
p12's Introduction

p12

pure rust pkcs12 tool

License: MIT OR Apache-2.0

p12's People

Contributors

ancwrd1, hjiayz, jcaesar, keruspe, ubamrein


p12's Issues

TLS Authentication fails when using OpenSSL V3.0.2

Issue summary

Generating certificates using OpenSSL v3.0.2 will return the error

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: IOError(Custom { kind: InvalidData, error: ASN1Error { kind: Invalid } })', controller/src/main.rs:45:6

To solve this problem when generating pkcs12 certificates, the -legacy option needs to be set. Once pkcs12 certificates are generated using the -legacy option, it all works fine.

Generating pkcs12 certificate

openssl pkcs12 \
    -legacy \
    -export \
    -inkey user.key \
    -in user.pem \
    -out user.p12 \
    -passout pass:""

Resolution

Update the pkcs12 certificate parsing to handle the OpenSSL v3 generated certificates.

Rust details

rustc: rustc 1.69.0 (84c898d65 2023-04-16)
lapin: lapin = { version="2.1.2", features = ["rustls", "rustls-native-certs"] }

System details

Operating System: Ubuntu 22.04
Openssl version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Helpful information

OpenSSL has a migration guide here that deals with the PKCS#12 API updates.

โš ๏ธ This issue was originally filed here, but was directed towards this crate instead.

RC2 is deprecated by OpenSSL 3.2.0

From https://www.openssl.org/news/cl32.txt:

  • The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
    RC5, DESX and DES have been moved to the legacy provider.

In practice, this means that trying to open an encrypted PKCS#12 bundle generated by p12::EncryptedData::from_safe_bags using OpenSSL will fail:

$ openssl pkcs12 -in truststore.p12 
Enter Import Password:
Error outputting keys and certificates
40976AB7AB730000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This can be worked around by using the -legacy flag:

$ openssl pkcs12 -in truststore.p12 -legacy | head -n5
Enter Import Password:
Bag Attributes
    2.16.840.1.113894.746875.1.1: <No Values>
subject=CN = secret-operator self-signed
issuer=CN = secret-operator self-signed
-----BEGIN CERTIFICATE-----
[snip]

However, it would still be good to switch to a more modern algorithm.
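Added example (not code from the p12 crate or from either issue above): a small DER walker that lists the PKCS#12 PBE schemes a bundle uses and flags the RC2/RC4 ones that OpenSSL 3 serves only from the legacy provider, which is the RC2-40-CBC behind the error output above and the -legacy workaround in the first issue. The OID table is standard PKCS#12/PKCS#5, but the two hex inputs are constructed fragments rather than real bundles, and treating 3DES and PBES2 as still available in the default provider is an assumption about OpenSSL 3's provider split.

```python
from typing import Iterator, List, Tuple

PBE_SCHEMES = {  # PKCS#12 PBE OID -> (name, cipher moved to OpenSSL 3's legacy provider?)
    "1.2.840.113549.1.12.1.1": ("pbeWithSHAAnd128BitRC4", True),
    "1.2.840.113549.1.12.1.2": ("pbeWithSHAAnd40BitRC4", True),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", False),
    "1.2.840.113549.1.12.1.5": ("pbeWithSHAAnd128BitRC2-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", True),
    "1.2.840.113549.1.5.13": ("PBES2 (e.g. PBKDF2 + AES-256-CBC)", False),
}

def _tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split buf into DER (tag, body) pairs; raises if it is not well-formed DER."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]            # IndexError on a truncated header
        n = first & 0x7F if first >= 0x80 else 0   # long form: number of length bytes
        if first == 0x80 or n > 4: raise ValueError("indefinite or oversized length")
        length = first if n == 0 else int.from_bytes(buf[i + 2:i + 2 + n], "big")
        start = i + 2 + n
        if start + length > len(buf): raise ValueError("length overruns buffer")
        out.append((tag, buf[start:start + length]))
        i = start + length
    return out

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                              # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def iter_oids(buf: bytes) -> Iterator[str]:
    """Yield every OID; descends into constructed types and DER-parsable OCTET STRINGs
    (PKCS#12 nests its AuthenticatedSafe that way), skipping opaque salts/ciphertext."""
    for tag, body in _tlvs(buf):
        if tag == 0x06: yield _decode_oid(body)
        elif tag & 0x20 or tag == 0x04:
            try: _tlvs(body)
            except (ValueError, IndexError): continue
            yield from iter_oids(body)

def needs_legacy_provider(p12_der: bytes) -> List[str]:
    """Names of PBE schemes in the bundle that `openssl pkcs12` rejects without -legacy."""
    found = [PBE_SCHEMES[o] for o in iter_oids(p12_der) if o in PBE_SCHEMES]
    return [name for name, legacy in found if legacy]

# Constructed sample: EncryptedContentInfo-style fragment inside an OCTET STRING, using
# pbeWithSHAAnd40BitRC2-CBC with an 8-byte salt, 2048 iterations and opaque ciphertext.
SAMPLE_RC2_40 = bytes.fromhex("0428" "3026" "301c" "060a2a864886f70d010c0106"
    "300e" "0408a1b2c3d4e5f60718" "02020800" "8006deadbeef0102")
# Constructed sample: PBES2 with simplified parameters (only the PBKDF2 and AES-256-CBC OIDs).
SAMPLE_PBES2 = bytes.fromhex("3023" "06092a864886f70d01050d"
    "3016" "06092a864886f70d01050c" "060960864801650304012a")
```

Running needs_legacy_provider over a real .p12 read from disk gives the same answer as the failing `openssl pkcs12` call above, before any password is needed.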

Crate p12 rust - Error [E0599]: no method name `decrypt_padded_vec` found for struct `Decryptor` - in docker build

Hello,
I've posted this question on Stack Overflow, so I'm not sure I should repeat the entire text. I'm adding the link, but if you think I should add the text here, then I'll do so.

https://stackoverflow.com/questions/71151465/crate-p12-rust-error-e0599-no-method-name-decrypt-padded-vecfound-for-str?noredirect=1#comment125778229_71151465

So, as a brief summary. I've recently had problems with p12 library version 0.6.2 during my docker builds.
I didn't have such a problem on local builds, so, after some search, I pinned down the difference to being the version of p12 that was being used.
The failing one uses p12 v0.6.2, and the ones that work use v0.6.0.
Posting the issue here was a suggestion on Stack Overflow.

Thank you

Seems to construct an invalid pkcs12 file

I'm trying to convert a pem key/cert into a pkcs12 (so the equivalent of openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_crt.pem).

I'm using the pem crate to get the DER-encoded data.

Here's the code I'm using to convert:

use std::fs::File;
use std::io::{Read, Write};
use std::path::Path;

/// Read a PEM key and certificate and write them out as a PKCS#12 bundle
/// (no CA chain, empty password, empty friendly name).
fn convert<P: AsRef<Path>>(key: P, cert: P, out: P) -> Result<(), Box<dyn std::error::Error>> {
    let mut key_buf = Vec::new();
    File::open(key)?.read_to_end(&mut key_buf)?;
    let key_pem = pem::parse(&key_buf)?; // `contents` holds the DER bytes

    let mut cert_buf = Vec::new();
    File::open(cert)?.read_to_end(&mut cert_buf)?;
    let cert_pem = pem::parse(&cert_buf)?;

    // PFX::new(cert_der, key_der, ca_der, password, friendly_name); panics if it fails
    let pfx = p12::PFX::new(&cert_pem.contents, &key_pem.contents, None, "", "")
        .expect("Failed to convert");

    let pkcs12der = pfx.to_der();

    let mut outf = File::create(out)?;
    outf.write_all(&pkcs12der)?;

    Ok(())
}

Trying to do openssl pkcs12 -info -in output.pfx on the created file gives:

Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    friendlyName:
    localKeyID: [snip]

[correct cert data]

PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
    friendlyName:
    localKeyID: [snip]
Error outputting keys and certificates
140280276436352:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140280276436352:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
140280276436352:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
140280276436352:error:2306A065:PKCS12 routines:PKCS12_item_decrypt_d2i:decode error:crypto/pkcs12/p12_decr.c:114:

Any help would be much appreciated :)
