Can't import cryptography generated pkcs12 into macos keychain #7293
Comments
What happens if you try this using
With 36.0.2 it imports just fine.
Okay, this looks like another manifestation of the OpenSSL 3 transition. Tagging this as a bug we need to get resolved for 38.
We should figure out why these aren't loading in macOS, and figure out if there's some action we should be pushing Apple to take -- e.g. are they rejecting valid PKCS#12 files?
@alex I don't think the PKCS#12 files are valid, because the same thing also happened to me with some Windows machines. |
Unfortunately that's not sufficient to say whether they're valid. Different vendors may have the same bug, or implement the same limited set of OIDs, so we really need an analytic inquiry into the cause of the incompatibility. |
#7043 has some OpenSSL commands to troubleshoot those PKCS#12 files. If a recent version of OpenSSL can't read them, I think you can be confident that it's an invalid file. Most likely macOS has the same issue as Windows, where it doesn't support AES256 as encryption for the PKCS#12 file.
At least for me OpenSSL can read the files. |
And what's the output from the command below?
With OpenSSL v3, try converting the PFX to 3DES + SHA1 MAC. Does that work?
So I did some testing/work on this and the same seems to be true for Android as well. I can import PKCS#12 when I use SHA1 as macalg, but it breaks as soon as I change it to SHA256:
works
is broken. Digging into the OpenSSL source itself suggests that the macalg function is calling
with
pyca#7293) No tests for PKCS12CompatibilityEncryption for other functions taking KeySerializationEncryption classes, as the DummyKeySerializationEncryption tests already check for a proper error in this case.
Versions:
Cryptography installed with poetry 1.2.0b1
I'm trying to create a self-signed certificate with cryptography, which mostly works, but it fails to import into the macOS (12.1) keychain. If I export the same certificate & private key as a chained PEM file and then use the openssl command line tool to convert it into a p12, I can successfully import it. This is the code I use to try to export the p12 using cryptography:
However, if instead I do this, macOS is happy to import it:
Am I using serialize_key_and_certificates wrong?