Support different MAC Algorithms to generate PKCS12 wrapper

[leninmehedy]

Background

Currently openssl or keytool uses SHA256 to generate MAC data for pkcs12. However, node-forge uses SHA1 as here

openssl also allows specifying the macAlgorithm using parameter below:

-macalg val Digest algorithm to use in MAC (default SHA256)

node-forge currently allows reading pkcs12 files generated by other tool and supports detecting the MAC algorithm used as you can find here

Proposal

We should allow passing a new option called options.macAlgorithm for function p12.toPkcs12Asn1.

Here:

• macAlgorithm should be a string similar to options.algorithm or options.encAlgorithm parameter.

• macAlgorithm must default to sha1 for backward compatibility.

  For example, someone should be allowed to generate pkcs12 using node-forge as below that essentially generates similar to openssl:

  const pkcs12Asn1 = forge.pkcs12.toPkcs12Asn1(keypair.privateKey, cert, constants.PFX_DUMMY_PASSWORD, {
      count: 10000,
      saltSize: 20,
      algorithm: `aes256`
      macAlgorithm: 'sha256'
      friendlyName: `my-node0`,
  })
  

  # generate pkcs12 file using openssl
  openssl pkcs12 -export -out private-node0-openssl.p12 -inkey myKey.pem -in cert.pem -iter 10000 -name my-node0 -macsaltlen 20
  

[leninmehedy]

I have a fix made locally and will make a PR for your consideration and review.