Sample code for 30+ languages & platforms
PureBasic

Rewrite PFX using AES256-SHA256

See more PFX/P12 Examples

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Chilkat PureBasic Downloads

PureBasic
IncludeFile "CkPfx.pb"
IncludeFile "CkJsonObject.pb"

Procedure ChilkatExample()

    success.i = 0

    pfx.i = CkPfx::ckCreate()
    If pfx.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    ; Let's load a .pfx and examine the encryption algorithms used to protect the private key:
    success = CkPfx::ckLoadPfxFile(pfx,"qa_data/pfx/test_secret.pfx","secret")
    If success = 0
        Debug CkPfx::ckLastErrorText(pfx)
        CkPfx::ckDispose(pfx)
        ProcedureReturn
    EndIf

    ; Examine the algorithms:

    ; "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
    Debug "Algorithm: " + CkPfx::ckAlgorithmId(pfx)

    ; If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
    ; (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
    Debug "Pbes2CryptAlg: " + CkPfx::ckPbes2CryptAlg(pfx)
    Debug "Pbes2HmacAlg: " + CkPfx::ckPbes2HmacAlg(pfx)

    ; Our output so far:

    ; Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
    ; Pbes2CryptAlg: aes256-cbc
    ; Pbes2HmacAlg: hmacWithSha256

    ; This tells us that the PFX we loaded was protected using triple-DES with SHA1.
    ; (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
    ; The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.

    ; Examine the last JSON data collected in the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
    json.i = CkJsonObject::ckCreate()
    If json.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkPfx::ckGetLastJsonData(pfx,json)

    CkJsonObject::setCkEmitCompact(json, 0)
    Debug CkJsonObject::ckEmit(json)

    ; Sample output

    ; Use this online tool to generate parsing code from sample JSON: 
    ; Generate Parsing Code from JSON

    ; {
    ;   "authenticatedSafe": {
    ;     "contentInfo": [
    ;       {
    ;         "type": "Data",
    ;         "safeBag": [
    ;           {
    ;             "type": "pkcs8ShroudedKeyBag",
    ;             "attrs": {
    ;               "localKeyId": "16444216",
    ;               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
    ;               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
    ;             }
    ;           }
    ;         ]
    ;       },
    ;       {
    ;         "type": "EncryptedData",
    ;         "safeBag": [
    ;           {
    ;             "type": "certBag",
    ;             "attrs": {
    ;               "localKeyId": "16444216"
    ;             },
    ;             "subject": "....",
    ;             "serialNumber": "9999999999999999999999999999"
    ;           },
    ;           {
    ;             "type": "certBag",
    ;             "attrs": {
    ;               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
    ;               "friendlyName": "XYZ",
    ;               "enhKeyUsage": [
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.2",
    ;                   "usage": "clientAuth"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.4",
    ;                   "usage": "emailProtection"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.3",
    ;                   "usage": "codeSigning"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.8",
    ;                   "usage": "timeStamping"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.4.1.311.10.3.4",
    ;                   "usage": "encryptedFileSystem"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.8.2.2",
    ;                   "usage": "iKEIntermediate"
    ;                 },
    ; 
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.6",
    ;                   "usage": "ipsecTunnel"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.7",
    ;                   "usage": "ipsecUser"
    ;                 },
    ;                 {
    ;                   "oid": "1.3.6.1.5.5.7.3.5",
    ;                   "usage": "ipsecEndSystem"
    ;                 }
    ;               ]
    ;             },
    ;             "subject": "...",
    ;             "serialNumber": "8888888888888888888888888888"
    ;           },
    ;           {
    ;             "type": "certBag",
    ;             "subject": "...",
    ;             "serialNumber": "777777777777777777777777777"
    ;           }
    ;         ]
    ;       }
    ;     ]
    ;   }
    ; }

    ; ------------------------------------------------------------------------------------------
    ; OK... now let's change the AlgorithmId to "pbes2" 

    CkPfx::setCkAlgorithmId(pfx, "pbes2")

    ; We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
    ; Let's set them anyway just for the example...
    CkPfx::setCkPbes2CryptAlg(pfx, "aes256-cbc")
    CkPfx::setCkPbes2HmacAlg(pfx, "hmacWithSha256")

    ; Rewrite the PFX using pbes2/aes256 + sha256
    success = CkPfx::ckToFile(pfx,"secret","qa_output/test_secret_aes256.pfx")
    If success = 0
        Debug CkPfx::ckLastErrorText(pfx)
        CkPfx::ckDispose(pfx)
        CkJsonObject::ckDispose(json)
        ProcedureReturn
    EndIf

    Debug "Success."


    CkPfx::ckDispose(pfx)
    CkJsonObject::ckDispose(json)


    ProcedureReturn
EndProcedure