Delphi DLL
Delphi DLL
Rewrite PFX using AES256-SHA256
See more PFX/P12 Examples
Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.Chilkat Delphi DLL Downloads
uses
Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Pfx, JsonObject;
...
procedure TForm1.Button1Click(Sender: TObject);
var
success: Boolean;
pfx: HCkPfx;
json: HCkJsonObject;
begin
success := False;
pfx := CkPfx_Create();
// Let's load a .pfx and examine the encryption algorithms used to protect the private key:
success := CkPfx_LoadPfxFile(pfx,'qa_data/pfx/test_secret.pfx','secret');
if (success = False) then
begin
Memo1.Lines.Add(CkPfx__lastErrorText(pfx));
Exit;
end;
// Examine the algorithms:
// "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
Memo1.Lines.Add('Algorithm: ' + CkPfx__algorithmId(pfx));
// If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
// (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
Memo1.Lines.Add('Pbes2CryptAlg: ' + CkPfx__pbes2CryptAlg(pfx));
Memo1.Lines.Add('Pbes2HmacAlg: ' + CkPfx__pbes2HmacAlg(pfx));
// Our output so far:
// Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
// Pbes2CryptAlg: aes256-cbc
// Pbes2HmacAlg: hmacWithSha256
// This tells us that the PFX we loaded was protected using triple-DES with SHA1.
// (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
// The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2". We can ignore those values.
// Examine the last JSON data collected in the call to LoadPfxFile. This gives us information about what is contained in the PFX, including extended attributes.
json := CkJsonObject_Create();
CkPfx_GetLastJsonData(pfx,json);
CkJsonObject_putEmitCompact(json,False);
Memo1.Lines.Add(CkJsonObject__emit(json));
// Sample output
// Use this online tool to generate parsing code from sample JSON:
// Generate Parsing Code from JSON
// {
// "authenticatedSafe": {
// "contentInfo": [
// {
// "type": "Data",
// "safeBag": [
// {
// "type": "pkcs8ShroudedKeyBag",
// "attrs": {
// "localKeyId": "16444216",
// "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
// "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
// }
// }
// ]
// },
// {
// "type": "EncryptedData",
// "safeBag": [
// {
// "type": "certBag",
// "attrs": {
// "localKeyId": "16444216"
// },
// "subject": "....",
// "serialNumber": "9999999999999999999999999999"
// },
// {
// "type": "certBag",
// "attrs": {
// "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
// "friendlyName": "XYZ",
// "enhKeyUsage": [
// {
// "oid": "1.3.6.1.5.5.7.3.2",
// "usage": "clientAuth"
// },
// {
// "oid": "1.3.6.1.5.5.7.3.4",
// "usage": "emailProtection"
// },
// {
// "oid": "1.3.6.1.5.5.7.3.3",
// "usage": "codeSigning"
// },
// {
// "oid": "1.3.6.1.5.5.7.3.8",
// "usage": "timeStamping"
// },
// {
// "oid": "1.3.6.1.4.1.311.10.3.4",
// "usage": "encryptedFileSystem"
// },
// {
// "oid": "1.3.6.1.5.5.8.2.2",
// "usage": "iKEIntermediate"
// },
//
// {
// "oid": "1.3.6.1.5.5.7.3.6",
// "usage": "ipsecTunnel"
// },
// {
// "oid": "1.3.6.1.5.5.7.3.7",
// "usage": "ipsecUser"
// },
// {
// "oid": "1.3.6.1.5.5.7.3.5",
// "usage": "ipsecEndSystem"
// }
// ]
// },
// "subject": "...",
// "serialNumber": "8888888888888888888888888888"
// },
// {
// "type": "certBag",
// "subject": "...",
// "serialNumber": "777777777777777777777777777"
// }
// ]
// }
// ]
// }
// }
// ------------------------------------------------------------------------------------------
// OK... now let's change the AlgorithmId to "pbes2"
CkPfx_putAlgorithmId(pfx,'pbes2');
// We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
// Let's set them anyway just for the example...
CkPfx_putPbes2CryptAlg(pfx,'aes256-cbc');
CkPfx_putPbes2HmacAlg(pfx,'hmacWithSha256');
// Rewrite the PFX using pbes2/aes256 + sha256
success := CkPfx_ToFile(pfx,'secret','qa_output/test_secret_aes256.pfx');
if (success = False) then
begin
Memo1.Lines.Add(CkPfx__lastErrorText(pfx));
Exit;
end;
Memo1.Lines.Add('Success.');
CkPfx_Dispose(pfx);
CkJsonObject_Dispose(json);
end;