[PKCS12] Generated PKCS12 DER unreadable in iOS, works with openssl CLI about forge HOT 3 CLOSED

There was an error with the "algorithm" option name for creating a PKCS#12 via forge. The option wasn't being properly passed through to the private key encryption API.

This has been fixed now -- the correct option name is "algorithm" not "encAlgorithm", however, "encAlgorithm" will still be accepted for backwards compatibility and should actually do the right now. Before, using "encAlgorithm" would have no effect; the default algorithm for encryption (AES-128 CBC) would be chosen. This is why the algorithm information is not displayed by OpenSSL, as it similarly does not display this information for AES-CBC if you use the: -keypbe AES-128-CBC option when exporting a PKCS#12 via OpenSSL's CLI. If you use "3des" now in forge, OpenSSL will display that information via its CLI.

I'm not sure if this actually fixes the problem you have with loading in iOS. The documentation for SecPKCS12Import does seem to indicate it should accept keys encrypted with AES-128-CBC.

from forge.

It does fix the problem! Thanks!

Looking at the openssl default for encrypting a private key when creating a PKCS#12, 3DES is the default algo, unless specified otherwise. It seems SecPKCS12Import assumes this is the case...

Shouldn't 3DES be the default in forge too? Seems the most compatible option.

from forge.

@matthijsvandenbos, great! As for the default... AES was originally chosen as the default because it was implemented in forge before 3DES. So now that there is 3DES support in forge, AES has precedence. It is also faster and is the effective replacement for 3DES -- which really should only be used for compatibility purposes (with legacy applications) at this point.

from forge.