Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PKCS12 #114

merged 2 commits into from
Apr 5, 2021

PKCS12 #114

merged 2 commits into from
Apr 5, 2021


Copy link

@hannesm hannesm commented Jun 4, 2019

this works for me, but should get some tests and also a way to construct PKCS12 files (enc/dec should be factored out into PKCS8 / Private_key module to get all the benefits in there)... the plan here is to only support "good" (i.e. not known weak ciphers) for encryption, such as AES-128/192/256-CBC (that's also the reason the RC2 encryption is not in
what is supported?

  • parts of PKCS7 (data, encryptedData), nothing else
  • parts of PKCS5 (v2, PBES2, PBKDF2), no PBES1/PBKDF1
  • parts of PKCS12 (only password-based privacy and integrity, the custom PBES and KDF as written in PKCS12 -- also rc2 (40/128), rc4 (40/128), 3des (no 2des))

this is based on #113 and gmap-extension (only most recent commit is relevant here)

the asn is a bit ugly to work around the lack of ANY defined BY in asn1-combinators (I manually merged the grammars in question to avoid ambiguous grammar exceptions)

Copy link
Member Author

hannesm commented Apr 4, 2021

I added some documentation. What is still missing here is construction (and encryption) of a PKCS12 container. Also some tests would be good to have.

Copy link
Member Author

hannesm commented Apr 5, 2021

done, ready to be merged and released.

@hannesm hannesm merged commit 4629cc4 into mirleft:main Apr 5, 2021
@hannesm hannesm deleted the p12 branch April 5, 2021 00:01
avsm pushed a commit to ocaml/opam-repository that referenced this pull request Apr 6, 2021

* FEATURE PKCS12 support (mirleft/ocaml-x509#114 by @hannesm)
* FEATURE ECDSA and EDDSA support via mirage-crypto-ec (mirleft/ocaml-x509#145 by @hannesm)
  This breaks some clients since the Private_key.t and Public_key.t variants
  are extended (may result in partial pattern matches of users of this library).
* CRL.is_revoked has `crls` as last parameter to avoid warning 16
  (4.12 compatibility) (mirleft/ocaml-x509#144 by @hannesm)
* Signing_request.sign: add optional labelled argument `~subject` to allow
  changing the subject when signing a signing request (mirleft/ocaml-x509#139 by @reynir)
* BUGFIX Encoding of Distinguished_name components (adhere to specification)
  DomainComponent and EMail are now serialised using a IA5String; Serialnumber,
  CountryName and DnQualifier as PrintableString (reported in mirleft/ocaml-x509#69, fixed mirleft/ocaml-x509#140
  by @NightBlues)
* BREAKING Remove `~sloppy` from Private_key.decode_{pem,der}. The seemingly
  bad RSA keys were valid and should have been accepted by mirage-crypto.
  (mirleft/ocaml-x509#142 by @psafont)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

Successfully merging this pull request may close these issues.

None yet

1 participant