
Question: Can PKIjs create universal PFX?

Open microshine opened this issue 7 years ago • 12 comments

Is it possible to create PFX file which can be used in Windows CAPI, OSX KeyChain, NSS and OpenSSL?

I've tried examples from pkijs.org. Created PFX files work with OpenSSL only

microshine avatar Nov 29 '18 14:11 microshine

It is possible, but only for Node. There is a specific example for it in pkijs.

YuryStrozhevsky avatar Nov 29 '18 15:11 YuryStrozhevsky

Yury, I recall you made an example working in browser later? Am I wrong?

If not please describe again what is missing, if I recall correctly we need 3des and rc2?

A polyfill with software implementations of these algorithms would be all that’s needed?

Any links you can provide would be appreciated.

rmhrisk avatar Nov 29 '18 15:11 rmhrisk

The Windows PFX requires 3DES, which is absent in the browser. And yes, a polyfill could help, but anyway the existing engine should be modified for this case: the existing engine is "Node-specific".

YuryStrozhevsky avatar Nov 29 '18 16:11 YuryStrozhevsky

And I made a browser example - now the existing PKIjs live example can make correct OpenSSL PFX containers and can also parse any OpenSSL input PFXs.

YuryStrozhevsky avatar Nov 29 '18 16:11 YuryStrozhevsky

@YuryStrozhevsky we need to create a Windows compatible PFX in the browser, do you have an example of this? It's hard to understand from your response.

rmhrisk avatar Nov 29 '18 17:11 rmhrisk

The existing browser example can only make and parse OpenSSL-like data. The Node example can also make and parse Windows-like PFXs.

Sent with GitHawk

YuryStrozhevsky avatar Nov 29 '18 17:11 YuryStrozhevsky

Are there any new developments in PFX capability? Using PKI.js, I have created 3 keypairs and 3 certificates: one CA, which signs the other two certificates. Then I can put all 3 certificates and private keys in a PFX, and OpenSSL can read it correctly. But MacOS and Windows don't like the PFX.

Ideally, I would like to create the PFX in the browser and then send it to the OS security manager directly (should not need encryption, since it goes from browser memory directly to security manager, but password-protected would be OK too.)

Is the lack of 3DES and RC2 in SubtleCrypto still the problem?

(I have attached the PKCS#12 that my Javascript creates.) 3PKCS12_pem.txt

spacewrench avatar Feb 21 '20 00:02 spacewrench

You should still encrypt.

You can get 3DES with: https://github.com/PeculiarVentures/webcrypto-liner/blob/master/README.md

See the Node example of how to do it.

Modern Windows also supports AES p12s now.

rmhrisk avatar Feb 21 '20 01:02 rmhrisk

Do you know of a reference or example PKCS#12 structure that PKI.js can make, and Windows can import? (MacOS and Linux too, if possible!) I've tried to adapt the examples in PKCS12SimpleExample, but not having luck getting the right configuration of SafeContents{SafeBags[SafeBag{PKCS8ShroudedKeyBag},SafeBag{CertBag}]} ... etc.

spacewrench avatar Feb 21 '20 04:02 spacewrench

The node example produces a file Windows, OSX and Firefox can open.

https://github.com/PeculiarVentures/PKI.js/tree/master/examples/NodePKCS12Example

For broad compatibility with one file you have to use the suites in that sample.

Once you see that work, use liner to modify it for use in browser.

https://github.com/PeculiarVentures/webcrypto-liner/blob/master/README.md

Also maybe useful: https://unmitigatedrisk.com/?p=543

rmhrisk avatar Feb 21 '20 05:02 rmhrisk
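Added example (not part of the thread and not PKI.js code): the comments above tie importability to the encryption suites inside the PFX, so this sketch walks a DER-encoded PFX and reports which password-based encryption schemes it names. The names `pfxSchemes`, `walk` and `SAMPLE` are hypothetical, the sample bytes are a constructed fragment rather than a real PFX, and only definite-length DER is assumed (BER indefinite lengths are rejected).

```javascript
const KNOWN = {
  "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
  "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
  "1.2.840.113549.1.5.13": "PBES2",
  "2.16.840.1.101.3.4.1.42": "aes256-CBC",
};
function decodeOid(b) {
  const first = Math.min(2, Math.floor(b[0] / 40));
  const arcs = [first, b[0] - 40 * first];
  let v = 0;
  for (const x of b.subarray(1)) {
    v = v * 128 + (x & 0x7f);
    if (!(x & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join(".");
}
// Hypothetical helper (added example): walk definite-length DER, collect OIDs.
function walk(buf, found) {
  let pos = 0;
  while (pos < buf.length) {
    const tag = buf[pos++];
    let len = buf[pos++];
    if (len === undefined) return false;
    if (len & 0x80) {
      const n = len & 0x7f;
      if (n === 0 || n > 4 || pos + n > buf.length) return false;
      len = 0;
      for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
    }
    if (pos + len > buf.length) return false;
    const body = buf.subarray(pos, pos + len);
    if (tag === 0x06 && len > 0) found.push(decodeOid(body));
    else if (tag & 0x20) { if (!walk(body, found)) return false; }
    else if (tag === 0x04) {
      // PKCS#12 nests DER in OCTET STRINGs; salts/ciphertext fail to parse.
      const inner = [];
      if (walk(body, inner)) found.push(...inner);
    }
    pos += len;
  }
  return true;
}
function pfxSchemes(der) {
  const oids = [];
  if (!walk(der, oids)) throw new Error("not definite-length DER");
  return [...new Set(oids)].map((o) => KNOWN[o]).filter(Boolean);
}
// Constructed sample (not a real PFX): a 3DES AlgorithmIdentifier in an OCTET STRING.
const SAMPLE = Uint8Array.from(
  "302804263024301c060a2a864886f70d010c0103300e04080102030405060708020208000404deadbeef".match(/../g), (h) => parseInt(h, 16));
```

Calling `pfxSchemes(new Uint8Array(fileBytes))` on a generated file shows which schemes it actually uses. Trying OCTET STRING contents as nested DER is a heuristic, so a random salt that happens to parse as DER could add a spurious entry.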

@rmhrisk Could you please go into more detail?

ikreb7 avatar Oct 19 '23 16:10 ikreb7