SSLMate / go-pkcs12

Go library for encoding and decoding PKCS#12 files

Home Page: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12


Single item Authenticated Safe support

joejwills opened this issue · comments

Hi there,

I have a use case that is currently unsupported but would like to get implemented if possible.
I am working with an Authenticode code signing certificate issued by DigiCert.
When using DecodeChain, the decode fails, as exactly two items are expected in the Authenticated Safe.

It appears that the implementation this is based on had all the certificate bags in one item in the Authenticated Safe and then the PKCS8ShroudedKeyBag in a separate bag under a separate item in the Authenticated Safe, but the PFX PDU that I am using has the shrouded key and all of the cert bags together in a single item within the Safe.

The error is thrown in getSafeContents in pkcs12.go here: https://github.com/SSLMate/go-pkcs12/blob/01f6600bb3869be1db8ab7b801c02a76dc56280d/pkcs12.go#L406C2-L406C2. It would appear from the spec (https://www.rfc-editor.org/rfc/rfc7292) that >=1 items in the Authenticated Safe is a possibility.

I would be happy to put together a pull request and discuss further if this sounds like something you would like to incorporate.

Thanks.
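A diagnostic check for the layout described above, added here as an example and not code from go-pkcs12 or from this thread: it walks the outer PFX and its AuthenticatedSafe with encoding/asn1 and reports how many ContentInfo items the safe holds, accepting any count of one or more (as RFC 7292 allows) instead of exactly two. The sample PFX is constructed inline (placeholder bytes stand in for real SafeContents, no MAC), and the names contentInfo, pfxPDU, wrapData, buildPFX and countSafeItems are chosen for this example only.

```go
package main

import "encoding/asn1"
import "errors"

var oidData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1} // id-data (PKCS#7)

// contentInfo mirrors PKCS#7 ContentInfo; Content keeps the [0] EXPLICIT wrapper raw.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
}

// pfxPDU mirrors the outer PFX of RFC 7292; the optional MAC is not verified here.
type pfxPDU struct {
	Version  int
	AuthSafe contentInfo
	MacData  asn1.RawValue `asn1:"optional"`
}

// wrapData builds an id-data ContentInfo whose [0] body is an OCTET STRING of payload.
func wrapData(payload []byte) contentInfo {
	octets, _ := asn1.Marshal(payload) // marshalling a []byte cannot fail
	return contentInfo{ContentType: oidData, Content: asn1.RawValue{
		Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: octets}}
}

// buildPFX constructs a MAC-less PFX whose AuthenticatedSafe holds n id-data items
// (constructed placeholder bytes stand in for real SafeContents).
func buildPFX(n int) ([]byte, error) {
	items := make([]contentInfo, 0, n)
	for i := 0; i < n; i++ {
		items = append(items, wrapData([]byte{byte(i)}))
	}
	authSafeDER, _ := asn1.Marshal(items) // fixed, well-formed input: cannot fail
	return asn1.Marshal(pfxPDU{Version: 3, AuthSafe: wrapData(authSafeDER)})
}

// countSafeItems parses a PFX and reports how many ContentInfo items its
// AuthenticatedSafe holds, accepting any count >= 1 as RFC 7292 allows.
func countSafeItems(pfxDER []byte) (int, error) {
	var pfx pfxPDU
	if _, err := asn1.Unmarshal(pfxDER, &pfx); err != nil {
		return 0, err
	} else if pfx.Version != 3 || !pfx.AuthSafe.ContentType.Equal(oidData) {
		return 0, errors.New("unsupported PFX: expected version 3 with id-data authSafe")
	}
	var authSafeDER []byte // the OCTET STRING inside the [0] wrapper
	if _, err := asn1.Unmarshal(pfx.AuthSafe.Content.Bytes, &authSafeDER); err != nil {
		return 0, err
	}
	var items []contentInfo
	if _, err := asn1.Unmarshal(authSafeDER, &items); err != nil {
		return 0, err
	} else if len(items) == 0 {
		return 0, errors.New("AuthenticatedSafe must hold at least one item")
	}
	return len(items), nil
}
```

Running countSafeItems over a real .p12 (read from disk) shows whether it uses the single-item layout from this issue or the two-item layout the current decoder expects; a signedData authSafe (public-key integrity mode) is rejected by the content-type check.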

I think it would be appropriate for DecodeChain to support decoding PKCS#12 files which are structured like this, and I would review a PR that adds support. Please base the PR on the encoder branch.

(Thank you for opening an issue for discussion before starting on a PR!)