Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OpenSSL >= 3 #52

Merged
merged 1 commit into from
Aug 22, 2023
Merged

Support OpenSSL >= 3 #52

merged 1 commit into from
Aug 22, 2023

Conversation

tiwilliam
Copy link
Contributor

@tiwilliam tiwilliam commented Aug 17, 2023
edited
Loading

Since the p12 test certificate is encrypted using RC2_CBC I ran into this issue with OpenSSL 3.1.2:

$ openssl pkcs12 -in $TEST_CERT -out server/tmp/out.pem -clcerts -nokeys
Enter Import Password:
Error outputting keys and certificates
40817FF401000000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

$ openssl version
OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)

About the new legacy flag in OpenSSL >= 3:

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.

This pull will add the required -legacy flag when splitting the certificate when OpenSSL is used and greater or equal to version 3.

Note: I have not been able to test this on Windows, hence not addressing it.

@hbldh
Copy link
Owner

hbldh commented Aug 18, 2023

Thank you! Is this present for the newest test certificate as well (The FPTestcert4_20230629.p12 one available at https://www.bankid.com/utvecklare/test)? The one included in pybankid is a older version from 2022.

@hbldh hbldh self-assigned this Aug 18, 2023
@tiwilliam
Copy link
Contributor Author

Ahh, it does indeed seem to have switched encryption method in that one and updating it would solve my issue.

PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

@tiwilliam
Copy link
Contributor Author

tiwilliam commented Aug 21, 2023
edited
Loading

@hbldh I've updated this PR to update the certificate instead, let me know if I missed anything.

$ cd bankid/certs/
$ wget https://www.bankid.com/assets/bankid/rp/FPTestcert4_20230629.p12
$ openssl version
OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
$ openssl pkcs12 -in FPTestcert4_20230629.p12 -out FPTestcert4_20230629_key.pem -nodes -nocerts
$ openssl pkcs12 -in FPTestcert4_20230629.p12 -out FPTestcert4_20230629_cert.pem -nokeys

@hbldh hbldh merged commit 4ff609a into hbldh:master Aug 22, 2023
15 checks passed
@hbldh
Copy link
Owner

hbldh commented Aug 22, 2023

Looks good. Merged the PR, will include it in a release later this week. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@hbldh hbldh

Labels
bug enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tiwilliam @hbldh