In my PHP program I try to verify the password for a PKCS#12 file (.p12/.pfx) with this OpenSSL command:

openssl pkcs12 -info -in myDigitalID.p12 -noout -passin pass:mypassword

output:

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
C4500000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

But I don't understand why it doesn't work! Please, can anyone help? Thanks.

Wael_al
  • What version(s) of OpenSSL were involved in generating the .p12 file, and verification? What OS platform(s) are involved? – leeharvey1 Feb 06 '22 at 18:17
  • I don't know much about how it was generated, because I got it from my university (each student can get a digital ID). For the verification I use OpenSSL 3.0.1 on Windows 10. But I guess it was generated with a different version of OpenSSL; could that be the reason? – Wael_al Feb 07 '22 at 21:17
  • Yes, differing versions, platforms, and CSPs might make a difference. I might try importing it into a certificate store, just to see if it works, and if any additional error information might be revealed. – leeharvey1 Feb 08 '22 at 17:38

1 Answer

If the command used to work in a previous OpenSSL version, try the following.

Failing command:

openssl pkcs12 -info -in myDigitalID.p12 -noout -passin pass:mypassword

Failing command output:

MAC: sha1, Iteration 2000
MAC length: 20, salt length: 8
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Error outputting keys and certificates
0C670000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

Ensure you have the legacy library (a file named legacy*., e.g. legacy-x64.dll). Instead of configuring environment variables, it may be easier to just copy the library as legacy. (e.g. legacy.dll) into both the libraries path and the path containing the openssl executable.

Then try this command:

openssl pkcs12 -info -in myDigitalID.p12 -noout -passin pass:mypassword -legacy -provider-path "C:\path\to\legacy_dir" -provider default

This time it should work and show something like this:

MAC: sha1, Iteration 2000
MAC length: 20, salt length: 8
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
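Wrapping the commands from the answer above in a password check that tells a wrong password apart from a missing legacy provider, so a PHP (or any other) caller does not report "invalid password" for the RC2-40 error in the question. This is an added example, not code from the question or the answer; it assumes OpenSSL 3.x is on PATH as `openssl` and takes the legacy provider directory as an optional third argument.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes OpenSSL 3.x
# is on PATH as `openssl`; the third argument (provider directory) is optional
# and corresponds to the answer's -provider-path value.

# Runs the -info check and prints only OpenSSL's stderr. The password is fed
# over stdin (-passin stdin) rather than `pass:`, so it never appears in the
# process list.
p12_info_stderr() {
    file=$1; password=$2; shift 2
    printf '%s\n' "$password" |
        openssl pkcs12 -info -in "$file" -noout -passin stdin "$@" 2>&1 >/dev/null
}

# True when stderr shows the OpenSSL 3 "unsupported" error for RC2-40-CBC:
# the file uses a legacy cipher, which says nothing about the password.
needs_legacy_provider() {
    case $1 in *unsupported*RC2-40-CBC*) return 0 ;; esac
    return 1
}

# True when stderr shows the MAC check failing, which is what OpenSSL
# reports for a wrong PKCS#12 password (the MAC is checked before any
# keybag is decrypted).
is_wrong_password() {
    case $1 in *"Mac verify error"*) return 0 ;; esac
    return 1
}

# Exit status: 0 password accepted, 1 wrong password, 2 other failure
# (legacy provider missing, unreadable file, openssl absent, ...).
verify_p12_password() {
    file=$1; password=$2; provider_dir=${3:-}
    err=$(p12_info_stderr "$file" "$password") && return 0
    if needs_legacy_provider "$err"; then
        # Retry with the legacy provider loaded, as in the answer above.
        if [ -n "$provider_dir" ]; then
            err=$(p12_info_stderr "$file" "$password" -legacy -provider default \
                  -provider-path "$provider_dir") && return 0
        else
            err=$(p12_info_stderr "$file" "$password" -legacy -provider default) && return 0
        fi
    fi
    is_wrong_password "$err" && return 1
    printf '%s\n' "$err" >&2
    return 2
}
```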
Jon