Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 files
From
Anonymous@none@example.net to
alt.comp.os.windows-11,comp.misc,misc.phone.mobile.iphone,sci.crypt on Wed Apr 3 05:26:58 2024
From Newsgroup: comp.misc
I have an S/MIME certificate with a private key, exported from Windows 11
that I need to import into Outlook for iOS. I select AES256-SHA256, and
this is how it's encrypted in the PFX file upon export, according to
OpenSSL:
MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256 PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX
file to myself. Outlook uses Apple's Keychain functionality, and Keychain
can't decrypt the PFX file. It doesn't even give a proper error message,
just that the password is "incorrect". This occurs on macOS as well.
The only way around this problem is to choose 'TripleDES-SHA1' instead of 'AES256-SHA256' when exporting from Windows:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
But if I'm not mistaken, Triple DES is deprecated, currently disallowed by NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting
PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.
So what the hell am I supposed to do? Set up my own mail server with TLS to send one lousy file, or send it through my Google account and pray that the
god damn glow-in-the-darks don't vacuum it up?
Maybe Apple should fix this?
--- Synchronet 3.20a-Linux NewsLink 1.114