Closed georg-x closed 3 years ago
I am sure you are aware that OpenSSL 3.0 was released last month, while Java 8 was released in 2014. Do you really expect Java 8 to support the same algorithms as OpenSSL 3.0?
To make it short, if you use a recent Java runtime (the latest release is Java 17), it will support the newer algorithms for PKCS#12. I can recommend Adoptium.
Thank you for documenting that behavior here. Works like a charm with a newer Java version. Maybe some kind of warning would be nice. Not everyone knows when what feature was added to Java.
Describe the bug
Import of a PKCS12 file generated by OpenSSL 3.0.0 defaults is not possible. The same appears when the file was created in Windows with the selected encryption AES256-SHA256.
Info about working example
    openssl pkcs12 -info -in example.com.pfx
    ...
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
    Bag Attributes
        localKeyID: XX XX XX A6 3D B5 25 4C 2C 5D A6 9F EE 47 D5 04 3A XX XX XX
        friendlyName: example.com…
Info about not working example
    openssl pkcs12 -info -in example.com.pfx
    ...
    PKCS7 Data
    Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
    Bag Attributes
        localKeyID: XX XX XX 8F 02 83 21 04 A9 1F C8 29 22 85 90 33 1D XX XX XX
        friendlyName: example.com…
    Key Attributes:
To Reproduce
Expected behavior
The encryption should be detected automatically and the import from PKCS12 files with current encryption should work. The expected minimum would be that the error message states that the encryption is not supported. Edit: Screenshot removed.
Screenshots
Environment
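
A check of the kind this thread asks for, as an added example (not code from the project or from any commenter): it parses `openssl pkcs12 -info` output and flags bags encrypted with PBES2, the scheme shown in the non-working file. The function names and sample text are constructed for illustration; the `PKCS7 Encrypted data` line is the certificate-bag counterpart that the issue's excerpts do not show.

```python
import re

# Bag header lines printed by `openssl pkcs12 -info`. "Shrouded Keybag" is the
# line quoted in the issue; "PKCS7 Encrypted data" is the matching line for
# certificate bags (assumption: not shown in the issue's excerpts).
BAG_RE = re.compile(r"^\s*(Shrouded Keybag|PKCS7 Encrypted data):\s*(.+?)\s*$", re.M)

def parse_bags(info_text):
    """Return one dict per encrypted bag found in the -info output."""
    bags = []
    for kind, rest in BAG_RE.findall(info_text):
        fields = [f.strip() for f in rest.split(",")]
        bag = {"bag": kind, "scheme": fields[0], "kdf": None, "cipher": None,
               "iterations": None, "prf": None}
        for f in fields[1:]:
            if f.startswith("Iteration "):
                bag["iterations"] = int(f.split()[1])
            elif f.startswith("PRF "):
                bag["prf"] = f.split()[1]
            elif bag["scheme"] == "PBES2" and bag["kdf"] is None:
                bag["kdf"] = f          # first extra field after PBES2
            elif bag["scheme"] == "PBES2" and bag["cipher"] is None:
                bag["cipher"] = f       # second extra field after PBES2
        bags.append(bag)
    return bags

def import_warnings(info_text):
    """One message per PBES2 bag, so the user sees why an import may fail."""
    msgs = []
    for b in parse_bags(info_text):
        if b["scheme"] == "PBES2":
            msgs.append(f'{b["bag"]} is encrypted with PBES2 ({b["kdf"]}, '
                        f'{b["cipher"]}, PRF {b["prf"]}); an older Java '
                        f'runtime may not support it')
    return msgs

# Constructed sample input, reduced to the lines quoted in the issue.
WORKING = """PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""
FAILING = """PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""

if __name__ == "__main__":
    for name, text in (("working", WORKING), ("failing", FAILING)):
        print(name, import_warnings(text) or "no PBES2 bags")
```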