razzmatazz 0 Posted June 28, 2023

I'm interested in loading a certificate (with any encryption) and saving it with PrivKeyEncTripleDES. The following code:

    GSSLEAY_LOAD_LEGACY := True;
    cert := TX509Base.Create(nil);
    cert.LoadFromP12File('cert.p12', croYes, croYes, 'password');
    cert.SaveToP12File('save.cert.p12', 'password', false, PrivKeyEncTripleDES);
    cert.Free;

loads the cert correctly but raises an exception on saving: "3DES key encryption not supported without legacy module". However, GSSLEAY_LOAD_LEGACY is set to TRUE, which means that the legacy mode is in use.

Anyway, the problem seems to go further, because any attempt to save the file ends in an exception:

    GSSLEAY_LOAD_LEGACY := True;
    cert := TX509Base.Create(nil);
    cert.LoadFromP12File('cert.p12', croYes, croYes, 'password');
    cert.SaveToP12File('save.cert.p12', 'password');
    cert.Free;

SaveToP12File raises "error:06800086:asn1 encoding routines::invalid utf8string", and so does:

    cert.SaveToFile('save.cert.p12', true, true, false, 'password', PrivKeyEncAES256);

which looks like nonsense to me, as I'm not providing any string that could be causing the UTF-8 encoding problem.

In a nutshell: even if I'm interested in saving with PrivKeyEncTripleDES only, I seem to be unable to save any certificate with any encryption. What am I missing?

PS: My certs may include UTF-8 special characters as I'm Spanish, but hopefully this is not a problem for ICS.
Angus Robertson 577 Posted June 28, 2023

Before I spend any time looking at this, can you reproduce it using PemTools? I know this all works since all my Let's Encrypt p12 files use 3DES so they can be loaded by old versions of Windows, in the SslX509Certs unit:

    { V8.67 is 3DES available, prefer that so older versions of Windows will load our PFX file }
    if (ICS_OPENSSL_VERSION_MAJOR < 3) or ICS_OSSL3_LOADED_LEGACY then
        P12KeyCipher := PrivKeyEncTripleDES

Angus
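As an added illustration of the check Angus quotes from SslX509Certs (this is example code written for this page, not code from the thread or from ICS itself), the following console program applies the same version/legacy test before choosing the PKCS12 key cipher, so a build where legacy.dll is missing falls back to AES-256 rather than raising "3DES key encryption not supported without legacy module". It also reports whether the legacy provider actually loaded, which is the first thing to verify when that error appears. The unit names OverbyteIcsWSocket and OverbyteIcsSslX509Utils, the type name TSslPrivKeyCipher, the LoadSsl routine, and the file names and password are assumptions, not taken from the thread.

```pascal
{ Added example, not from the thread or from ICS. Re-saves a PKCS12 file with
  3DES key encryption only when OpenSSL 1.1 or the OpenSSL 3 legacy provider
  is in use; otherwise AES-256. Unit names, TSslPrivKeyCipher, LoadSsl and
  the file/password values are assumptions. }
program ResaveP12;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  OverbyteIcsWSocket,        { assumed unit: TX509Base, GSSLEAY_LOAD_LEGACY, ICS_OSSL3_LOADED_LEGACY, LoadSsl }
  OverbyteIcsSslX509Utils;   { assumed unit: PrivKeyEnc* cipher constants }

{ Same rule as the SslX509Certs snippet: 3DES is only available on OpenSSL 1.1
  or on OpenSSL 3 with the legacy provider loaded. }
function ChoosePkcs12KeyCipher: TSslPrivKeyCipher;
begin
  if (ICS_OPENSSL_VERSION_MAJOR < 3) or ICS_OSSL3_LOADED_LEGACY then
    Result := PrivKeyEncTripleDES
  else
    Result := PrivKeyEncAES256;
end;

procedure ResaveWithBestCipher(const SrcFile, DstFile, Password: String);
var
  Cert: TX509Base;
  Cipher: TSslPrivKeyCipher;
begin
  Cert := TX509Base.Create(nil);
  try
    { croYes: fail if the certificate or private key is missing from the file }
    Cert.LoadFromP12File(SrcFile, croYes, croYes, Password);
    Cipher := ChoosePkcs12KeyCipher;
    if Cipher = PrivKeyEncTripleDES then
      WriteLn('Legacy provider available: saving private key with 3DES')
    else
      WriteLn('Legacy provider not loaded: saving with AES-256 (old Windows cannot import this)');
    { third argument False: do not include intermediate certificates }
    Cert.SaveToP12File(DstFile, Password, False, Cipher);
  finally
    Cert.Free;
  end;
end;

begin
  try
    { Must be set before the OpenSSL DLLs are loaded, otherwise legacy.dll is never requested }
    GSSLEAY_LOAD_LEGACY := True;
    LoadSsl;   { assumed: loads libcrypto/libssl (and legacy.dll when requested) }
    if (ICS_OPENSSL_VERSION_MAJOR >= 3) and (not ICS_OSSL3_LOADED_LEGACY) then
      WriteLn('Warning: legacy provider did not load; check legacy.dll sits beside libcrypto-3.dll');
    ResaveWithBestCipher('cert.p12', 'save.cert.p12', 'password');   { placeholder names }
  except
    on E: Exception do
      WriteLn('Error: ', E.ClassName, ': ', E.Message);
  end;
end.
```

The point of the warning line is that GSSLEAY_LOAD_LEGACY only expresses a request; whether the provider actually loaded is what ICS_OSSL3_LOADED_LEGACY records after the DLLs are loaded, and that is the flag the cipher choice must be based on.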
razzmatazz 0 Posted June 28, 2023

Thanks for the speedy response, Angus! I'm not familiar with PEM Tools, but I can give it a try. However, suspecting that I was doing something wrong, yesterday I added a button to PEM Tools:

    procedure TfrmPemTool1.Button1Click(Sender: TObject);
    var
      cert: TX509Base;
    begin
      cert := TX509Base.Create(nil);
      cert.LoadFromFile('cert3.p12', croTry, croTry, 'pw');
      cert.SaveToP12File('save.cert3.p12', 'pw', false, PrivKeyEncTripleDES);
      cert.Free;
    end;

Same result. 😕 "3DES key encryption not supported without legacy module"

Is this similar to my manual test on PEM Tools?
razzmatazz 0 Posted June 28, 2023 (edited)

OK, this is what I did in PEM Tools, just checking with you:

- Went to the "Create certificates" tab
- Loaded one of mine, importing the private key
- I used the "Save PKCS12 cert" button at the bottom; an exception arose: 'error:0588000D:x509 certificate routines::ASN1 lib'
- As I couldn't see the encryption anywhere here, I looked for it in a different tab. I found it in the next tab, called "New cert properties". There I selected "Triple DES".
- Back to the previous tab, I hit the save button: '3DES key encryption not supported without legacy module'
- With AES256 it came back with 'Error creating PKCS12 certificate - error:0588000D:x509 certificate routines::ASN1 lib'

Does this test help? Thanks A LOT for your help.

Edited June 28, 2023 by razzmatazz
Angus Robertson 577 Posted June 28, 2023

Do you actually have legacy.dll in the same directory as the other OpenSSL DLLs? PemTool About should say:

    SSL Version: OpenSSL 3.1.1 30 May 2023
    Dir: C:\DelphiComp\ics\Samples\Delphi\SslInternet\libcrypto-3.dll
    Legacy Provider Loaded OK
    Compiler: Delphi 11.3 Win32

Angus
razzmatazz 0 Posted June 28, 2023 (edited)

Thanks, Angus. Yes, I have LEGACY.DLL in the folder. My About window says:

    PEM Certificate Tool (c) 2003-2022 by François PIETTE V8.70 Oct 20, 2022
    TWSocket (c) 1996-2022 Francois Piette V8.70
    SSL Version: OpenSSL 3.0.7 1 Nov 2022
    Dir: C:\Delphi7\ICS\Samples\Delphi\Ssllnternet\libcrypto-3.dll
    Legacy Provider Loaded OK
    Compiler: Delphi 7 Win32

Edited June 28, 2023 by razzmatazz
Angus Robertson 577 Posted June 28, 2023

Sorry, no more suggestions, there is no reason to get all those OpenSSL errors. Can PemTool open existing P12/PFX files with a password? My PemTool built last week with Delphi 2007 works fine. I'll test PemTool on Delphi 7, but it won't be for a couple of weeks until I do the final new release.

Angus