Giters

digitalbazaar / forge

A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps

Home Page:https://digitalbazaar.com/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Support different MAC Algorithms to generate PKCS12 wrapper

leninmehedy opened this issue · comments

commented

Background

Currently openssl or keytool uses SHA256 to generate MAC data for pkcs12. However, node-forge uses SHA1 as here

openssl also allows specifying the macAlgorithm using parameter below:

-macalg val Digest algorithm to use in MAC (default SHA256)

node-forge currently allows reading pkcs12 files generated by other tool and supports detecting the MAC algorithm used as you can find here

Proposal

We should allow passing a new option called options.macAlgorithm for function p12.toPkcs12Asn1.

Here:

  • macAlgorithm should be a string similar to options.algorithm or options.encAlgorithm parameter.
  • macAlgorithm must default to sha1 for backward compatibility.

For example, someone should be allowed to generate pkcs12 using node-forge as below that essentially generates similar to openssl:

const pkcs12Asn1 = forge.pkcs12.toPkcs12Asn1(keypair.privateKey, cert, constants.PFX_DUMMY_PASSWORD, {
       count: 10000,
       saltSize: 20,
       algorithm: `aes256`
       macAlgorithm: 'sha256'
       friendlyName: `my-node0`,
})


# generate pkcs12 file using openssl
openssl pkcs12 -export -out private-node0-openssl.p12 -inkey myKey.pem -in cert.pem -iter 10000 -name my-node0 -macsaltlen 20
commented

I have a fix made locally and will make a PR for your consideration and review.