search

ruby / openssl

Provides SSL, TLS and general purpose cryptography.
Other
238 stars 162 forks source link

Add support for specifying PKCS#12 MAC parameters #772

Open paihu opened 2 weeks ago

paihu commented 2 weeks ago

Issue https://github.com/ruby/openssl/issues/654 closed but it doesn't seem to be resolved.

Here's what we created using the legacy provider:

openssl pkcs12 -in xx.p12 -info -noout -legacy
Enter Import Password:
MAC: sha256, Iteration 1
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

It uses sha256 instead of sha1.

current OpenSSL::PKCS12.create not support -macalg

https://github.com/pyca/cryptography/issues/7293#issuecomment-1199167579

rhenium commented 2 weeks ago

You are right, the example code provided in #654 had another error and I skipped the main question.

Should we add a binding for PKCS12_set_mac()?

paihu commented 2 weeks ago

I think adding the PKCS12_set_mac() binding would be beneficial to maintain backward compatibility with legacy OpenSSL.