pkcs12 generation for EC key types using javascript

I’m generating p12 for EC keytypes using Forge library. https://github.com/digitalbazaar/forge/issues/777

This library already provides p12 for RSA key types. Now I’m trying to extend it to ECC key types.

  1. Generating pem format Privatekey, certs into asn1 format private key. Here I’ve written ECPrivateValidator to validate and convert into asn1 format private key.

```
  class: asn1.Class.UNIVERSAL,
  tag: asn1.Type.SEQUENCE,
  capture: 'privateKeyInfo',
  value: [{
    name: 'PrivateKeyInfo.Version',
    class: asn1.Class.UNIVERSAL,
    tag: asn1.Type.INTEGER,
    capture: 'privateKeyVersion'
  }]
}
```

Can you guide me if you have any thoughts on it?

Java KeyStore vs OpenSSL implementations of pkcs12 files - they seem to differ. Do they?

I generated a pkcs12 keystore in Java and wanted to inspect it with OpenSSL, but OpenSSL threw back an error. After a bit of head scratching I realized that the KeyStore format in Java allows you to have different passwords on the store itself and the pkcs8 encrypted key inside, while OpenSSL seems to assume that both passwords have to be the same. I can easily inspect a pkcs12 file created in Java if both the file and key passwords are the same, but get an error when they differ:

```
Bag Attributes
    friendlyName: usercert
    localKeyID: 54 69 6D 65 20 31 35 38 38 30 32 32 30 31 38 30 37 31
Error outputting keys and certificates
139815467680960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
139815467680960:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:62:
139815467680960:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:93:
```

Have I missed something or is it correct to say that the pkcs12 implementations differ slightly?

I’m looking for a way to be able to inspect pkcs12 files with OpenSSL where the two passwords differ. Any help would be appreciated.

Can I use PBKDF2 derivation function to generate a MAC in PKCS12 file?

It seems that the default password based key derivation function that is used by PKCS12 to generate a MAC is this one. It is unique to the standard and probably not used anywhere else. Is it possible to use PBKDF2 instead to generate a MAC? Surely I can use PBES2 scheme with PBKDF2 to protect key bags, but how do I encode this information for the whole file’s MAC? Is it possible in principle? So far my attempts to use it resulted in files that are not recognized both by OpenSSL and Windows tools.

Convert private SSL certificate to PKCS12 format for JKS Keystore [migrated]

I got the following files from company certificate provider.

```
jenkins.int.XX.com.key
XX_Inc_Private_Root_CA.base64.cer
XX_Inc_Private_Root_CA.crt
XX_Inc_Private_SSL_CA.509.cer
XX_Inc_Private_SSL_CA.509.pem
```

Here are the two commands I run to convert:

```
openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:changeit' -inkey jenkins.int.xx.com.key -in XX_Inc_Private_Root_CA.base64.cer

error message: No certificate matches private key

openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:changeit' -inkey jenkins.int.xx.com.key -in XX_Inc_Private_SSL_CA.509.cer

error message: unable to load certificates
```

What is the right way to do it?

Can a PKCS12 keystore be FIPS compliant?

Is it possible to generate a PKCS12 keystore that will be FIPS compliant? In regular mode, I’m using "1.2.840.113549.1.12.1.3" - pbeWithSHAAnd3-KeyTripleDES-CBC(3) algorithm to encrypt private keys, while leaving the certificate bags unencrypted. However it seems that this algorithm is not approved for FIPS, so I need to switch to something different. I figured that I can use "2.16.840.1.101.3.4.1.42" - aes256-CBC(42) and also PBKDF2 to calculate MAC, but so far I’m having problems with the code and I’m not sure if it is supposed to work that way. So, is it even possible to have PKCS12 keystores FIPS compliant, or am I simply doing something wrong and need to fix my code? Google gives me contradictory answers and I’m not sure which is correct.

Which format is the PKCS12 successor?

The documentation of a PKCS12 implementation for Go states the following:

> It is intended for decoding P12/PFX files for use with the crypto/tls package, and for encoding P12/PFX files for use by legacy applications which do not support newer formats. Since PKCS#12 uses weak encryption primitives, it SHOULD NOT be used for new applications.

I am wondering: which are the new formats succeeding PKCS12?