Pkpass generation fails after yearly signature renewal

Question

I am generating the pkpass files via an AWS Lambda function. So far I have been using the certificate.pem, private.key and wwdr.pem certificates with the wallet-py3k (https://github.com/pretix/wallet-py3k) library. Now, after a year, the certificate needs to be renewed. So I went through the process of generating the .p12 file in order to extract the certificate.pem and private.key out of it. The wwdr.pem I did not touch. The generation of the pkpass now fails with DecryptFail messages from openssl. I have provided openssl11 to the lambda function via a dedicated lambda layer. And for the new pkpass I used a different openssl version. Could that be the reason?

Answer 1

Score: 1

It is possible that the key in your .p12 file doesn't match the certificate.

To check:

Extract the certificate and key (replace file.p12 with your .p12 filename):

openssl pkcs12 -in file.p12 -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in file.p12 -nocerts -out privatekey.pem

Get the modulus for each:

openssl rsa -noout -modulus -in privatekey.pem | openssl md5
openssl x509 -modulus -noout -in certificate.pem | openssl md5

If they don't match, then you have the wrong key for your certificate.

Answer 2

Score: 0

I generated the private.key in the wrong way.

The correct 2 steps are:

  1. Create the certificate.pem with the .p12 file via:
     openssl pkcs12 -in your_p12_file.p12 -out certificate.pem -nodes
  2. Create the private.key out of the certificate.pem via:
     openssl rsa -in certificate.pem -out private.key

Together with the wwdr.pem (the Apple certificate needs to be in .pem too), pkpass files can be signed via the wallet-py3k library.
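
The key/certificate check from Answer 1 applied to the files produced in Answer 2, as an added shell example that is not part of the original posts. It compares public keys instead of RSA moduli, so it also covers EC keys and reports an unreadable or still-encrypted key separately from a mismatch; the function names check_pair and cert_valid_for and the 30-day threshold are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original answers): pre-deployment check for the
# pass-signing files. File names follow this page; function names are made up.

# check_pair CERT_PEM KEY_PEM [PASSIN]
# PASSIN is an openssl pass-phrase source such as env:KEY_PASS. The default
# "pass:" (empty passphrase) makes an encrypted key fail instead of prompting.
# Returns 0 = key matches certificate, 1 = mismatch, 2 = certificate unreadable,
#         3 = key unreadable (wrong or missing passphrase, or not a key).
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 3
    [ -n "$key_pub" ] || return 3
    # Both commands print the SubjectPublicKeyInfo in PEM form, so a plain
    # string comparison works for RSA and EC keys alike.
    [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT_PEM DAYS
# Succeeds if the certificate has not expired and will not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Command-line use: ./check_pass_certs.sh certificate.pem private.key [PASSIN]
if [ "$#" -ge 2 ]; then
    check_pair "$1" "$2" "${3:-}"
    case $? in
        0) echo "OK: key matches certificate" ;;
        1) echo "FAIL: key does not belong to this certificate" ;;
        2) echo "FAIL: cannot read certificate $1" ;;
        3) echo "FAIL: cannot load key $2 (encrypted, wrong passphrase, or not a key)" ;;
    esac
    cert_valid_for "$1" 30 || echo "WARN: certificate expired or expires within 30 days"
fi
```

A certificate.pem written by step 1 of Answer 2 holds both the certificate and the key; openssl x509 reads only the certificate block from it, so the same file can be passed as the first argument.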
