Provide a way to export PKCS12 in a way compatible with major OS (closes #7293) #7458

Closed

@schwabe schwabe commented Jul 29, 2022

This is mainly to get comments on whether this is a good way for the API to implement this or if another approach should be taken.

@reaperhulk
Member

I think a compatibility class is fine, but there are a lot of questions about what every other serialization method that accepts KeySerializationEncryption will do when (incorrectly) passing this new class. Additionally, we should be very explicit about what this supports (e.g. macOS 12.x and below, Windows Server 2016 and below, Android 12 and below). I'd also like to determine what the minimum degradation is to support this. e.g. can we just do SHA1 MAC and leave it AES256? Or is 3DES a hard requirement?

@schwabe schwabe force-pushed the allow_pkcs12_export_compat branch from 0ccd210 to c66801a Compare July 30, 2022 21:48
@schwabe
Author

schwabe commented Jul 31, 2022

In my tests AES128 and AES256 did not work. Only 3DES and SHA1 were working. I did not test Windows 2016, but for Android and macOS this seems to be a hard requirement. I renamed the security class to PKCS12CompatibilityEncryption to make it clearer that it is PKCS12 only. I see your point, but I am unsure what a better API would look like. Something like doing a special encryption class only for PKCS12?

I have successfully tested generating PKCS12 files using the PKCS12CompatibilityEncryption that worked on Android 12 and macOS 15.

@alex alex added this to the Thirty Eighth Release milestone Aug 4, 2022
 pyca#7293)

No tests for PKCS12CompatibilityEncryption for other functions taking
KeySerializationEncryption classes, as the DummyKeySerializationEncryption
tests already check for a proper error in this case.
@reaperhulk
Member

Obsoleted by #7560, but thanks for working on this, it helped significantly in that other PR's evolution.

@reaperhulk reaperhulk closed this Sep 5, 2022