Closed sake closed 1 year ago
Provides a fix for #360
Just a note: on newer systems, where these encryption algorithms and such are part of "legacy" in OpenSSL nowadays, even with a configure screen like this the OpenSSL API won't have 'legacy' enabled for this, which is confirmed by the tests from #383 - you can't export what you also can't import in the OpenSSL world of things.
Not sure if this can be accepted on its own without OpenSSL having legacy options/algos/ciphers enabled in the API calls as well.
Compiles on my mac with vanilla openssl 3.0.7
This still happens in v2.5.0
@Lotusshaney What exactly happens instead for you and what did you select in the newly introduced "PKCS12 encryption algorithm" option?
I have tried both PBE-SHA1-3DES and AES-256-CBC for the PKCS12 algorithm.
Both times importing the pfx into a keychain fails with "Sorry, you entered an invalid password."
If I convert the pfx using OpenSSL 3 with the "legacy" option, the resulting pfx will import into the keychain using the password without problem:

openssl pkcs12 -in xca.pfx -out xca.pem
openssl pkcs12 -export -in xca.pem -out xca2.pfx -legacy
This pull request adds the ability to configure the encryption algorithm used for cert and key encryption in a PKCS12 container.
According to PKCS5 v2.0, the AES-256-CBC algorithm is not allowed as an encryption scheme. It has been added in v2.1. But there are legacy systems such as Android which are not capable of decrypting such a PKCS12 container. The code present before these changes used PBE-3Key-3DES for the cert encryption, but the default in openssl (AES-256-CBC) for key encryption. This merge request sets both schemes to the same value, so if 3DES is selected in the options, then both key and cert get encrypted that way. By doing that, importing a PKCS12 file on Android works.
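The two comments above (the `-legacy` re-export and the PR description's point that cert and key bags must use the same scheme) can be checked from the command line. The script below is an added example, not XCA's code and not part of this PR: it exports one throwaway identity twice, once with PBE-SHA1-3DES for both bags and once with AES-256-CBC (PKCS#5 v2.1 PBES2) for both, and reads back which scheme each bag actually uses via `openssl pkcs12 -info`. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the password and the self-signed identity are constructed for the example.

```shell
#!/bin/sh
# Added example (not XCA's code): show that -certpbe and -keypbe must be set
# together to get a PKCS#12 file whose cert AND key bags use one scheme.
# Assumes the openssl CLI is available; all inputs are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=pass:constructed-example-password   # constructed, not a real secret

# Throwaway self-signed key + certificate used only as export input.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=pkcs12-pbe-example \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# export_pkcs12 <pbe-name> <out-file>
# Same PBE scheme for the certificate bag (-certpbe) and the shrouded key
# bag (-keypbe); -macalg sha1 keeps the pre-OpenSSL-3.0 MAC for old importers.
export_pkcs12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$2" -passout "$PASS" -certpbe "$1" -keypbe "$1" -macalg sha1
}

# bag_algorithms <pfx>
# Print the two encryption lines from -info (openssl writes them to stderr):
#   PKCS7 Encrypted data: ...   certificate bag
#   Shrouded Keybag: ...        private key bag
bag_algorithms() {
    openssl pkcs12 -in "$1" -info -noout -passin "$PASS" 2>&1 \
        | grep -E '^(PKCS7 Encrypted data|Shrouded Keybag):'
}

# count_bags_using <pfx> <pattern>
# Number of those two bags (0..2) whose scheme matches <pattern>.
count_bags_using() {
    bag_algorithms "$1" | grep -c "$2" || true
}

main() {
    make_test_identity
    export_pkcs12 PBE-SHA1-3DES "$WORK/both-3des.pfx"
    export_pkcs12 AES-256-CBC   "$WORK/both-aes.pfx"

    echo "== both bags PBE-SHA1-3DES (importable by legacy keystores) =="
    bag_algorithms "$WORK/both-3des.pfx"
    echo "== both bags AES-256-CBC (PKCS#5 v2.1 PBES2) =="
    bag_algorithms "$WORK/both-aes.pfx"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl CLI not found on PATH" >&2
fi
```

With `PBE-SHA1-3DES` both reported lines name `pbeWithSHA1And3-KeyTripleDES-CBC`; with `AES-256-CBC` both show `PBES2, PBKDF2, AES-256-CBC`. Passing only one of `-certpbe`/`-keypbe` reproduces the mixed state the PR description describes, which is exactly what a legacy importer rejects.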