Sample code for 30+ languages & platforms
Java

Rewrite PFX using AES256-SHA256

See more PFX/P12 Examples

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Chilkat Java Downloads

Java
import com.chilkatsoft.*;

public class ChilkatExample {

  static {
    try {
        System.loadLibrary("chilkat");
    } catch (UnsatisfiedLinkError e) {
      System.err.println("Native code library failed to load.\n" + e);
      System.exit(1);
    }
  }

  public static void main(String argv[])
  {
    boolean success = false;

    CkPfx pfx = new CkPfx();

    //  Let's load a .pfx and examine the encryption algorithms used to protect the private key:
    success = pfx.LoadPfxFile("qa_data/pfx/test_secret.pfx","secret");
    if (success == false) {
        System.out.println(pfx.lastErrorText());
        return;
        }

    //  Examine the algorithms:

    //  "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
    System.out.println("Algorithm: " + pfx.algorithmId());

    //  If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
    //  (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
    System.out.println("Pbes2CryptAlg: " + pfx.pbes2CryptAlg());
    System.out.println("Pbes2HmacAlg: " + pfx.pbes2HmacAlg());

    //  Our output so far:

    //  Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
    //  Pbes2CryptAlg: aes256-cbc
    //  Pbes2HmacAlg: hmacWithSha256

    //  This tells us that the PFX we loaded was protected using triple-DES with SHA1.
    //  (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
    //  The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

    //  Examine the last JSON data collected in the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
    CkJsonObject json = new CkJsonObject();
    pfx.GetLastJsonData(json);

    json.put_EmitCompact(false);
    System.out.println(json.emit());

    //  Sample output

    //  Use this online tool to generate parsing code from sample JSON: 
    //  Generate Parsing Code from JSON

    //  {
    //    "authenticatedSafe": {
    //      "contentInfo": [
    //        {
    //          "type": "Data",
    //          "safeBag": [
    //            {
    //              "type": "pkcs8ShroudedKeyBag",
    //              "attrs": {
    //                "localKeyId": "16444216",
    //                "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
    //                "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
    //              }
    //            }
    //          ]
    //        },
    //        {
    //          "type": "EncryptedData",
    //          "safeBag": [
    //            {
    //              "type": "certBag",
    //              "attrs": {
    //                "localKeyId": "16444216"
    //              },
    //              "subject": "....",
    //              "serialNumber": "9999999999999999999999999999"
    //            },
    //            {
    //              "type": "certBag",
    //              "attrs": {
    //                "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
    //                "friendlyName": "XYZ",
    //                "enhKeyUsage": [
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.2",
    //                    "usage": "clientAuth"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.4",
    //                    "usage": "emailProtection"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.3",
    //                    "usage": "codeSigning"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.8",
    //                    "usage": "timeStamping"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.4.1.311.10.3.4",
    //                    "usage": "encryptedFileSystem"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.5.5.8.2.2",
    //                    "usage": "iKEIntermediate"
    //                  },
    //  
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.6",
    //                    "usage": "ipsecTunnel"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.7",
    //                    "usage": "ipsecUser"
    //                  },
    //                  {
    //                    "oid": "1.3.6.1.5.5.7.3.5",
    //                    "usage": "ipsecEndSystem"
    //                  }
    //                ]
    //              },
    //              "subject": "...",
    //              "serialNumber": "8888888888888888888888888888"
    //            },
    //            {
    //              "type": "certBag",
    //              "subject": "...",
    //              "serialNumber": "777777777777777777777777777"
    //            }
    //          ]
    //        }
    //      ]
    //    }
    //  }

    //  ------------------------------------------------------------------------------------------
    //  OK... now let's change the AlgorithmId to "pbes2" 

    pfx.put_AlgorithmId("pbes2");

    //  We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
    //  Let's set them anyway just for the example...
    pfx.put_Pbes2CryptAlg("aes256-cbc");
    pfx.put_Pbes2HmacAlg("hmacWithSha256");

    //  Rewrite the PFX using pbes2/aes256 + sha256
    success = pfx.ToFile("secret","qa_output/test_secret_aes256.pfx");
    if (success == false) {
        System.out.println(pfx.lastErrorText());
        return;
        }

    System.out.println("Success.");
  }
}