Use of TX509Base.SaveToFile()

[razzmatazz 0]

I'm interested in loading a certificate (with any encryption) and save it with PrivKeyEncTripleDES. The following code:

GSSLEAY_LOAD_LEGACY := True;
cert := TX509Base.Create(nil);
cert.LoadFromP12File('cert.p12',croYes,croYes,'password');
cert.SaveToP12File('save.cert.p12','password',false,PrivKeyEncTripleDES);
cert.Free;

loads the cert correctly but raises an exception on saving: "3DES key encryption not supported without legacy module". However, GSSLEAY_LOAD_LEGACY is set to TRUE, what means that the legacy mode is in use.

 

Anyway, the problem seems to go further, because any attempt to try and save the file ends in exception:

GSSLEAY_LOAD_LEGACY := True;
cert := TX509Base.Create(nil);
cert.LoadFromP12File('cert.p12',croYes,croYes,'password');
cert.SaveToP12File('save.cert.p12','password');
cert.Free;

SaveToP12File raises "error:06800086:asn1 encoding routines::invalid utf8string", and so it does:

cert.SaveToFile('save.cert.p12',true,true,false,'password',PrivKeyEncAES256);

what looks like nonsense to me as I'm not providing any string that could be causing the utf8 encoding problem.

 

In a nutshell: even if I'm interested in saving PrivKeyEncTripleDES only, I seem to be unable to save any certificate with any encryption.

What am I missing?

 

PD: My certs may include utf8 special characters as I'm Spanish, but hopefully this is not a problem for ICS

 

[Angus Robertson 574]

Before I spend any time looking at this, can you reproduce it using PemTools. 

 

I know this all works since all my Let's Encrypt p12 files use 3DES so they can be loaded by old versions of Windows, in the SslX509Certs unit:

 

     { V8.67 is 3DES available, prefer that so older versions of Windows will load our PFX file }
        if (ICS_OPENSSL_VERSION_MAJOR < 3) or ICS_OSSL3_LOADED_LEGACY then
            P12KeyCipher := PrivKeyEncTripleDES

 

Angus

 

[razzmatazz 0]

Thanks for the speedy response, Angus!

 

I'm not familiar to PEM Tools, but I can give it a try. However, suspecting that I was doing anything wrong, yesterday I added a button to PEM Tools:

procedure TfrmPemTool1.Button1Click(Sender: TObject);
var cert: TX509Base;
begin
  cert := TX509Base.Create(nil);
  cert.LoadFromFile('cert3.p12',croTry,croTry,'pw');
  cert.SaveToP12File('save.cert3.p12','pw',false,PrivKeyEncTripleDES);
  cert.Free;
end;

Same result. 😕 "3DES key encryption not supported without legacy module"

 

Is this similar to my manual test on PEM Tools?

[razzmatazz 0]

OK, this is what I did in PEM Tools, just checking with you:

1. Went to "Create certificates" tab
2. Loaded one of mine importing private key
3. I used the "Save PKCS12 cert" button down - exception arose: 'error:0588000D:x509 certificate routines::ASN1 lib'
4. As I couldn't see the encryption anywhere here, I looked for it in a different tab. I found it in the next tab, called "New cert properties". There I selected "Triple DES"
5. Back to the previous tab, I hit the save button: '3DES key encryption not supported without legacy module'
6. With AES256 it came 'Error creating PKCS12 certificate - error:0588000D:x509 certificate routines::ASN1 lib'

Does this test help?

Thanks A LOT for your help.

Edited June 28, 2023 by razzmatazz

[Angus Robertson 574]

Do you actually have legacy.dll in the same directory as the other OpenSSL DLLs?

 

PemTool About should say:

 

SSL Version: OpenSSL 3.1.1 30 May 2023
Dir: C:\DelphiComp\ics\Samples\Delphi\SslInternet\libcrypto-3.dll
Legacy Provider Loaded OK
Compiler: Delphi 11.3 Win32

 

Angus

 

[razzmatazz 0]

Thanks, Angus.

 

Yes, I have LEGACY.DLL in the folder. My about window says:

 

PEM Certificate Tool

(c) 2003-2022 by François PIETTE V8.70 Oct 20, 2022

TWSocket (c) 1996-2022 Francois Piette V8.70

SSL Version: OpenSSL 3.0.7 1 Nov 2022

Dir: C:\Delphi7\ICS\Samples\Delphi\Ssllnternet\libcrypto-3.dll

Legacy Provider Loaded OK

Compiler: Delphi 7 Win32

Edited June 28, 2023 by razzmatazz

[Angus Robertson 574]

Sorry, no more suggestions, there is no reason to get all those OpenSSL errors. 

 

Can PemTool open existing P12/PFX files with a password?  My PemTool built last week with Delphi 2007 works fine. 

 

I'll test PemTool on Delphi 7, but it won't be for a couple of weeks until I do the final new release.

 

Angus