(PowerBuilder) Rewrite PFX using AES256-SHA256

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Note: This example requires Chilkat v9.5.0.83 or greater.

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows

integer li_rc
oleobject loo_Pfx
integer li_Success
oleobject loo_Json

// This example requires Chilkat v9.5.0.83 or greater.

loo_Pfx = create oleobject
// Use "Chilkat_9_5_0.Pfx" for versions of Chilkat < 10.0.0
li_rc = loo_Pfx.ConnectToNewObject("Chilkat.Pfx")
if li_rc < 0 then
    destroy loo_Pfx
    MessageBox("Error","Connecting to COM object failed")
    return
end if

// Let's load a .pfx and examine the encryption algorithms used to protect the private key:
li_Success = loo_Pfx.LoadPfxFile("qa_data/pfx/test_secret.pfx","secret")
if li_Success = 0 then
    Write-Debug loo_Pfx.LastErrorText
    destroy loo_Pfx
    return
end if

// Examine the algorithms:

// "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
Write-Debug "Algorithm: " + loo_Pfx.AlgorithmId

// If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
// (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
Write-Debug "Pbes2CryptAlg: " + loo_Pfx.Pbes2CryptAlg
Write-Debug "Pbes2HmacAlg: " + loo_Pfx.Pbes2HmacAlg

// Our output so far:

// Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
// Pbes2CryptAlg: aes256-cbc
// Pbes2HmacAlg: hmacWithSha256

// This tells us that the PFX we loaded was protected using triple-DES with SHA1.
// (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
// The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

// Examine the LastJsonData for the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
loo_Json = loo_Pfx.LastJsonData()
loo_Json.EmitCompact = 0
Write-Debug loo_Json.Emit()

destroy loo_Json

// Here's a sample LastJsonData:

// Use this online tool to generate parsing code from sample JSON: 
// Generate Parsing Code from JSON

// {
//   "authenticatedSafe": {
//     "contentInfo": [
//       {
//         "type": "Data",
//         "safeBag": [
//           {
//             "type": "pkcs8ShroudedKeyBag",
//             "attrs": {
//               "localKeyId": "16444216",
//               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
//               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
//             }
//           }
//         ]
//       },
//       {
//         "type": "EncryptedData",
//         "safeBag": [
//           {
//             "type": "certBag",
//             "attrs": {
//               "localKeyId": "16444216"
//             },
//             "subject": "....",
//             "serialNumber": "9999999999999999999999999999"
//           },
//           {
//             "type": "certBag",
//             "attrs": {
//               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
//               "friendlyName": "XYZ",
//               "enhKeyUsage": [
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.2",
//                   "usage": "clientAuth"
//                 },
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.4",
//                   "usage": "emailProtection"
//                 },
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.3",
//                   "usage": "codeSigning"
//                 },
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.8",
//                   "usage": "timeStamping"
//                 },
//                 {
//                   "oid": "1.3.6.1.4.1.311.10.3.4",
//                   "usage": "encryptedFileSystem"
//                 },
//                 {
//                   "oid": "1.3.6.1.5.5.8.2.2",
//                   "usage": "iKEIntermediate"
//                 },
// 
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.6",
//                   "usage": "ipsecTunnel"
//                 },
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.7",
//                   "usage": "ipsecUser"
//                 },
//                 {
//                   "oid": "1.3.6.1.5.5.7.3.5",
//                   "usage": "ipsecEndSystem"
//                 }
//               ]
//             },
//             "subject": "...",
//             "serialNumber": "8888888888888888888888888888"
//           },
//           {
//             "type": "certBag",
//             "subject": "...",
//             "serialNumber": "777777777777777777777777777"
//           }
//         ]
//       }
//     ]
//   }
// }

// ------------------------------------------------------------------------------------------
// OK... now let's change the AlgorithmId to "pbes2" 

loo_Pfx.AlgorithmId = "pbes2"

// We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
// Let's set them anyway just for the example...
loo_Pfx.Pbes2CryptAlg = "aes256-cbc"
loo_Pfx.Pbes2HmacAlg = "hmacWithSha256"

// Rewrite the PFX using pbes2/aes256 + sha256
li_Success = loo_Pfx.ToFile("secret","qa_output/test_secret_aes256.pfx")
if li_Success = 0 then
    Write-Debug loo_Pfx.LastErrorText
    destroy loo_Pfx
    return
end if

Write-Debug "Success."


destroy loo_Pfx