wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License

Add function for dumping P12 files #20

Open laurivosandi opened 7 years ago

laurivosandi commented 7 years ago

Hi, P12 parsing seems to be there but it's not yet possible to generate P12 bundles. Is it much of an effort to add the feature?

wbond commented 7 years ago

I think it largely depends on what software you want to be able to read the p12 files. For instance, many of the good algorithm choices for key derivation (PBKDF2) and encryption (AES 128) are only specified in relatively new versions of the PKCS12 spec, and many software platforms don't support them.

The algorithms supported by pretty much any software for reading p12s often are so weak they add a false sense of security.

So I think the complexity here is going to be determining what the different algorithm profiles for p12 files should be made available and documenting what they work with. Technically all of the pieces are available here.
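The "weak" profile in the comment above is the original PKCS#12 password-based scheme from RFC 7292 Appendix B (a SHA-1 construction used for keys, IVs and the integrity MAC), while the "good" profile is PBES2 with PBKDF2 from RFC 8018. The block below is an added example for this thread, not oscrypto code and not anything from the issue's participants: it implements the legacy RFC 7292 derivation and MAC in stdlib Python and puts the PBKDF2 derivation next to it, so the two profiles can be compared on the same password and salt. The password, salt and the two-byte stand-in for an AuthenticatedSafe are constructed inputs, and all function names are mine.

```python
"""Legacy PKCS#12 key derivation (RFC 7292 Appendix B.2) beside the PBES2/PBKDF2
derivation (RFC 8018) that newer PKCS#12 profiles use.  Added example; stdlib only."""
import hashlib
import hmac
import math

# RFC 7292 B.3: the single "ID" byte selects what the derived material is for.
KEY_MATERIAL, IV_MATERIAL, MAC_MATERIAL = 1, 2, 3


def _fill_to_multiple(data: bytes, block: int) -> bytes:
    """Repeat `data` until its length is a multiple of `block` (B.2 steps 2-3).
    An empty input yields an empty output, as the RFC specifies."""
    if not data:
        return b""
    target = math.ceil(len(data) / block) * block
    return (data * (target // len(data) + 1))[:target]


def bmp_password(password: str) -> bytes:
    """PKCS#12 feeds the password in as a BMPString (UTF-16BE) plus two NUL bytes."""
    return password.encode("utf-16-be") + b"\x00\x00"


def pkcs12_kdf(password: str, salt: bytes, purpose: int, iterations: int,
               length: int, hash_name: str = "sha1") -> bytes:
    """RFC 7292 B.2 derivation.  Returns `length` bytes of key, IV or MAC material."""
    if purpose not in (KEY_MATERIAL, IV_MATERIAL, MAC_MATERIAL):
        raise ValueError("purpose must be 1 (key), 2 (IV) or 3 (MAC)")
    if iterations < 1 or length < 1:
        raise ValueError("iterations and length must be positive")
    v = hashlib.new(hash_name).block_size            # SHA-1: 64 bytes
    d = bytes([purpose]) * v                          # D: v copies of the ID byte
    # I = S || P, each expanded to a multiple of v bytes.
    i_buf = bytearray(_fill_to_multiple(salt, v)
                      + _fill_to_multiple(bmp_password(password), v))
    out = b""
    while len(out) < length:
        # A_i = H^iterations(D || I)
        a = hashlib.new(hash_name, d + bytes(i_buf)).digest()
        for _ in range(iterations - 1):
            a = hashlib.new(hash_name, a).digest()
        out += a
        # B = A_i expanded to v bytes; every v-byte block of I becomes (I_j + B + 1) mod 2^(8v)
        b_plus_one = int.from_bytes(_fill_to_multiple(a, v), "big") + 1
        for k in range(0, len(i_buf), v):
            block = int.from_bytes(i_buf[k:k + v], "big")
            i_buf[k:k + v] = ((block + b_plus_one) % (1 << (8 * v))).to_bytes(v, "big")
    return out[:length]


def pkcs12_mac(password: str, salt: bytes, iterations: int, auth_safe_der: bytes,
               hash_name: str = "sha1") -> bytes:
    """MacData over the DER of the AuthenticatedSafe: HMAC keyed with ID=3 material
    whose length equals the digest size (RFC 7292 section 5.1 / B.4)."""
    key_len = hashlib.new(hash_name).digest_size
    key = pkcs12_kdf(password, salt, MAC_MATERIAL, iterations, key_len, hash_name)
    return hmac.new(key, auth_safe_der, hash_name).digest()


def pbes2_key(password: str, salt: bytes, iterations: int, length: int,
              prf: str = "sha256") -> bytes:
    """What a PBES2 profile derives instead (RFC 8018 PBKDF2).  Note the password is
    UTF-8 here, not the BMPString above; mixing the two encodings is a classic
    cause of 'wrong password' errors between PKCS#12 implementations."""
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, length)


if __name__ == "__main__":
    # Constructed inputs for the demo; not a published test vector.
    password, salt = "smeg", bytes.fromhex("0A58CF64530D823F")
    print("legacy 3DES key (ID=1):", pkcs12_kdf(password, salt, KEY_MATERIAL, 2048, 24).hex())
    print("legacy 3DES IV  (ID=2):", pkcs12_kdf(password, salt, IV_MATERIAL, 2048, 8).hex())
    print("legacy MAC over stub  :", pkcs12_mac(password, salt, 2048, b"\x30\x00").hex())
    print("PBES2 AES-256 key     :", pbes2_key(password, salt, 2048, 32).hex())
```

Before relying on a hand-written KDF in a real dump function, cross-check it against the published PKCS#12 KDF test vectors and against what `openssl pkcs12` produces for the same password and salt; the legacy scheme has enough edge cases (empty salt, empty password, multi-block output) that a property check alone is not sufficient.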

laurivosandi commented 7 years ago

Hi, having gone through several protocols (SCEP, OCSP) used in the enterprise, I concluded most of them don't achieve what they're supposed to nowadays security-wise. My interest was using a P12 bundle to distribute a key-certificate pair for a device and transport it over an already secured transport (e.g. HTTPS). So the only real reason for P12 would be the import compatibility with Firefox and smartphone credential stores.

m32 commented 4 years ago

I also need to generate pkcs12, so I spent some time creating such code. Do you have any suggestions on where I should insert it? In my opinion, the most convenient place is keys.py or _asymmetric.py. I have only a few identifiers: crypto_funcs, _encrypt_data (the opposite of the identifiers from _asymmetric) and a single function make_pkcs12(key, cert, othercerts) -> Pfx

wbond commented 4 years ago

All of the other dump_*() functions are in asymmetric, so I'd probably put it in there.