Rewrite PFX using AES256-SHA256

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Local $bSuccess = False

$oPfx = ObjCreate("Chilkat.Pfx")

; Let's load a .pfx and examine the encryption algorithms used to protect the private key:
$bSuccess = $oPfx.LoadPfxFile("qa_data/pfx/test_secret.pfx","secret")
If ($bSuccess = False) Then
    ConsoleWrite($oPfx.LastErrorText & @CRLF)
    Exit
EndIf

; Examine the algorithms:

; "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
ConsoleWrite("Algorithm: " & $oPfx.AlgorithmId & @CRLF)

; If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
; (If the algorithm is NOT "pbes2", these two properties are meaningless: they simply keep whatever values they held before the PFX was loaded.)
ConsoleWrite("Pbes2CryptAlg: " & $oPfx.Pbes2CryptAlg & @CRLF)
ConsoleWrite("Pbes2HmacAlg: " & $oPfx.Pbes2HmacAlg & @CRLF)

; Our output so far:

; Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
; Pbes2CryptAlg: aes256-cbc
; Pbes2HmacAlg: hmacWithSha256

; This tells us that the PFX we loaded was protected using triple-DES with SHA1.
; (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
; The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

; Examine the last JSON data collected in the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
$oJson = ObjCreate("Chilkat.JsonObject")
; AutoIt method calls need parentheses around their arguments; GetLastJsonData returns True on success.
$bSuccess = $oPfx.GetLastJsonData($oJson)
If ($bSuccess = False) Then
    ConsoleWrite($oPfx.LastErrorText & @CRLF)
    Exit
EndIf

$oJson.EmitCompact = False
ConsoleWrite($oJson.Emit() & @CRLF)

; Sample output


; {
;   "authenticatedSafe": {
;     "contentInfo": [
;       {
;         "type": "Data",
;         "safeBag": [
;           {
;             "type": "pkcs8ShroudedKeyBag",
;             "attrs": {
;               "localKeyId": "16444216",
;               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
;               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
;             }
;           }
;         ]
;       },
;       {
;         "type": "EncryptedData",
;         "safeBag": [
;           {
;             "type": "certBag",
;             "attrs": {
;               "localKeyId": "16444216"
;             },
;             "subject": "....",
;             "serialNumber": "9999999999999999999999999999"
;           },
;           {
;             "type": "certBag",
;             "attrs": {
;               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
;               "friendlyName": "XYZ",
;               "enhKeyUsage": [
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.2",
;                   "usage": "clientAuth"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.4",
;                   "usage": "emailProtection"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.3",
;                   "usage": "codeSigning"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.8",
;                   "usage": "timeStamping"
;                 },
;                 {
;                   "oid": "1.3.6.1.4.1.311.10.3.4",
;                   "usage": "encryptedFileSystem"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.8.2.2",
;                   "usage": "iKEIntermediate"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.6",
;                   "usage": "ipsecTunnel"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.7",
;                   "usage": "ipsecUser"
;                 },
;                 {
;                   "oid": "1.3.6.1.5.5.7.3.5",
;                   "usage": "ipsecEndSystem"
;                 }
;               ]
;             },
;             "subject": "...",
;             "serialNumber": "8888888888888888888888888888"
;           },
;           {
;             "type": "certBag",
;             "subject": "...",
;             "serialNumber": "777777777777777777777777777"
;           }
;         ]
;       }
;     ]
;   }
; }

; ------------------------------------------------------------------------------------------
; OK... now let's change the AlgorithmId to "pbes2" 

$oPfx.AlgorithmId = "pbes2"

; We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
; Let's set them anyway just for the example...
$oPfx.Pbes2CryptAlg = "aes256-cbc"
$oPfx.Pbes2HmacAlg = "hmacWithSha256"

; Rewrite the PFX using pbes2/aes256 + sha256
$bSuccess = $oPfx.ToFile("secret","qa_output/test_secret_aes256.pfx")
If ($bSuccess = False) Then
    ConsoleWrite($oPfx.LastErrorText & @CRLF)
    Exit
EndIf

ConsoleWrite("Success." & @CRLF)
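The AutoIt sample reads AlgorithmId, Pbes2CryptAlg and Pbes2HmacAlg after loading the PFX with its password. The same facts can be read without the password, because the PKCS#12 AlgorithmIdentifiers sit in the clear, which is what you want when auditing a directory of .pfx files for legacy 3DES/SHA1 protection. The scanner below is an added example in dependency-free Python, not Chilkat code and not from the original page; it assumes DER definite-length encoding (BER indefinite-length exports are reported as unknown) and uses two constructed, reduced PKCS#12 byte strings as inputs.

```python
OID_NAMES = {  # dotted OID -> the name the Chilkat properties report
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3_KeyTripleDES_CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2_CBC",
    "1.2.840.113549.1.5.13": "pbes2",
    "2.16.840.1.101.3.4.1.42": "aes256-cbc",
    "1.2.840.113549.2.9": "hmacWithSha256"}

def decode_oid(body: bytes) -> str:   # content bytes of a DER OBJECT IDENTIFIER -> dotted form
    arcs, value = ([body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]), 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def _tlv(data: bytes, pos: int):   # one DER TLV -> (tag, content, next_pos), or None if malformed
    if pos + 2 > len(data):
        return None
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:   # long form; n == 0 would be BER indefinite length, which is rejected
        if not 0 < (n := length & 0x7F) <= 4:
            return None
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return (tag, data[pos:pos + length], pos + length) if pos + length <= len(data) else None

def find_oids(data: bytes) -> list:
    # Every OID, depth first: descends into constructed elements and into OCTET STRINGs that parse
    # as DER (PKCS#12 nests its SafeContents there); ciphertext that does not parse is skipped.
    oids, pos = [], 0
    while pos < len(data):
        parsed = _tlv(data, pos)
        if parsed is None:
            return []
        tag, content, pos = parsed
        if tag == 0x06:
            oids.append(decode_oid(content))
        elif tag & 0x20 or tag == 0x04:
            oids.extend(find_oids(content))
    return oids

def summarize(pfx_der: bytes) -> dict:   # the facts the sample reads from AlgorithmId and friends
    names = [OID_NAMES.get(o, o) for o in find_oids(pfx_der)]
    if "pbes2" not in names:
        return {"AlgorithmId": next((n for n in names if n.startswith("pbeWith")), "unknown")}
    return {"AlgorithmId": "pbes2",
            "Pbes2CryptAlg": next((n for n in names if n.endswith("-cbc")), None),
            "Pbes2HmacAlg": next((n for n in names if n.startswith("hmacWith")), None)}

# Constructed inputs (reduced PKCS#12 shapes, not real files): SEQUENCE { OCTET STRING { SEQUENCE {
# AlgorithmIdentifier } } }, i.e. the algorithm nested inside an OCTET STRING as in a real authenticatedSafe.
SAMPLE_LEGACY = bytes.fromhex("301604143012060a2a864886f70d010c0103040401020304")   # 3DES/SHA1 + 4-byte salt
SAMPLE_PBES2 = bytes.fromhex("30260424302206092a864886f70d01050d301506082a864886f70d0209060960864801650304012a")
```

Run it on a real file with `summarize(open("some.pfx", "rb").read())`; a result other than pbes2 with aes256-cbc and hmacWithSha256 marks a file that the rewrite in the sample above should be applied to.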