• Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 fil

    From Anonymous@21:1/5 to All on Wed Apr 3 05:26:58 2024
    XPost: alt.comp.os.windows-11, misc.phone.mobile.iphone, sci.crypt

    I have an S/MIME certificate with a private key, exported from Windows 11
    that I need to import into Outlook for iOS. I select AES256-SHA256, and
    this is how it's encrypted in the PFX file upon export, according to
    OpenSSL:

    MAC: sha256, Iteration 2000
    MAC length: 32, salt length: 20
    PKCS7 Data
    Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
    PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256

    So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX
    file to myself. Outlook uses Apple's Keychain functionality, and Keychain
    can't decrypt the PFX file. It doesn't even give a proper error message,
    just that the password is "incorrect". This occurs on macOS as well.

    The only way around this problem is to choose 'TripleDES-SHA1' instead of 'AES256-SHA256' when exporting from Windows:

    MAC: sha1, Iteration 2000
    MAC length: 20, salt length: 20
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
    PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000

    But if I'm not mistaken, Triple DES is deprecated, currently disallowed by NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting
    PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.

    So what the hell am I supposed to do? Set up my own mail server with TLS to send one lousy file, or send it through my Google account and pray that the
    god damn glow-in-the-darks don't vacuum it up?

    Maybe Apple should fix this?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anonymous@21:1/5 to Anonymous on Thu Jul 25 02:40:45 2024
    XPost: alt.comp.os.windows-11, misc.phone.mobile.iphone, sci.crypt

    On 4/3/24 5:26 AM, Anonymous wrote:
    > I have an S/MIME certificate with a private key, exported from Windows 11 that I need to import into Outlook for iOS. I select AES256-SHA256, and
    > this is how it's encrypted in the PFX file upon export, according to
    > OpenSSL:
    >
    > MAC: sha256, Iteration 2000
    > MAC length: 32, salt length: 20
    > PKCS7 Data
    > Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
    > PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
    >
    > So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX file to myself. Outlook uses Apple's Keychain functionality, and Keychain can't decrypt the PFX file. It doesn't even give a proper error message,
    > just that the password is "incorrect". This occurs on macOS as well.
    >
    > The only way around this problem is to choose 'TripleDES-SHA1' instead of 'AES256-SHA256' when exporting from Windows:
    >
    > MAC: sha1, Iteration 2000
    > MAC length: 20, salt length: 20
    > PKCS7 Data
    > Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
    > PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
    >
    > But if I'm not mistaken, Triple DES is deprecated, currently disallowed by NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.
    >
    > So what the hell am I supposed to do? Set up my own mail server with TLS to send one lousy file, or send it through my Google account and pray that the god damn glow-in-the-darks don't vacuum it up?
    >
    > Maybe Apple should fix this?

    This is fixed as of the macOS 15.0 (Sequoia) and iOS 18.0 betas. Thanks
    to whoever did so.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
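
Added example, not part of either post: a small Python parser for the OpenSSL dumps quoted in the thread, reporting the MAC and per-bag encryption and listing the SHA-1 / Triple DES items. The function names and report layout are assumptions of this example, and the sample input is constructed from the two dumps above.

```python
import re

# Constructed sample input: the two OpenSSL dumps quoted in the thread.
AES_EXPORT = """\
MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
"""
TDES_EXPORT = """\
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
"""

MAC_RE = re.compile(r"^MAC: ([\w-]+), Iteration (\d+)")
BAG_RE = re.compile(r"^(Shrouded Keybag|PKCS7 Encrypted data): (.+)$")

def parse_p12_info(text):
    """Parse the MAC line and the per-bag encryption lines; ignore everything else."""
    report = {"mac": None, "mac_iterations": None, "bags": []}
    for line in map(str.strip, text.splitlines()):
        if m := MAC_RE.match(line):
            report["mac"], report["mac_iterations"] = m[1].lower(), int(m[2])
        elif m := BAG_RE.match(line):
            fields = [f.strip() for f in m[2].split(",")]
            pbes2 = fields[0] == "PBES2"
            # PBES2 lines read "PBES2, <kdf>, <cipher>, ..."; older schemes lead with one name.
            cipher = fields[2] if pbes2 and len(fields) > 2 else fields[0]
            iters = [int(f.split()[1]) for f in fields if f.startswith("Iteration ")]
            report["bags"].append({"bag": m[1], "pbes2": pbes2, "cipher": cipher,
                                   "iterations": iters[0] if iters else None})
    return report

def weak_points(report):
    """List the legacy primitives in a parsed report: SHA-1 MAC, non-PBES2 bags."""
    issues = []
    if report["mac"] == "sha1":
        issues.append("MAC: sha1")
    issues += [f"{b['bag']}: {b['cipher']}" for b in report["bags"] if not b["pbes2"]]
    return issues

if __name__ == "__main__":
    for name, dump in (("AES256-SHA256", AES_EXPORT), ("TripleDES-SHA1", TDES_EXPORT)):
        print(name, weak_points(parse_p12_info(dump)) or "no legacy primitives")
```

To check a real file, pass the text produced by `openssl pkcs12 -in file.pfx -info -noout 2>&1` to `parse_p12_info`; the thread does not show the exact command used, so that invocation is an assumption.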