kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Adding the ability to edit the Bag Attributes of P12/PFX keystores #434

Open gdmeunier opened 1 year ago

gdmeunier commented 1 year ago

Is your feature request related to a problem? Please describe.

There's no problem in KSE, it works fine. So this is a feature request.

Sometimes when dealing with applications that need P12 keystores to work such as CA servers, I get errors due to them having been created by tools that embed the wrong CSP property bag or none at all.

That means when I import an average P12 keystore into a Windows keystore, it gets bound to a CSP ('cryptographic services' providers, not just the 'key storage' ones) that doesn't support the more advanced cryptographic algorithms.

The current Windows CSP limitations are:

I regularly need to use OpenSSL to temporarily expose the P12 material as PEM to re-create a P12 file with the correct CSP PropertyBag.

(Not that often actually, but when I need to use P12, then I always do.) I currently re-create the P12 keystores this way:

    openssl.exe pkcs12 -in "input.p12" -out "output.pem"
    openssl.exe pkcs12 -export -in "output.pem" -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out "output.pfx"

If I don't do this, then my self-hosted CA services will not be able to use SHA-256 for digitally signing anything, nor be able to use 4096-bit RSA.

In .NET you would get an error prompt claiming that the SHA256WithRSA signature algorithm is invalid (or doesn't exist).

Describe the solution you'd like

I would really like to streamline the direct editing of P12 keystores within Keystore Explorer without doing any conversion to PEM first, by having perhaps a context menu or menubar item that could be named 'Edit P12 property bags', followed by a standard ListView that will contain a property name & a property value column.

There could be a pen-icon button next to them for editing, and a general save button for the edit dialog. This way I don't create any PEM file, and the material always stays in P12 form.

Describe alternatives you've considered

So far I do it this way to modify the CSP property bag:

    openssl.exe pkcs12 -in "input.p12" -out "output.pem"
    openssl.exe pkcs12 -export -in "output.pem" -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out "output.pfx"

I would however think that adding property editing support to Keystore Explorer would make it even more complete, and perhaps it would benefit more than just me for many use-cases that I might not have thought of right now.

Additional context

P12 keystores can contain a CSP property bag.

Windows, when importing a P12 keystore, will bind it to the CSP that corresponds to this property bag's value. If it's the wrong one or if there's none, the private key material gets bound to the lower-capacity cryptographic services providers and you will get errors when trying to use algorithms such as SHA-256 & RSA 4096-bit.

Editing this attribute currently requires (for me) recreating an entirely new P12 file. That means temporarily exposing the P12 data in PEM form, then having it again in P12 form with the proper CSP value embedded.

Then I can finally remove the old key & certificate from the Windows certificate store and re-import it using the corrected P12 file. Now it becomes available for use with stronger cryptographic algorithms.

kaikramer commented 1 year ago

One of the next releases of KSE will focus on improvements for PKCS#12 processing and generation. I will consider your feature request then.

In general these are called "bag attributes". I have adapted the title accordingly.

Bag Attributes
    localKeyID: D4 33 68 30 7E EE 82 7F F9 DA 4C EE 6E 1D 27 CC C2 37 90 CA
    Microsoft CSP Name: Microsoft Enhanced RSA and AES Cryptographic Provider

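Both attributes in that listing are ordinary ASN.1 attributes inside the PKCS#12 SafeBag (localKeyID is OID 1.2.840.113549.1.9.21 with an OCTET STRING value, Microsoft CSP Name is OID 1.3.6.1.4.1.311.17.1 with a BMPString value). The following Python is an added example, not code from KSE or OpenSSL: it encodes and decodes that bagAttributes SET so the bytes can be checked before and after editing, using the values from the listing as sample input.

```python
# Added example (not KSE or OpenSSL code): minimal DER encode/decode of the two bag attributes shown above.
OID_LOCAL_KEY_ID = "1.2.840.113549.1.9.21"  # PKCS#9 localKeyID, value OCTET STRING
OID_MS_CSP_NAME = "1.3.6.1.4.1.311.17.1"    # Microsoft CSP Name, value BMPString
SAMPLE_KEY_ID = bytes.fromhex("D43368307EEE827FF9DA4CEE6E1D27CCC23790CA")  # values from the listing above
SAMPLE_CSP = "Microsoft Enhanced RSA and AES Cryptographic Provider"

def tlv(tag, body):
    n = len(body)
    nb = (n.bit_length() + 7) // 8  # DER length: short form below 128, else 0x80|nb then big-endian bytes
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, continuation bit set on all but the last byte of each arc
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))
KNOWN_OIDS = {encode_oid(o): o for o in (OID_LOCAL_KEY_ID, OID_MS_CSP_NAME)}

def encode_bag_attributes(local_key_id, csp_name):
    """bagAttributes ::= SET OF Attribute { type OID, values SET OF value }."""
    attrs = [
        tlv(0x30, encode_oid(OID_LOCAL_KEY_ID) + tlv(0x31, tlv(0x04, local_key_id))),
        tlv(0x30, encode_oid(OID_MS_CSP_NAME) + tlv(0x31, tlv(0x1E, csp_name.encode("utf-16-be")))),
    ]
    return tlv(0x31, b"".join(sorted(attrs)))  # DER requires SET OF members in encoded order

def parse_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def decode_bag_attributes(der):
    """Return {OID (hex if unknown): value}; BMPStrings decoded, a trailing NUL (as Windows writes) dropped."""
    tag, body, _ = parse_tlv(der)
    assert tag == 0x31, "bagAttributes must be a DER SET"
    out, pos = {}, 0
    while pos < len(body):
        _, attr, pos = parse_tlv(body, pos)
        _, oid_body, p = parse_tlv(attr)
        vtag, value, _ = parse_tlv(parse_tlv(attr, p)[1])  # first member of the values SET
        key = KNOWN_OIDS.get(attr[:p], oid_body.hex())
        out[key] = value.decode("utf-16-be").rstrip("\0") if vtag == 0x1E else value
    return out
```

`decode_bag_attributes(encode_bag_attributes(SAMPLE_KEY_ID, SAMPLE_CSP))` returns the two attributes from the listing keyed by their dotted OIDs; bytes obtained from a real file can be fed to the decoder in the same way.
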
gdmeunier commented 9 months ago

Update: I actually now have a way of manually adding or modifying bag attributes of PKCS12 files. I had to use ASN.1 Editor from PKI Solutions.

PKCS12-CSP-BagAttributes

Its latest version also added tabbed documents, which is a very nice feature. That means it's now possible to directly copy-paste ASN.1 elements from one file to another.

You should probably check it out too, it acts as a sort of forensic ASN.1 inspector.

kaikramer commented 9 months ago

I'm glad you've found a solution!