(Visual FoxPro) Rewrite PFX using AES256-SHA256

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Note: This example requires Chilkat v9.5.0.83 or greater.

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows

LOCAL loPfx
LOCAL lnSuccess
LOCAL loJson

* This example requires Chilkat v9.5.0.83 or greater.

* For versions of Chilkat < 10.0.0, use CreateObject('Chilkat_9_5_0.Pfx')
loPfx = CreateObject('Chilkat.Pfx')

* Let's load a .pfx and examine the encryption algorithms used to protect the private key:
lnSuccess = loPfx.LoadPfxFile("qa_data/pfx/test_secret.pfx","secret")
IF (lnSuccess = 0) THEN
    ? loPfx.LastErrorText
    RELEASE loPfx
    CANCEL
ENDIF

* Examine the algorithms:

* "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
? "Algorithm: " + loPfx.AlgorithmId

* If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
* (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
? "Pbes2CryptAlg: " + loPfx.Pbes2CryptAlg
? "Pbes2HmacAlg: " + loPfx.Pbes2HmacAlg

* Our output so far:

* Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
* Pbes2CryptAlg: aes256-cbc
* Pbes2HmacAlg: hmacWithSha256

* This tells us that the PFX we loaded was protected using triple-DES with SHA1.
* (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
* The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

* Examine the LastJsonData for the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
loJson = loPfx.LastJsonData()
loJson.EmitCompact = 0
? loJson.Emit()

RELEASE loJson

* Here's a sample LastJsonData:

* Use this online tool to generate parsing code from sample JSON: 
* Generate Parsing Code from JSON

* {
*   "authenticatedSafe": {
*     "contentInfo": [
*       {
*         "type": "Data",
*         "safeBag": [
*           {
*             "type": "pkcs8ShroudedKeyBag",
*             "attrs": {
*               "localKeyId": "16444216",
*               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
*               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
*             }
*           }
*         ]
*       },
*       {
*         "type": "EncryptedData",
*         "safeBag": [
*           {
*             "type": "certBag",
*             "attrs": {
*               "localKeyId": "16444216"
*             },
*             "subject": "....",
*             "serialNumber": "9999999999999999999999999999"
*           },
*           {
*             "type": "certBag",
*             "attrs": {
*               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
*               "friendlyName": "XYZ",
*               "enhKeyUsage": [
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.2",
*                   "usage": "clientAuth"
*                 },
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.4",
*                   "usage": "emailProtection"
*                 },
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.3",
*                   "usage": "codeSigning"
*                 },
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.8",
*                   "usage": "timeStamping"
*                 },
*                 {
*                   "oid": "1.3.6.1.4.1.311.10.3.4",
*                   "usage": "encryptedFileSystem"
*                 },
*                 {
*                   "oid": "1.3.6.1.5.5.8.2.2",
*                   "usage": "iKEIntermediate"
*                 },
* 
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.6",
*                   "usage": "ipsecTunnel"
*                 },
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.7",
*                   "usage": "ipsecUser"
*                 },
*                 {
*                   "oid": "1.3.6.1.5.5.7.3.5",
*                   "usage": "ipsecEndSystem"
*                 }
*               ]
*             },
*             "subject": "...",
*             "serialNumber": "8888888888888888888888888888"
*           },
*           {
*             "type": "certBag",
*             "subject": "...",
*             "serialNumber": "777777777777777777777777777"
*           }
*         ]
*       }
*     ]
*   }
* }

* ------------------------------------------------------------------------------------------
* OK... now let's change the AlgorithmId to "pbes2" 

loPfx.AlgorithmId = "pbes2"

* We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
* Let's set them anyway just for the example...
loPfx.Pbes2CryptAlg = "aes256-cbc"
loPfx.Pbes2HmacAlg = "hmacWithSha256"

* Rewrite the PFX using pbes2/aes256 + sha256
lnSuccess = loPfx.ToFile("secret","qa_output/test_secret_aes256.pfx")
IF (lnSuccess = 0) THEN
    ? loPfx.LastErrorText
    RELEASE loPfx
    CANCEL
ENDIF

? "Success."

RELEASE loPfx