Open leninmehedy opened 6 months ago

Background

Currently openssl or keytool uses SHA256 to generate MAC data for pkcs12. However, node-forge uses SHA1, as here.

openssl also allows specifying the macAlgorithm using the parameter below:

-macalg val Digest algorithm to use in MAC (default SHA256)

node-forge currently allows reading pkcs12 files generated by other tools and supports detecting the MAC algorithm used, as you can find here.

Proposal

We should allow passing a new option called options.macAlgorithm for the function p12.toPkcs12Asn1. Here:

- macAlgorithm should be a string similar to the options.algorithm or options.encAlgorithm parameter.
- macAlgorithm must default to sha1 for backward compatibility.

For example, someone should be allowed to generate pkcs12 using node-forge as below, which essentially generates something similar to openssl:

```js
const pkcs12Asn1 = forge.pkcs12.toPkcs12Asn1(keypair.privateKey, cert, constants.PFX_DUMMY_PASSWORD, {
  count: 10000,
  saltSize: 20,
  algorithm: 'aes256',
  macAlgorithm: 'sha256',
  friendlyName: 'my-node0',
});
```

```sh
# generate pkcs12 file using openssl
openssl pkcs12 -export -out private-node0-openssl.p12 -inkey myKey.pem -in cert.pem -iter 10000 -name my-node0 -macsaltlen 20
```

I have a fix made locally and will make a PR for your consideration and review.