAoIBACNCrt/0pZqP9QXY
B/xYYjeBkz0M2GvtuvhadmoTmIwuLY/xtS5oipVsvJBtKudSMUP4VJ8HHxlkgj7l
S+gAyAOWIH9yvN5WLgIr3PVuG/UJwhIve1jXOVs1DJcAtsAx+WSLrrOtJGv3HXZr
FJsRpr4YkJbtzPwoArjkJsHmllxfT2zeQPMJy+RQ/qlHUqsude/ahC0I3RiW3SgB
EKTNM1vGTEkox8bUUhHqNY3ERlihFpZC2wSkroETDY3RkSjuPkNy7uT/b66a/qjj
qaIA0YLhNOYGdN2llJN5GJjYYVKakpiipqcHCFrV1+JtbFB2tKhqAvK6fjCZcSFF
fW58owECgYEA/g8FvAPcejPR3O8E1ydNWChhd9UZQUeQNCET+lY3Dxwklk+u1140
yw/u2hUoNdJLfev1HtlYruglD9jW/LGoLaPodQfcHcaCSfdJa1mmKfSieApOe15+
ijO3WpZK/MJUTteGVMW/B/QnxPBGtsDo6q2v2YxA7fOhzmImn5hgxlsCgYEA4q/A
DBKe1WDZPUyG3R/Cfl5AEqEHly6VkCPFF+uYFZzep/SN/ez34r7fmcfl0RL7H9kn
Q4WBaCMbCgG9dErORW99usoBsjys5pojstNJDZwACUg9rPnV/+uUqMyocjeN0Vrl
2Vg0dC8HH1hLZPLkp+MAy2nNzmnnHcTKiTqsDT0CgYEApVzfzaXxvvS1t4k37Fbf
h+8YqefhfVT4LoYNO9ccFVCrG88XrYTa9gUT4Yz91DJiAr8vl/m+OHJPlUX9gRKd
tb9HEc2g3xyTN1OmzSHX/t0FVv7WYIR79rZ8tJC4lFZki8DK5aikk6e+rvf5/wAH
WqDcocwhgwAeJHhMTXrgGpsCgYBGYqWx2fJBdNHfK6zQafUdAazJXACcW5WK7OBc
vgU56Lxl0BRqnLKXUAbjm+Lq2Qbqa6W6XHDC4euaXtHxkuybOLQEVIbUTeytqXye
IOaU+DQ2rZyg4e4liYNeKjW/SSqar6ugobefv55piCPY02ZWDrEHd/G0PsPJRXpR
w8r6TQKBgFMoEZKywokRIbMCUHHRR3TVeizBMhbNUUmOiRhzsHZPJ2V63PNp3L1c
0NsRo62mbekXDRH8J0C8fLG4R64Y7+rHBQo0tBpgYepPU0NCrsojF7brtYYb3VqI
baVEPRhIy2tJylDad6M36DeOCIhvXalh8GaV/HhEr4lxykth+mGH
-----END RSA PRIVATE KEY-----

My question is how can I determine whether this certificate has more than one key, and also how I can inspect the keys for information. If what I am asking or my understanding of this issue is fundamentally flawed, please let me know. This is my first time being exposed to certificates and any information will be greatly helpful. Any points in the right direction will be appreciated, thanks in advance.

EDIT:

Using OpenSSL I can view the two shrouded keybags of a .p12. Example:

openssl pkcs12 -in some_p12.p12 -info -noout

output:

Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

So I'm looking for a couple things. Generally speaking, what exactly are these keybags? And also, how can I inspect them/determine how many I have per .p12 file using Ruby. Thanks.

I'm quite late for this one but it also interested me. I've tested creating a p12 file using two of my digital certificates (one expiring in 2023 and the other one in 2027) and this is was the openssl output:

$ openssl pkcs12 -in some_p12.p12 -info -noout

Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048*

When parsing it in ruby using OpenSSL::PKCS12 I noticed one of the certificates could be read from the in ca_certs array and the other from the certificate method:

p12 = OpenSSL::PKCS12.new(file, "1234")
p12.certificate # => The latest one with the further expiry date (2027)
p12.key # => The private key from the certificate

p12.ca_certs # => Array, with the other certificate (expiring in 2023)
p12.ca_certs.count #=> 1

I could read the private key from the certificate using key as usual, however I could not find a way to read the key corresponding the certificate from ca_certs

A .p12 contains only 1 private key, and contains 1 or more public keys. The public keys are the ones that make the chain of trust.

.p12 is a binary format. To convert it and extract to individual certificates, look for example here. The link contains all the openssl commands you need.