PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

UTF-8 chars in password break PKCS #12 #404

Open pboguslawski opened 2 months ago

pboguslawski commented 2 months ago

PKCS #12 file generated with code from https://github.com/PeculiarVentures/PKI.js/issues/403 and password with UTF-8 chars i.e. żółw cannot be opened in openssl...

$ openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

$ openssl pkcs12 -info -in test.p12 
Enter Import Password:  // correct password "źółw" is typed
MAC: sha256, Iteration 600000
MAC length: 32, salt length: 64
Warning: using broken algorithm
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 600000, PRF hmacWithSHA256
Error outputting keys and certificates
40E7243F357F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
40E7243F357F0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:86:maybe wrong password

$ openssl pkcs12 -info -in test.p12 
Enter Import Password: // incorrect password "bad" is typed
MAC: sha256, Iteration 600000
MAC length: 32, salt length: 64
Mac verify error: invalid password?

...nor imported to Firefox:

Failed to decode the file. Either it is not in PKCS #12 format, has been corrupted, or the password you entered was incorrect.

No such problem when password contains ASCII chars only i.e. zolw123!@#.