Open bkoetter opened 1 month ago
Could you attach a sample p12 file which triggers this error?
cert2.tar.gz
Find the sample files attached. Using the same password to encrypt the p12 and the key file: secPas$4
The problem is that the p12 generated by Smallstep CLI does not contain a value for the parameter field of the "prf" algorithm identifier (see attached pictures). It should be present and set to NULL, at least according to various RFCs (https://datatracker.ietf.org/doc/html/rfc4231#section-3.1).
That's what Smallstep produces:
Anyway, I guess it's not very helpful for resolution, so there are a few possibilities here: it can be reported as a bug in the Smallstep project, it can be reported as an enhancement request in https://github.com/RustCrypto/formats, or I can add a workaround here, which requires a bit of copy/paste and code duplication from RustCrypto/pkcs5.
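The encoding difference discussed above, as an added example that is not code from p12-keystore, Smallstep or RustCrypto: a dependency-free Rust walk over a DER `AlgorithmIdentifier` that classifies the `parameters` field as NULL, absent, or something else, plus an acceptance check that treats both forms RFC 4231 allows as valid hmacWithSHA256. The OID constant and the two sample byte strings are constructed here for illustration.

```rust
// Added example: classify how the `parameters` field of a DER
// AlgorithmIdentifier is encoded (strict NULL vs. omitted entirely).
#[derive(Debug, PartialEq)]
pub enum Params { Null, Absent, Other(u8) }

// Content bytes of OID 1.2.840.113549.2.9 (hmacWithSHA256), assumed constant.
pub const HMAC_SHA256_OID: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x09];

// Read one TLV with a short-form length (enough for AlgorithmIdentifier
// sizes). Returns (tag, content, remaining bytes) or None on malformed input.
fn tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&len, rest) = rest.split_first()?;
    if len & 0x80 != 0 { return None; } // long-form lengths not needed here
    let len = len as usize;
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}

/// Parse `SEQUENCE { algorithm OID, parameters ANY OPTIONAL }` and report
/// the OID content bytes together with the form of the parameters field.
pub fn prf_params(der: &[u8]) -> Option<(Vec<u8>, Params)> {
    let (0x30, body, _) = tlv(der)? else { return None };
    let (0x06, oid, rest) = tlv(body)? else { return None };
    let params = match tlv(rest) {
        None if rest.is_empty() => Params::Absent,         // Smallstep-style
        Some((0x05, p, _)) if p.is_empty() => Params::Null, // strict form
        Some((t, _, _)) => Params::Other(t),
        None => return None,                                // truncated TLV
    };
    Some((oid.to_vec(), params))
}

/// Lenient check: accept both encodings RFC 4231 permits for the PRF.
pub fn is_hmac_sha256(der: &[u8]) -> bool {
    matches!(prf_params(der),
             Some((oid, Params::Null | Params::Absent)) if oid == HMAC_SHA256_OID)
}

// Constructed samples: with explicit NULL parameters, and with them omitted.
pub const WITH_NULL: &[u8] =
    &[0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x09, 0x05, 0x00];
pub const WITHOUT_NULL: &[u8] =
    &[0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x09];

fn main() {
    println!("{:?}", prf_params(WITH_NULL));
    println!("{:?}", prf_params(WITHOUT_NULL));
}
```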
@ancwrd1 Thank you so much for following up on this issue and determining the root cause. I understand from your RustCrypto/formats PR that according to RFC4231 the NULL parameter is not a mandatory requirement. I think that raising this as an enhancement request in https://github.com/RustCrypto/formats would be the right approach. Thanks for already doing so.
The related PR is merged, I am closing this issue.
On second thought, it's not added to this project yet, so let's keep it open.
OS: macOS 14.6.1 on arm64
Rust: 1.81.0
Target: aarch64-apple-darwin
p12-keystore: 0.1.3
OpenSSL: 3.3.2
Smallstep CLI: 0.27.4
Reading a p12 file with KeyStore::from_pkcs12 generated using the following OpenSSL command works fine:
openssl pkcs12 -export -inkey domain.key -in domain.crt -out domain.p12
Reading a p12 file generated using Smallstep CLI results in a panic:
step certificate p12 domain.p12 domain.crt domain.key
Code to trigger behaviour:
Output: