alexandercerutti / passkit-generator

The easiest way to generate custom Apple Wallet passes in Node.js
MIT License

Generating certificate wiki might need updating #154

Closed fabiancook closed 1 year ago

fabiancook commented 1 year ago

Running OS

macOS Ventura 13.4.1

Running Node openssl Version

openssl version -a
OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)
built on: Tue May 30 12:13:24 2023 UTC
platform: darwin64-arm64-cc
options:  bn(64,64)
compiler: clang -fPIC -arch arm64 -O3 -Wall -DL_ENDIAN -DOPENSSL_PIC -D_REENTRANT -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/opt/homebrew/etc/openssl@3"
ENGINESDIR: "/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/engines-3"
MODULESDIR: "/opt/homebrew/Cellar/openssl@3/3.1.1_1/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_armcap=0x187d

Description

Using the instructions provided here: https://github.com/alexandercerutti/passkit-generator/wiki/Generating-Certificates

On macOS Ventura you get back the output:

Error outputting keys and certificates
005E04F401000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Expected behavior

For the .pem file to be created as per the steps

Steps to reproduce

Running:

openssl pkcs12 -in pass.p12 -clcerts -nokeys -out signerCert.pem

Updated steps:

openssl pkcs12 -in pass.p12 -clcerts -nokeys -out signerCert.pem -legacy

Source

The .pem exports after using -legacy

Other info:

Hope this helps anyone else running into this!

alexandercerutti commented 1 year ago

Hi @fabiancook, thank you very much for your issue! It is very precious for passkit-generator.

So, if I understand correctly, some tools are still generating the P12 in a "legacy mode" (RC2-40-CBC) and newer OpenSSL versions might, therefore, require the -legacy flag to parse them correctly.

That's fine, but there are still a few things that are not yet clear to me and that I'd like to ask you (if you have any clue) so we can document it better on the wiki:

1) Were you using MacOS Ventura to generate the PKCS#12 file, or were you following the "terminal steps"?

2) If the answer to question one is "terminal", what happens if you generate it with Ventura?

3) Do you perhaps have any idea on how we could identify which kind of algorithm has been used on PKCS#12? So we can indicate whether one should add the legacy flag.

Thank you!

EDIT: Maybe we might use this command? Do you have a certificate that does not require -legacy perhaps?

fabiancook commented 1 year ago

I was using the "Keychain Access" on macOS Ventura application to generate the p12 file

... I can say that I have fully integrated since posting this issue and am able to generate passes perfectly!

Generated Pass

![image](https://github.com/alexandercerutti/passkit-generator/assets/4337080/5f777f02-3917-414b-ae92-6051780bf215)

alexandercerutti commented 1 year ago

Sorry @fabiancook but I didn't quite get what you mean by "I can say that I have fully integrated since posting this".

fabiancook commented 1 year ago

I was meaning I had got this working for my use case and that the keys/certs created using -legacy worked on my machine with this module.

For questions 2 + 3 I would be taking a step back in the process to generate them again.

alexandercerutti commented 1 year ago

I will make some attempts later if you are not able to do them.

fabiancook commented 1 year ago

I tried the docs for "Generate certificates through Terminal" and didn't get errors running those commands, but I can't spot where the p12 file is generated from terminal?

e.g. there are these two commands listed in step 8/9 here https://github.com/alexandercerutti/passkit-generator/wiki/Generating-Certificates#generate-certificates-through-terminal

openssl x509 -inform DER -outform PEM -in pass.cer -out signerCert.pem
openssl x509 -inform DER -outform PEM -in pass.cer -out wwdr.pem

Is this what you were meaning? I get signerCert.pem.... but isn't there meant to be a cert and key?

alexandercerutti commented 1 year ago

@fabiancook you are right, I forgot steps through terminal do not involve P12 creation 😅

So what we are saying is that Keychain Access on Ventura is not yet updated to work through the new algorithm and that version of OpenSSL, isn't it?

p.s. I have LibreSSL installed on my system, so I don't know the differences there.

fabiancook commented 1 year ago

Correct.

Going through the Keychain Access process on Ventura, and exporting the p12 key of the private key + certificate together, from Keychain Access, requires the use of -legacy when creating the .pem files based on the .p12 file exported.

alexandercerutti commented 1 year ago

I think we should try to create, if possible, a p12 starting from a cert and a key through OpenSSL/LibreSSL and check the algorithm it gets signed with and check what the info command reports. So by doing it this way we are able to discriminate the case.

alexandercerutti commented 1 year ago

Okay, I've tried to install OpenSSL 3.1.2 and attempted to pack a P12. This is a comparison between a PKCS12 I obtained in the previous months (but also one that I tried to generate through LibreSSL) and a new one I tried to create through my signerCert.pem and my signerKey.pem.


So I guess we could write in the wiki that:

1) To check the OpenSSL / LibreSSL version. OpenSSL >v3.0.0 added this change in 2021 (version's changelog) while LibreSSL didn't (yet?) (changelog)

2) Add -legacy if using an OpenSSL > v3.0.0 and if the p12 generated is encrypted through RC2-CBC

What do you think?
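A way to make the RC2-CBC check in point 2 mechanical, as an added example that is not part of passkit-generator or of this thread: a small Node.js script that walks the .p12's DER and reports which PKCS#12 PBE algorithms OpenSSL 3.x only serves from its legacy provider. The DER layout and the sample bytes below are constructed here, not taken from a real Keychain Access export.

```javascript
// Added example (not passkit-generator code): decide whether a .p12 needs `openssl pkcs12
// -legacy` by scanning its DER for PKCS#12 PBE OIDs that OpenSSL 3.x moved to the legacy provider.
const LEGACY_PBE_OIDS = { // the RC4 PBEs 1.2.840.113549.1.12.1.1 and .1.2 are legacy-only as well
  "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
  "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC", // RC2-40-CBC, as in the error above
};
// One DER tag/length header at `off`, or null when it is not well-formed DER.
function readTlv(buf, off) {
  if (off + 2 > buf.length) return null;
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) { // long form; a bare 0x80 would be BER indefinite length, not DER
    const n = len & 0x7f;
    if (n === 0 || n > 4 || pos + n > buf.length) return null;
    for (len = 0; pos < off + 2 + n; pos++) len = len * 256 + buf[pos];
  }
  return pos + len <= buf.length ? { tag: buf[off], start: pos, end: pos + len } : null;
}
// OBJECT IDENTIFIER contents to dotted form: base-128 arcs, first byte packs two arcs.
function decodeOid(bytes) {
  const arcs = [];
  let v = 0;
  for (const b of bytes) { v = v * 128 + (b & 0x7f); if (!(b & 0x80)) { arcs.push(v); v = 0; } }
  const first = arcs.shift();
  return (first < 80 ? [Math.floor(first / 40), first % 40] : [2, first - 80]).concat(arcs).join(".");
}
// Collect every OID in buf[off, end). Constructed elements are descended; an OCTET STRING only
// when all of it parses as DER (PKCS#12 nests SafeContents that way; ciphertext stays opaque).
function walk(buf, off, end, oids) {
  while (off < end) {
    const t = readTlv(buf, off);
    if (!t) return false;
    if (t.tag & 0x20) { if (!walk(buf, t.start, t.end, oids)) return false; }
    else if (t.tag === 0x06) oids.push(decodeOid(buf.subarray(t.start, t.end)));
    else if (t.tag === 0x04) { const inner = []; if (walk(buf, t.start, t.end, inner)) oids.push(...inner); }
    off = t.end;
  }
  return true;
}
// Legacy-provider PBE schemes the file uses; an empty list means -legacy is not needed.
function legacyAlgorithmsIn(der) {
  const oids = [];
  walk(der, 0, der.length, oids);
  return [...new Set(oids)].filter((o) => o in LEGACY_PBE_OIDS).map((o) => LEGACY_PBE_OIDS[o]);
}
// Constructed sample input, not a real export: RC2-40 PBE OID vs PBES2 (1.2.840.113549.1.5.13), nested as PKCS#12 does.
const tlv = (tag, body) => Buffer.concat([Buffer.from([tag, body.length]), body]);
const sample = (oidHex) => tlv(0x30, tlv(0x04, tlv(0x30, tlv(0x06, Buffer.from(oidHex, "hex")))));
const SAMPLE_LEGACY_P12 = sample("2a864886f70d010c0106");
const SAMPLE_MODERN_P12 = sample("2a864886f70d01050d");
```

On a real export, `legacyAlgorithmsIn(require("fs").readFileSync("pass.p12"))` returning a non-empty list is the signal to add -legacy to the pkcs12 command.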

alexandercerutti commented 1 year ago

I've updated the wiki! Let me know what you think of it! Here, on step 7, I've added a link to a whole new paragraph: https://github.com/alexandercerutti/passkit-generator/wiki/Generating-Certificates#generate-certificates-through-macos