(Tcl) Set .pfx/.p12 Safe Bag Attributes

Demonstrates how to set safebag attributes in a .pfx/.p12. This example creates a .pfx from a .pem containing a private key and certificates, but also sets PFX safebag attributes before writing the .pfx.

Chilkat Tcl Extension Downloads Chilkat Tcl Extension Downloads

load ./chilkat.dll

# We have a PEM containing one private key, and two certificates:
# The private key is an ECDSA private key.
# The private key is associated with the 1st certificate.
# The 2nd certificate is the issuer of the 1st certificate.

# -----BEGIN PRIVATE KEY-----
# ME0CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEMzAxAgEBBCDgAn4Dal+0iEhIsYBk
# 6SdSR344vyj0suhOIxsjmM19s6AKBggqhkjOPQMBBw==
# -----END PRIVATE KEY-----
# -----BEGIN CERTIFICATE-----
# MIIBXzCCAQSgAwIBAgIUGp2obfF61BG7QTsqpyT+VvxxJC0wCgYIKoZIzj0EAwIw
# DTELMAkGA1UEAwwCQ0EwHhcNMjAwMzI5MTU1MTEwWhcNMzAwMzI3MTU1MTEwWjAN
# MQswCQYDVQQDDAJFRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEil+DhBUss8
# kMCjEWvZHA+jdy1mQ76a2HFd+5p+AcFGQxNeG8/HXZax7FFzcrczWrli25R8P8j1
# cqhwPY4HtwujQjBAMB0GA1UdDgQWBBTenwm6x4A4W5BzZ2OckKA2IFtPSTAfBgNV
# HSMEGDAWgBTx1U/gWiRhAASl6FV04DxP3XmcazAKBggqhkjOPQQDAgNJADBGAiEA
# rkqbz5t1M/CjqXSKE5ebBLQ3npF+q7GRC8C2ovDi/xoCIQDGve7OP/ppIDcCNonr
# +WSRf5M/6Wvw1lnEsAXf3nLTeQ==
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# MIIBcDCCARWgAwIBAgIUAnQiKKy/PdLnH0A6vYKBq21w1JAwCgYIKoZIzj0EAwIw
# DTELMAkGA1UEAwwCQ0EwHhcNMjAwMzI5MTU1MTEwWhcNMzAwMzI3MTU1MTEwWjAN
# MQswCQYDVQQDDAJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPB6yVvqt8cL
# EneRtnjoi87H0ATi+JP1w2qkz4GLOaPtFxAnV0LdQCuN91SGbAlKrSkhFyWWimjh
# Rqe9+b/1WCijUzBRMB0GA1UdDgQWBBTx1U/gWiRhAASl6FV04DxP3XmcazAfBgNV
# HSMEGDAWgBTx1U/gWiRhAASl6FV04DxP3XmcazAPBgNVHRMBAf8EBTADAQH/MAoG
# CCqGSM49BAMCA0kAMEYCIQCcIfssfrOruVYvqhxbLGeyc5ppEX53zUU35wIE2t7C
# fAIhAKhOTEvN+pdEn+cNwW3AEi7D08ZUQx3P80i4EnFPs0OQ
# -----END CERTIFICATE-----

set pfx [new_CkPfx]

set sbPem [new_CkStringBuilder]

set success [CkStringBuilder_LoadFile $sbPem "qa_data/pfx/test_ecdsa.pem" "utf-8"]
if {$success == 0} then {
    puts "Failed to load the PEM file."
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

# The PEM in this example is unencrypted.  There is no password.
set password ""
set success [CkPfx_LoadPem $pfx [CkStringBuilder_getAsString $sbPem] $password]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

# Let's add some safebag attributes for the private key...
set forPrivateKey 1
set keyIdx 0
set success [CkPfx_SetSafeBagAttr $pfx $forPrivateKey $keyIdx "localKeyId" "16777216" "decimal"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

set success [CkPfx_SetSafeBagAttr $pfx $forPrivateKey $keyIdx "keyContainerName" "{B99EB9E7-6AF7-42AF-A43A-D4B2225B7605}" "ascii"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

set success [CkPfx_SetSafeBagAttr $pfx $forPrivateKey $keyIdx "storageProvider" "Microsoft Software Key Storage Provider" "ascii"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

# Add the localKeyId safebag attribute to the 1st certificate.
set forPrivateKey 0
set certIdx 0
set success [CkPfx_SetSafeBagAttr $pfx $forPrivateKey $certIdx "localKeyId" "16777216" "decimal"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

# Write the pfx.
set success [CkPfx_ToFile $pfx "secret" "qa_output/ee.pfx"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    exit
}

# Let's load the .pfx we just wrote to see if the safebag attributes exist.
set pfx2 [new_CkPfx]

set success [CkPfx_LoadPfxFile $pfx2 "qa_output/ee.pfx" "secret"]
if {$success == 0} then {
    puts [CkPfx_lastErrorText $pfx2]
    delete_CkPfx $pfx
    delete_CkStringBuilder $sbPem
    delete_CkPfx $pfx2
    exit
}

# After calling LoadPfxFile, the LastJsonData shows what's in the loaded PFX.
# json is a CkJsonObject
set json [CkPfx_LastJsonData $pfx2]
CkJsonObject_put_EmitCompact $json 0
puts [CkJsonObject_emit $json]
delete_CkJsonObject $json

# The LastJsonData shows what's in the PFX just loaded:

# {
#   "authenticatedSafe": {
#     "contentInfo": [
#       {
#         "type": "Data",
#         "safeBag": [
#           {
#             "type": "pkcs8ShroudedKeyBag",
#             "attrs": {
#               "keyContainerName": "{B99EB9E7-6AF7-42AF-A43A-D4B2225B7605}",
#               "msStorageProvider": "Microsoft Software Key Storage Provider",
#               "localKeyId": "16777216"
#             }
#           }
#         ]
#       },
#       {
#         "type": "EncryptedData",
#         "safeBag": [
#           {
#             "type": "certBag",
#             "attrs": {
#               "localKeyId": "16777216"
#             },
#             "subject": "EE",
#             "serialNumber": "1a9da86df17ad411bb413b2aa724fe56fc71242d"
#           },
#           {
#             "type": "certBag",
#             "subject": "CA",
#             "serialNumber": "02742228acbf3dd2e71f403abd8281ab6d70d490"
#           }
#         ]
#       }
#     ]
#   }
# }

delete_CkPfx $pfx
delete_CkStringBuilder $sbPem
delete_CkPfx $pfx2