
Support different MAC Algorithms to generate PKCS12 wrapper #1061

Description

@leninmehedy

Background

Currently openssl or keytool uses SHA256 to generate MAC data for pkcs12. However, node-forge uses SHA1 as here

openssl also allows specifying the macAlgorithm using parameter below:

-macalg val Digest algorithm to use in MAC (default SHA256)

node-forge currently allows reading pkcs12 files generated by other tools and supports detecting the MAC algorithm used as you can find here

Proposal

We should allow passing a new option called options.macAlgorithm for function p12.toPkcs12Asn1.

Here:

  • macAlgorithm should be a string similar to the options.algorithm or options.encAlgorithm parameters.
  • macAlgorithm must default to sha1 for backward compatibility.

For example, someone should be allowed to generate pkcs12 using node-forge as below, which essentially generates the same thing as openssl:

const pkcs12Asn1 = forge.pkcs12.toPkcs12Asn1(keypair.privateKey, cert, constants.PFX_DUMMY_PASSWORD, {
       count: 10000,
       saltSize: 20,
       algorithm: `aes256`,
       macAlgorithm: 'sha256',
       friendlyName: `my-node0`,
})

# generate pkcs12 file using openssl
openssl pkcs12 -export -out private-node0-openssl.p12 -inkey myKey.pem -in cert.pem -iter 10000 -name my-node0 -macsaltlen 20
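To make concrete what a macAlgorithm option has to change, here is an added example (not node-forge's or OpenSSL's code) that computes PKCS#12 MacData the way RFC 7292 Appendix B specifies: the MAC key is derived with the PKCS#12 KDF (purpose ID 3) using the chosen digest, then an HMAC with that same digest is taken over the authSafe bytes. The authSafe content, password and salt are constructed values; the password is encoded as a BMPString with a terminating 0x0000, which is the encoding node-forge and OpenSSL use.

```python
# Added example: PKCS#12 MacData with a selectable digest (sha1 vs sha256).
import hashlib
import hmac
import math

def pkcs12_kdf(password: str, salt: bytes, iterations: int, digest: str,
               key_len: int, purpose_id: int = 3) -> bytes:
    """RFC 7292 B.2 key derivation; purpose_id 3 selects the MAC key."""
    h = hashlib.new(digest)
    u, v = h.digest_size, h.block_size          # u = output bytes, v = block bytes
    pw = password.encode("utf-16-be") + b"\x00\x00"   # BMPString with 0x0000 terminator
    d = bytes([purpose_id]) * v                 # D: v bytes of the purpose ID

    def fill(b: bytes) -> bytes:                # repeat b up to a multiple of v bytes
        if not b:
            return b""
        n = v * math.ceil(len(b) / v)
        return (b * (n // len(b) + 1))[:n]

    i_blk = bytearray(fill(salt) + fill(pw))    # I = S || P
    out = b""
    while len(out) < key_len:
        a = d + bytes(i_blk)
        for _ in range(iterations):             # A_i = H^r(D || I)
            a = hashlib.new(digest, a).digest()
        out += a
        b_int = int.from_bytes((a * (v // u + 1))[:v], "big")   # B: A_i repeated to v bytes
        for j in range(0, len(i_blk), v):       # I_j = (I_j + B + 1) mod 2^(8v)
            ij = (int.from_bytes(i_blk[j:j + v], "big") + b_int + 1) % (1 << (8 * v))
            i_blk[j:j + v] = ij.to_bytes(v, "big")
    return out[:key_len]

def pkcs12_mac(auth_safe: bytes, password: str, salt: bytes,
               iterations: int, mac_algorithm: str) -> bytes:
    """MacData digest: HMAC-<mac_algorithm> keyed with the KDF output of the same digest."""
    key_len = hashlib.new(mac_algorithm).digest_size
    key = pkcs12_kdf(password, salt, iterations, mac_algorithm, key_len)
    return hmac.new(key, auth_safe, mac_algorithm).digest()

def verify_pkcs12_mac(auth_safe: bytes, password: str, salt: bytes,
                      iterations: int, mac_algorithm: str, expected: bytes) -> bool:
    """Constant-time check of a stored MacData value against a recomputation."""
    actual = pkcs12_mac(auth_safe, password, salt, iterations, mac_algorithm)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    salt = bytes(range(20))                     # constructed 20-byte salt (saltSize: 20)
    data = b"constructed authSafe DER bytes"    # constructed stand-in for the authSafe
    for alg in ("sha1", "sha256"):              # count: 10000 as in the proposal
        print(alg, pkcs12_mac(data, "changeit", salt, 10000, alg).hex())
```

Switching the digest changes both the derived key length and the HMAC, so a reader that only assumes SHA-1 would fail to verify a file written with macAlgorithm 'sha256'.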
