Error converting PKCS#12 archive file to PEM blocks: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1
PROBLEM SUMMARY
Unable to use vcert getcred to generate a new token. My new p12 file was generated using java keytool and I guess vcert does not know how to handle it, based on the error I get. My old p12 file was generated on Windows. I can use curl to request a token using the same p12 file, so my file is not the problem.
STEPS TO REPRODUCE
How I generated my p12 file:
keytool -genkey \
-alias cba_cert \
-validity 180 \
-keyalg RSA \
-keysize 2048 \
-keystore certfile.pfx \
-dname "REDACTED"
I then had the certificate signed by our CLM instance and imported it back into the file.
./vcert getcred -u https://clm-api.com --p12-file certfile.pfx --p12-password secret --client-id MyID --scope "certificate:manage" --format json
Error converting PKCS#12 archive file to PEM blocks: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1
EXPECTED RESULTS
{
"access_token": "REDACTED==",
"expires_in": 1296000,
"expires": 1672933356,
"token_type": "Bearer",
"scope": "certificate:manage",
"identity": "local:{REDACTED}",
"refresh_until": 1672933356
}
ACTUAL RESULTS
Error converting PKCS#12 archive file to PEM blocks: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1
ENVIRONMENT DETAILS
Tried vcert versions v4.23.0 and v4.20.0; same error.
java --version
openjdk 11.0.17 2022-10-18 LTS
OpenSSL info of my old and new p12 files.
Old:
openssl pkcs12 -info -in old.pfx -noout
Enter Import Password:
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Data
Certificate bag
Certificate bag
Certificate bag
New:
openssl pkcs12 -info -in certfile.pfx -noout
Enter Import Password:
MAC Iteration 10000
MAC verified OK
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Certificate bag
Certificate bag
COMMENTS/WORKAROUNDS
Generating a token using the same p12 file but with curl works.
I was running into this issue with Venafi as well, but found exporting the pfx with these extra options resolved this issue: openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -export -macalg sha1 .......
taken from: https://discuss.hashicorp.com/t/azure-service-principal-client-certificate-error/32037?msclkid=9351d13bd12411ec96deb763dd60b7af
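The OID in the error, 2.16.840.1.101.3.4.2.1, is id-sha256. The message "pkcs12: unknown digest algorithm" is produced by the MAC-verification step of the golang.org/x/crypto/pkcs12 package, which only implements SHA-1 for the PKCS#12 integrity MAC; the newer keytool output above uses an HMAC-SHA256 MAC (and PBES2 key encryption), while the Windows-generated file uses the SHA-1/3DES profile that the openssl re-export in the comment above reproduces. The following preflight tool is an added example, not part of vcert or of the original issue: it decodes only the outer PFX envelope with Go's standard encoding/asn1 (no password, no key material touched) and reports whether the MAC digest is one the legacy parser accepts. The names CheckPFXMac, MacCheck and BuildSamplePFX are my own; BuildSamplePFX produces a constructed fixture with a dummy MAC so the check can be exercised offline.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"os"
)

// Well-known OIDs from RFC 7292 / RFC 3370 / RFC 5754 (real values).
var (
	oidData   = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}    // id-data
	oidSHA1   = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}             // id-sha1
	oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} // id-sha256, the OID in the error
)

// Outer PFX envelope from RFC 7292 section 4. authSafe is kept opaque
// (RawValue) because only macData matters for this check.
type algorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"`
}
type digestInfo struct {
	Algorithm algorithmIdentifier
	Digest    []byte
}
type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
}
type pfxPdu struct {
	Version  int
	AuthSafe contentInfo
	MacData  macData `asn1:"optional"`
}

// MacCheck is the verdict for one PFX file (hypothetical type, not vcert's).
type MacCheck struct {
	DigestOID  string // dotted OID of the MAC digest; "" when the file carries no MAC
	Iterations int
	LegacyOK   bool // true only for SHA-1, the one MAC digest legacy x/crypto/pkcs12 accepts
}

// CheckPFXMac decodes just the PFX envelope and reports which digest protects
// the MAC. No password is needed and no private key bytes are decrypted.
func CheckPFXMac(der []byte) (MacCheck, error) {
	var pfx pfxPdu
	rest, err := asn1.Unmarshal(der, &pfx)
	if err != nil {
		return MacCheck{}, fmt.Errorf("not a DER-encoded PFX: %w", err)
	}
	if len(rest) != 0 {
		return MacCheck{}, errors.New("trailing data after PFX structure")
	}
	if pfx.Version != 3 {
		return MacCheck{}, fmt.Errorf("unexpected PFX version %d", pfx.Version)
	}
	alg := pfx.MacData.Mac.Algorithm.Algorithm
	if len(alg) == 0 {
		return MacCheck{}, nil // macData is OPTIONAL: no integrity MAC at all
	}
	return MacCheck{DigestOID: alg.String(), Iterations: pfx.MacData.Iterations, LegacyOK: alg.Equal(oidSHA1)}, nil
}

// BuildSamplePFX is a constructed fixture: a syntactically valid PFX envelope
// with a dummy authSafe payload and a dummy MAC value. Not a usable keystore.
func BuildSamplePFX(digest asn1.ObjectIdentifier, iterations int) ([]byte, error) {
	payload, err := asn1.Marshal([]byte("constructed authSafe payload"))
	if err != nil {
		return nil, err
	}
	// ContentInfo.content is [0] EXPLICIT, so wrap the OCTET STRING by hand.
	wrapped, err := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: payload})
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(pfxPdu{
		Version:  3,
		AuthSafe: contentInfo{ContentType: oidData, Content: asn1.RawValue{FullBytes: wrapped}},
		MacData: macData{
			Mac:        digestInfo{Algorithm: algorithmIdentifier{Algorithm: digest, Parameters: asn1.NullRawValue}, Digest: make([]byte, 32)},
			MacSalt:    []byte("constructed-salt"),
			Iterations: iterations,
		},
	})
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: pfxmaccheck <file.p12>")
		os.Exit(2)
	}
	der, err := os.ReadFile(os.Args[1])
	if err == nil {
		var res MacCheck
		if res, err = CheckPFXMac(der); err == nil {
			fmt.Printf("MAC digest %q, %d iterations, legacy Go pkcs12 parser OK: %v\n", res.DigestOID, res.Iterations, res.LegacyOK)
			return
		}
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```

Run it as `go run . certfile.pfx` before handing a bundle to vcert; a verdict of `legacy Go pkcs12 parser OK: false` with OID 2.16.840.1.101.3.4.2.1 is exactly the file profile that produces the error in this issue, and the `-macalg sha1` part of the openssl re-export above is what changes it. The check deliberately stops at the MAC: the PBES2/AES-256-CBC key bag shown in the "New" openssl output would be the next element that parser cannot handle, which is why the comment's `-keypbe`/`-certpbe PBE-SHA1-3DES` options are needed as well. Bear in mind that the legacy SHA-1/3DES profile gives the file weaker at-rest protection than the keytool default, so the re-exported bundle should be treated as needing the same handling as an unencrypted private key.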
We will investigate the issue to confirm which options should be used for the p12 bundle. If there is an issue, we will plan as needed.