(VB.NET) Rewrite PFX using AES256-SHA256

Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256.

Note: This example requires Chilkat v9.5.0.83 or greater.

Chilkat .NET Downloads Chilkat .NET Framework Chilkat for .NET Core

' This example requires Chilkat v9.5.0.83 or greater.

Dim pfx As New Chilkat.Pfx

' Let's load a .pfx and examine the encryption algorithms used to protect the private key:
Dim success As Boolean = pfx.LoadPfxFile("qa_data/pfx/test_secret.pfx","secret")
If (success = False) Then
    Debug.WriteLine(pfx.LastErrorText)
    Exit Sub
End If


' Examine the algorithms:

' "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"?
Debug.WriteLine("Algorithm: " & pfx.AlgorithmId)

' If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2.
' (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.)
Debug.WriteLine("Pbes2CryptAlg: " & pfx.Pbes2CryptAlg)
Debug.WriteLine("Pbes2HmacAlg: " & pfx.Pbes2HmacAlg)

' Our output so far:

' Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC
' Pbes2CryptAlg: aes256-cbc
' Pbes2HmacAlg: hmacWithSha256

' This tells us that the PFX we loaded was protected using triple-DES with SHA1.
' (Most existing .pfx/.p12 files use 3DES w/ SHA1.)
' The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2".  We can ignore those values.


' Examine the LastJsonData for the call to LoadPfxFile.  This gives us information about what is contained in the PFX, including extended attributes.
Dim json As Chilkat.JsonObject = pfx.LastJsonData()
json.EmitCompact = False
Debug.WriteLine(json.Emit())



' Here's a sample LastJsonData:

' Use this online tool to generate parsing code from sample JSON: 
' Generate Parsing Code from JSON

' {
'   "authenticatedSafe": {
'     "contentInfo": [
'       {
'         "type": "Data",
'         "safeBag": [
'           {
'             "type": "pkcs8ShroudedKeyBag",
'             "attrs": {
'               "localKeyId": "16444216",
'               "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}",
'               "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0"
'             }
'           }
'         ]
'       },
'       {
'         "type": "EncryptedData",
'         "safeBag": [
'           {
'             "type": "certBag",
'             "attrs": {
'               "localKeyId": "16444216"
'             },
'             "subject": "....",
'             "serialNumber": "9999999999999999999999999999"
'           },
'           {
'             "type": "certBag",
'             "attrs": {
'               "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=",
'               "friendlyName": "XYZ",
'               "enhKeyUsage": [
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.2",
'                   "usage": "clientAuth"
'                 },
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.4",
'                   "usage": "emailProtection"
'                 },
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.3",
'                   "usage": "codeSigning"
'                 },
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.8",
'                   "usage": "timeStamping"
'                 },
'                 {
'                   "oid": "1.3.6.1.4.1.311.10.3.4",
'                   "usage": "encryptedFileSystem"
'                 },
'                 {
'                   "oid": "1.3.6.1.5.5.8.2.2",
'                   "usage": "iKEIntermediate"
'                 },
' 
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.6",
'                   "usage": "ipsecTunnel"
'                 },
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.7",
'                   "usage": "ipsecUser"
'                 },
'                 {
'                   "oid": "1.3.6.1.5.5.7.3.5",
'                   "usage": "ipsecEndSystem"
'                 }
'               ]
'             },
'             "subject": "...",
'             "serialNumber": "8888888888888888888888888888"
'           },
'           {
'             "type": "certBag",
'             "subject": "...",
'             "serialNumber": "777777777777777777777777777"
'           }
'         ]
'       }
'     ]
'   }
' }

' ------------------------------------------------------------------------------------------
' OK... now let's change the AlgorithmId to "pbes2" 

pfx.AlgorithmId = "pbes2"

' We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256".
' Let's set them anyway just for the example...
pfx.Pbes2CryptAlg = "aes256-cbc"
pfx.Pbes2HmacAlg = "hmacWithSha256"

' Rewrite the PFX using pbes2/aes256 + sha256
success = pfx.ToFile("secret","qa_output/test_secret_aes256.pfx")
If (success = False) Then
    Debug.WriteLine(pfx.LastErrorText)
    Exit Sub
End If


Debug.WriteLine("Success.")