I have a Java application which creates .p12 files (with Bouncy Castle (BC)). I’m not able to import the .p12 file created via Java into the macOS (macOS 11) keychain:
<code>security import mycert-personauth.p12 -k ~/Library/Keychains/login.keychain-db
</code>
This prompts for the password, and when I enter it, it fails with “Sorry, you entered an invalid password”. If I use the same password with openssl to view the file, it works fine:
<code>openssl pkcs12 -in mycert-personauth.p12 -info -nokeys -passin pass:$pw
</code>
If I create a .p12 from the same certs in mycert-personauth.p12, it works.
<code>openssl pkcs12 -export -out ~/test1.pfx -inkey cert/mytest-personauth.key -in cert/mytest-personauth.crt -certfile ca/ca-trust.crt
security import ~/test1.pfx -k ~/Library/Keychains/login.keychain-db
[ GUI prompt for password here ]
1 identity imported.
2 certificates imported.
</code>
Here is the non-working mycert-personauth.p12 as reported by openssl:
<code>MAC Iteration 10000
MAC verified OK
PKCS7 Data
Shrouded Keybag: PKCS7 Encrypted data: Certificate bag
Bag Attributes
friendlyName: certandkey
localKeyID: 54 69 6D 65 20 31 37 31 37 37 31 30 30 32 33 39 38 31
subject=/DC=com/DC=contoso/CN=Users/CN=David Bowie
issuer=/DC=com/DC=contoso/CN=Contoso Issuing CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: CN=Contoso Issuing CA,DC=contoso,DC=com
subject=/DC=com/DC=contoso/CN=Contoso Issuing CA
issuer=/CN=Contoso Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
friendlyName: CN=Contoso Root CA
subject=/CN=Contoso Root CA
issuer=/CN=Contoso Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</code>
Here is the working test1.pfx that imports successfully:
<code>MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: F8 AB 55 96 23 95 4F 41 50 87 DB 98 41 DE 3A 78 50 66 2B 6D
subject=/DC=com/DC=contoso/CN=Users/CN=David Bowie
issuer=/DC=com/DC=contoso/CN=Contoso Issuing CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=/DC=com/DC=contoso/CN=Contoso Issuing CA
issuer=/CN=Contoso Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <No Attributes>
subject=/CN=Contoso Root CA
issuer=/CN=Contoso Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
</code>
So there must be some problem in our Java code. Here is the greatly simplified Java code:
<code>import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;

// keyPassword is set to same value as the keystore password
public void setPrivateKey(PrivateKey key, String alias, String keyPassword, java.security.cert.Certificate[] chain) throws KeyStoreException {
    // ...
    // no provider argument: the highest-priority registered PKCS12 implementation is used, not necessarily BC
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    // chain[0] is the subject cert and chain[1..N] is the CA trust chain
    keyStore.setKeyEntry(alias, key, keyPassword.toCharArray(), chain);
}
</code>
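A way to make the comparison drawn above repeatable, added here as an example that is not part of the question or of the asker's Java code: a small Python inspector that reads only the outer structure of a .p12 and reports the three header items that `openssl pkcs12 -info` prints (MAC digest and iteration count, the certificate safe's PBE algorithm and iteration count, the shrouded key bag's PBE algorithm and iteration count), then lists every parameter on which a file differs from test1.pfx, the file that imported cleanly. The algorithm names and the `KNOWN_GOOD` profile are taken from the openssl output quoted above; the PFX the script builds for offline use is a constructed skeleton with dummy ciphertext, and the DER reader assumes definite-length encoding. One observation the script does not need but a reader may want: the `localKeyID` bytes in the failing file decode as the ASCII string `Time 1717710023981`, the form the JDK's built-in PKCS12 keystore writes (Bouncy Castle's keystore uses a SHA-1 key identifier, as the working file does), so it is worth confirming which provider `KeyStore.getInstance("PKCS12")` actually resolved to.

```python
"""Report the MAC and PBE parameters of a PKCS#12 file without decrypting it (added example, not
the question's code). It recovers what `openssl pkcs12 -info` prints on its header lines and lists
differences from test1.pfx, the file the question shows importing cleanly. Definite-length DER only."""
H = bytes.fromhex  # OIDs are kept DER-encoded; dotted forms in the comments
DATA, ENCRYPTED_DATA = H("2a864886f70d010701"), H("2a864886f70d010706")  # 1.2.840.113549.1.7.{1,6}
PBES2, SHA1, SHA256 = H("2a864886f70d01050d"), H("2b0e03021a"), H("608648016503040201")
PBE_SHA1_3DES, PBE_SHA1_RC2_40 = H("2a864886f70d010c0103"), H("2a864886f70d010c0106")  # ..12.1.{3,6}
SHROUDED_KEY_BAG, CERT_BAG = H("2a864886f70d010c0a0102"), H("2a864886f70d010c0a0103")  # ..12.10.1.{2,3}
OIDS = {SHA1: "sha1", SHA256: "sha256", PBES2: "PBES2", PBE_SHA1_RC2_40: "pbeWithSHA1And40BitRC2-CBC",
        PBE_SHA1_3DES: "pbeWithSHA1And3-KeyTripleDES-CBC"}
KNOWN_GOOD = {"mac": ("sha1", 2048), "cert": (OIDS[PBE_SHA1_RC2_40], 2048),  # what openssl reported
              "key": (OIDS[PBE_SHA1_3DES], 2048), "plain_cert_bags": False}    # for test1.pfx

# --- minimal DER reader: single-byte tags, definite lengths ---
def _kids(buf, start, end):  # (tag, value start, value end) for each element in buf[start:end]
    out, pos = [], start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, pos, pos + length))
        pos += length
    return out
def _top(buf): return _kids(buf, *_kids(buf, 0, len(buf))[0][1:])  # children of the outer element
def _raw(buf, el): return buf[el[1]:el[2]]  # value bytes of an element
def _int(buf, el): return int.from_bytes(_raw(buf, el), "big", signed=True)
def _name(buf, el): return OIDS.get(_raw(buf, el), _raw(buf, el).hex())

def describe_pbe(buf, start, end):
    """(name, iterations) for an AlgorithmIdentifier with pkcs-12PbeParams or PBES2/PBKDF2 params."""
    k = _kids(buf, start, end)  # algorithm OID, parameters
    p = _kids(buf, *k[1][1:]) if len(k) > 1 else []  # [] when parameters are NULL or absent
    iters = None
    if _raw(buf, k[0]) == PBES2 and p:  # { keyDerivationFunc { id-PBKDF2, { salt, iterationCount, .. } }, .. }
        iters = _int(buf, _kids(buf, *_kids(buf, *p[0][1:])[1][1:])[1])
    elif len(p) > 1 and p[1][0] == 0x02:  # pkcs-12PbeParams { salt OCTET STRING, iterations INTEGER }
        iters = _int(buf, p[1])
    return _name(buf, k[0]), iters

def inspect_pkcs12(der):
    """Outer layout: (algorithm, iterations) of the MAC, of the encrypted certificate safe and of the
    shrouded key bag, plus whether any certificate bag sits unencrypted in a PKCS7 Data safe."""
    rep = {"mac": None, "cert": None, "key": None, "plain_cert_bags": False}
    pfx = _top(der)  # PFX { version, authSafe ContentInfo, macData OPTIONAL }
    inner = _raw(der, _kids(der, *_kids(der, *pfx[1][1:])[1][1:])[0])  # [0] OCTET STRING -> AuthenticatedSafe
    for _, cs, ce in _top(inner):  # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
        k = _kids(inner, cs, ce)  # contentType, [0] EXPLICIT content
        ctype, body = _raw(inner, k[0]), _kids(inner, *k[1][1:])[0]
        if ctype == ENCRYPTED_DATA:  # EncryptedData { 0, { id-data, contentEncryptionAlgorithm, [0] ct } }
            alg = _kids(inner, *_kids(inner, *body[1:])[1][1:])[1]
            rep["cert"] = describe_pbe(inner, *alg[1:])
        elif ctype == DATA:  # OCTET STRING holding SafeContents ::= SEQUENCE OF SafeBag
            sc = _raw(inner, body)
            for _, bs, be in _top(sc):
                bk = _kids(sc, bs, be)  # bagId, [0] EXPLICIT bagValue, bagAttributes OPTIONAL
                if _raw(sc, bk[0]) == SHROUDED_KEY_BAG:  # bagValue: EncryptedPrivateKeyInfo { alg, data }
                    alg = _kids(sc, *_kids(sc, *bk[1][1:])[0][1:])[0]
                    rep["key"] = describe_pbe(sc, *alg[1:])
                elif _raw(sc, bk[0]) == CERT_BAG:
                    rep["plain_cert_bags"] = True
    if len(pfx) > 2:  # MacData { mac DigestInfo { digestAlgorithm, digest }, macSalt, iterations DEFAULT 1 }
        mk = _kids(der, *pfx[2][1:])
        digest_oid = _kids(der, *_kids(der, *mk[0][1:])[0][1:])[0]
        rep["mac"] = (_name(der, digest_oid), _int(der, mk[2]) if len(mk) > 2 else 1)
    return rep

def diff_from_known_good(rep):  # {field: (this file, known-good)} for every parameter that differs
    return {f: (rep[f], KNOWN_GOOD[f]) for f in KNOWN_GOOD if rep[f] != KNOWN_GOOD[f]}

# --- constructed sample input: a tiny DER writer and a PFX skeleton with dummy ciphertext ---
def _tlv(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def _enc_int(v): return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_sample_pfx(cert_pbe, key_pbe, pbe_iters, mac_iters):
    """PFX laid out like test1.pfx (cert_pbe given) or like the failing file (cert_pbe=None: certificate
    bags unencrypted beside the key bag). Constructed for illustration; not a loadable keystore."""
    def alg(oid):  # AlgorithmIdentifier { oid, pkcs-12PbeParams { salt, iterations } }
        return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x30, _tlv(0x04, bytes(8)) + _enc_int(pbe_iters)))
    def data_ci(bags):  # ContentInfo { id-data, [0] OCTET STRING (SafeContents) }
        return _tlv(0x30, _tlv(0x06, DATA) + _tlv(0xA0, _tlv(0x04, _tlv(0x30, bags))))
    epki = _tlv(0x30, alg(key_pbe) + _tlv(0x04, bytes(16)))  # EncryptedPrivateKeyInfo
    key_bag = _tlv(0x30, _tlv(0x06, SHROUDED_KEY_BAG) + _tlv(0xA0, epki))
    cert_bag = _tlv(0x30, _tlv(0x06, CERT_BAG) + _tlv(0xA0, _tlv(0x30, b"")))
    if cert_pbe:  # ContentInfo { id-encryptedData, [0] EncryptedData { 0, { id-data, alg, [0] ciphertext } } }
        eci = _tlv(0x30, _tlv(0x06, DATA) + alg(cert_pbe) + _tlv(0x80, bytes(16)))
        safes = _tlv(0x30, _tlv(0x06, ENCRYPTED_DATA) + _tlv(0xA0, _tlv(0x30, _enc_int(0) + eci)))
        safes += data_ci(key_bag)
    else:
        safes = data_ci(key_bag + cert_bag)
    auth = _tlv(0x30, _tlv(0x06, DATA) + _tlv(0xA0, _tlv(0x04, _tlv(0x30, safes))))
    digest = _tlv(0x30, _tlv(0x30, _tlv(0x06, SHA1) + _tlv(0x05, b"")) + _tlv(0x04, bytes(20)))
    mac = _tlv(0x30, digest + _tlv(0x04, bytes(8)) + _enc_int(mac_iters))
    return _tlv(0x30, _enc_int(3) + auth + mac)
```

Run `inspect_pkcs12(open(path, "rb").read())` on both files and pass each result to `diff_from_known_good`; an empty dict means the file matches test1.pfx on every parameter the script looks at, and a non-empty one names the field, the file's value and the known-good value side by side. The script stops at the outer structure on purpose, so it never needs the password and works on a file the keychain has already refused.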