pure rust pkcs12 tool
License: MIT OR Apache-2.0
Generating certificates using OpenSSL v3.0.2 will return the error
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: IOError(Custom { kind: InvalidData, error: ASN1Error { kind: Invalid } })', controller/src/main.rs:45:6
To solve this problem when generating pkcs12 certificates, the -legacy option needs to be set. Once pkcs12 certificates are generated using the -legacy option, it all works fine.
openssl pkcs12 \
-legacy \
-export \
-inkey user.key \
-in user.pem \
-out user.p12 \
-passout pass:""
Update the pkcs12 certificate parsing to handle the OpenSSL v3 generated certificates.
rustc: rustc 1.69.0 (84c898d65 2023-04-16)
lapin: lapin = { version="2.1.2", features = ["rustls", "rustls-native-certs"] }
Operating System: Ubuntu 22.04
Openssl version: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
OpenSSL has a migration guide here that deals with the PKCS#12 API updates.
From https://www.openssl.org/news/cl32.txt:
- The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
RC5, DESX and DES have been moved to the legacy provider.
In practice, this means that trying to open an encrypted PKCS#12 bundle generated by p12::EncryptedData::from_safe_bags using OpenSSL will fail:
$ openssl pkcs12 -in truststore.p12
Enter Import Password:
Error outputting keys and certificates
40976AB7AB730000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
This can be worked around by using the -legacy flag:
$ openssl pkcs12 -in truststore.p12 -legacy | head -n5
Enter Import Password:
Bag Attributes
2.16.840.1.113894.746875.1.1: <No Values>
subject=CN = secret-operator self-signed
issuer=CN = secret-operator self-signed
-----BEGIN CERTIFICATE-----
[snip]
However, it would still be good to switch to a more modern algorithm.
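Added example (not the p12 crate's code and not from either issue author): a std-only Rust tool that walks the DER of a .p12 file, pulls out every algorithm OID and classifies the password-based encryption schemes it finds, so you can tell before running openssl pkcs12 whether the 3.x default provider will open the bundle or whether -legacy is needed. The classification follows the changelog quoted above: the RC2 and RC4 PKCS#12 PBE schemes now live only in the legacy provider (RC2-40-CBC is the one the error above names), the 3DES schemes are still in the default provider but deprecated, and PBES2 is what OpenSSL 3 writes when you export without -legacy (the default there is AES-256-CBC with PBKDF2), which is the shape the first issue's parser failed on. The byte array at the bottom is a constructed sample (an RC2-40 AlgorithmIdentifier, a PBES2 one, a 3DES one wrapped in an OCTET STRING the way PKCS#12 nests content, and an opaque OCTET STRING standing in for ciphertext), not a real bundle; pass a path as the first argument to run it on a real file.

```rust
// Added example, not code from the p12 crate: std-only DER walker that lists the PBE
// schemes in a PKCS#12 bundle, so you can tell whether OpenSSL 3's default provider
// will open it or `-legacy` is required. Usage: `cargo run -- bundle.p12` (no arg: sample).
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PbeClass {
    LegacyProviderOnly(&'static str),     // RC2/RC4: only in OpenSSL 3's legacy provider
    DeprecatedButAvailable(&'static str), // 3DES: still in the default provider
    Modern(&'static str),                 // PBES2 (RFC 8018): OpenSSL 3 -export default
}

/// Map a dotted OID to the PKCS#12 / PKCS#5 PBE scheme it names, if it is one.
pub fn classify_pbe(oid: &str) -> Option<PbeClass> {
    use PbeClass::*;
    Some(match oid {
        "1.2.840.113549.1.12.1.1" => LegacyProviderOnly("pbeWithSHA1And128BitRC4"),
        "1.2.840.113549.1.12.1.2" => LegacyProviderOnly("pbeWithSHA1And40BitRC4"),
        "1.2.840.113549.1.12.1.5" => LegacyProviderOnly("pbeWithSHA1And128BitRC2-CBC"),
        "1.2.840.113549.1.12.1.6" => LegacyProviderOnly("pbeWithSHA1And40BitRC2-CBC"),
        "1.2.840.113549.1.12.1.3" => DeprecatedButAvailable("pbeWithSHA1And3-KeyTripleDES-CBC"),
        "1.2.840.113549.1.12.1.4" => DeprecatedButAvailable("pbeWithSHA1And2-KeyTripleDES-CBC"),
        "1.2.840.113549.1.5.13" => Modern("PBES2"),
        _ => return None,
    })
}

/// One DER TLV at `pos` as (tag, content_start, content_end); rejects BER-only forms.
fn read_tlv(data: &[u8], pos: usize) -> Option<(u8, usize, usize)> {
    let (tag, first) = (*data.get(pos)?, *data.get(pos + 1)?);
    if tag & 0x1f == 0x1f || first == 0x80 || first > 0x84 { return None; } // high tag / indefinite / >4 length octets
    let n = if first < 0x80 { 0 } else { usize::from(first & 0x7f) };
    let mut len = if n == 0 { usize::from(first) } else { 0 };
    for i in 0..n { len = (len << 8) | usize::from(*data.get(pos + 2 + i)?); }
    let start = pos + 2 + n;
    let end = start.checked_add(len)?;
    (end <= data.len()).then_some((tag, start, end))
}

/// OBJECT IDENTIFIER content octets to dotted-decimal form.
fn decode_oid(content: &[u8]) -> Option<String> {
    if content.is_empty() || *content.last()? & 0x80 != 0 { return None; } // empty or truncated
    let (mut arcs, mut acc) = (Vec::<u64>::new(), 0u64);
    for &b in content {
        if acc > (u64::MAX >> 7) { return None; } // subidentifier overflows u64
        acc = (acc << 7) | u64::from(b & 0x7f);
        if b & 0x80 != 0 { continue; }
        if arcs.is_empty() {
            let x = acc.min(80) / 40; // first subidentifier packs X*40 + Y, X in 0..=2
            arcs.extend([x, acc - x * 40]);
        } else { arcs.push(acc); }
        acc = 0;
    }
    Some(arcs.iter().map(|a| a.to_string()).collect::<Vec<_>>().join("."))
}

/// Collect every OID. Constructed elements are descended; an OCTET STRING only when its whole
/// payload is one DER SEQUENCE (how PKCS#12 nests content), so ciphertext/key bytes are skipped.
fn collect_oids(data: &[u8], out: &mut BTreeSet<String>) -> Result<(), String> {
    let mut pos = 0;
    while pos < data.len() {
        let (tag, start, end) = read_tlv(data, pos).ok_or(format!("malformed DER at {pos}"))?;
        let body = &data[start..end];
        if tag == 0x06 {
            out.insert(decode_oid(body).ok_or(format!("bad OID at {start}"))?);
        } else if tag == 0x04 {
            let mut nested = BTreeSet::new();
            if matches!(read_tlv(body, 0), Some((0x30, _, e)) if e == body.len())
                && collect_oids(body, &mut nested).is_ok() { out.extend(nested); }
        } else if tag & 0x20 != 0 {
            collect_oids(body, out)?;
        }
        pos = end;
    }
    Ok(())
}

/// PBE schemes found in a DER-encoded PKCS#12 bundle, sorted by OID.
pub fn audit_pbe(p12_der: &[u8]) -> Result<Vec<(String, PbeClass)>, String> {
    let mut oids = BTreeSet::new();
    collect_oids(p12_der, &mut oids)?;
    Ok(oids.into_iter().filter_map(|o| classify_pbe(&o).map(|c| (o, c))).collect())
}
/// True when `openssl pkcs12` on 3.x needs `-legacy` to open this bundle.
pub fn needs_legacy_provider(p12_der: &[u8]) -> Result<bool, String> {
    Ok(audit_pbe(p12_der)?.iter().any(|(_, c)| matches!(c, PbeClass::LegacyProviderOnly(_))))
}

/// Constructed sample, not a real bundle: SEQUENCE { AlgId(RC2-40 PBE), AlgId(PBES2),
/// OCTET STRING { SEQUENCE { OID 3DES PBE } }, OCTET STRING deadbeef (opaque, skipped) }.
pub const SAMPLE_DER: &[u8] = &[
    0x30, 0x31, 0x30, 0x0C, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06,
    0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D, 0x04, 0x0E, 0x30,
    0x0C, 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03, 0x04, 0x04, 0xDE,
    0xAD, 0xBE, 0xEF,
];
fn main() {
    let der = std::env::args().nth(1).map_or_else(|| SAMPLE_DER.to_vec(), |p| std::fs::read(p).expect("read bundle"));
    println!("{:?}  needs -legacy: {:?}", audit_pbe(&der), needs_legacy_provider(&der));
}
```

The OCTET STRING descent is a heuristic: PKCS#12 puts the AuthenticatedSafe and each SafeContents inside an OCTET STRING, while shrouded key material and EncryptedData ciphertext are OCTET STRINGs that are not DER, so the walker only recurses when the whole payload parses as exactly one SEQUENCE. On a bundle written by OpenSSL 3 without -legacy you should see only PBES2 reported, and on one written by the crate as it stood when this issue was filed you will see pbeWithSHA1And40BitRC2-CBC flagged as legacy-provider-only.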
Hello,
I've posted this question on stack overflow, so I'm not sure I should repeat the entire text. I'm adding the link, but if you think I should add the text here, then I'll do so.
So, as a brief summary. I've recently had problems with p12 library version 0.6.2 during my docker builds.
I didn't have such a problem on local builds, so, after some search, I pinned down the difference to being the version of p12 that was being used.
The failing one uses p12 v0.6.2, and the ones that work use v0.6.0.
Posting the issue here was a suggestion on stack-overflow.
Thank you
I'm trying to convert a pem key/cert into a pkcs12 (so the equivalent of openssl pkcs12 -export -out client.pfx -inkey client_key.pem -in client_crt.pem).
I'm using the pem crate to get the der encoded data.
Here's the code I'm using to convert:
use std::fs::File;
use std::io::{Read, Write};
use std::path::Path;

/// Bundle a PEM private key and PEM certificate into a PKCS#12 file
/// (empty password, no CA chain, empty friendly name).
fn convert<P: AsRef<Path>>(key: P, cert: P, out: P) -> Result<(), Box<dyn std::error::Error>> {
    // Read and PEM-decode the key; `.contents` is the DER payload between the PEM armor lines.
    let mut key_buf = Vec::new();
    File::open(key)?.read_to_end(&mut key_buf)?;
    let key_pem = pem::parse(&key_buf)?;
    // Same for the certificate.
    let mut cert_buf = Vec::new();
    File::open(cert)?.read_to_end(&mut cert_buf)?;
    let cert_pem = pem::parse(&cert_buf)?;
    // PFX::new(cert_der, key_der, ca_der, password, friendly_name); None means no CA certificate.
    let pfx = p12::PFX::new(&cert_pem.contents, &key_pem.contents, None, "", "")
        .expect("Failed to convert");
    let pkcs12der = pfx.to_der();
    let mut outf = File::create(out)?;
    outf.write_all(&pkcs12der)?;
    Ok(())
}
Trying to do openssl pkcs12 -info -in output.pfx on the created file gives:
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
friendlyName:
localKeyID: [snip]
[correct cert data]
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
friendlyName:
localKeyID: [snip]
Error outputting keys and certificates
140280276436352:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
140280276436352:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
140280276436352:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
140280276436352:error:2306A065:PKCS12 routines:PKCS12_item_decrypt_d2i:decode error:crypto/pkcs12/p12_decr.c:114:
Any help would be much appreciated :)
I noticed the parse method which seems to be able to parse an existing bundle into a PFX struct, but looking at the code I don't really see how I can get the cert, key and CA cert from there? Thanks!