-
Notifications
You must be signed in to change notification settings - Fork 7.3k
crypto.createCredentials PKCS12 not works #4050
Comments
That's because the context doesn't have any enumerable properties, it's glue for a C++ object. What exactly is the problem? |
PKCS12 is password protected container format for other certificates. This operation should resolve from PKCS12 to DER format. Following code writen in PHP and has same operation. <?php
$credentials = array();
$p12 = file_get_contents("privatekey.p12");
$password = 'notasecret';
openssl_pkcs12_read($p12, $credentials, $password);
print_r($credentials); Result:
|
Are you saying that you expect |
I don't know. It is assumed that the operation. There isn't any use case about PKCS12 input on the documentation. There are definitions only on the documentations. http://nodejs.org/api/crypto.html#crypto_crypto_createcredentials_details
Also I found this: |
Sorry, I'm going to close this issue. We're down five messages and I'm still not sure what the question is. |
There is a bug or documentation miss. Documentation says There are definitions about PKCS12 on documentation but there aren't any use case about this functionality. Actually I guess it because PKCS12 is password protected container format for private keys and certificates. I want to documentation improvement if I use wrong this function. Can you to check it? Is it bug? Is it documentation miss? |
Okay, I think I'm following this time.
PKCS12 support in node.js is mostly restricted to the ability to load PFX files which can then be used to set up a TLS server or connection. It's possible to add functionality that lets you extract the key and certificates in PEM format but you'd have to convince me of the why first. If you tell me what parts of the documentation are unclear and why, I'll update them. |
After I have looked But I think this detail may be on this page: http://nodejs.org/api/crypto.html#crypto_crypto_createcredentials_details
It's required for me when i want to make Google Service API client. Google API console provides me PKCS12 certificate for service-service authorization. I should extract PEM private key inside from PKCS12 to signing JWT request in runtime. You can see about information this pages: Also I added part of Official Google PHP API Client's jwt signer: <?php
/*
* Copyright 2011 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* Signs data.
*
* @author Brian Eaton <[email protected]>
*/
abstract class Google_Signer {
/**
* Signs data, returns the signature as binary data.
*/
abstract public function sign($data);
}
/**
* Signs data.
*
* Only used for testing.
*
* @author Brian Eaton <[email protected]>
*/
class Google_P12Signer extends Google_Signer {
// OpenSSL private key resource
private $privateKey;
// Creates a new signer from a .p12 file.
function __construct($p12, $password) {
if (!function_exists('openssl_x509_read')) {
throw new Exception(
'The Google PHP API library needs the openssl PHP extension');
}
// This throws on error
$certs = array();
if (!openssl_pkcs12_read($p12, $certs, $password)) {
throw new Google_AuthException("Unable to parse the p12 file. " .
"Is this a .p12 file? Is the password correct? OpenSSL error: " .
openssl_error_string());
}
// TODO(beaton): is this part of the contract for the openssl_pkcs12_read
// method? What happens if there are multiple private keys? Do we care?
if (!array_key_exists("pkey", $certs) || !$certs["pkey"]) {
throw new Google_AuthException("No private key found in p12 file.");
}
$this->privateKey = openssl_pkey_get_private($certs["pkey"]);
if (!$this->privateKey) {
throw new Google_AuthException("Unable to load private key in ");
}
}
function __destruct() {
if ($this->privateKey) {
openssl_pkey_free($this->privateKey);
}
}
function sign($data) {
if (!openssl_sign($data, $signature, $this->privateKey, "sha256")) {
throw new Google_AuthException("Unable to sign data");
}
return $signature;
}
} |
Okay, reopening the issue. |
@threedot did you get this to work towards the Google API? I am constantly getting an { "error" : "invalid_grant" } it would be great if you could share your code. |
bump, would also like to know how this ended |
See #4070. The short answer is 'not fixed.' |
@MarkNijhof I wrote a simple JWT Encode/Decode App that's compatible with the Google API. It doesn't use the PKCS12 from Google, but instead I've extracted the Public/Private PEM files from the keystore. You can take a look at the code here: All of Google's API Client libraries just extract the private key from the PKCS12 keystore to sign the JWT
|
Anyone aware of plans to resolve this? Would be really useful when signing a piece of data using the PEM key within a p12 cert. |
Until node provides what's needed here, forge could be used as an alternative: https://github.com/digitalbazaar/forge#pkcs12 |
@dlongley, how can forge be used to extract a certificate from a pkcs12 archive? |
@fabiob, I updated the README to show how to get access to a certificate from a safe bag in a pkcs12 archive. But I'll just copy and paste the example here quickly: // decode p12 from base64
var p12Der = forge.util.decode64(p12b64);
// get p12 as ASN.1 object
var p12Asn1 = forge.asn1.fromDer(p12Der);
// decrypt p12
var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, 'password');
// p12.safeContents is an array of safe contents, each of
// which contains an array of safeBags, you can iterate over these
// to find what you want or use the getBags() API below
// get bags by type
var bags = pkcs12.getBags({bagType: forge.pki.oids.certBag});
// each bag as a 'cert' property with the certificate object
var cert = bags[0].cert;
// if you had fetched key bags instead, you can use the 'key' property
// to get the key
// get bags by friendlyName and filter on bag type
var bags = pkcs12.getBags({
friendlyName: 'test',
bagType: forge.pki.oids.certBag
}); Once retrieved from the pkcs12 archive, the |
@indutny do you know if is this resolved in v0.12? |
Does not appear to have ever landed. Marking as a feature request. |
@indutny @bnoordhuis ... any updates on this one? |
What is the profit of doing it in core? PKCS12 is pretty fully described in https://tools.ietf.org/html/rfc7292, and can be parsed using pure javascript ASN.1 parser (moment of self-promotion: https://github.com/indutny/asn1.js ). Do I miss something? |
@indutny ... I definitely don't disagree. I'm inclined to close this one. If someone wishes to pursue this further, http://github.com/nodejs/node would be the right place to discuss it. |
crypto.createCredentials()
don't resolve PKCS12 to PEM pkey and cert.I'm trying to use Google's service API with node.js. But I should use oauth to authorize with p12. Following code don't resolve p12 to der format.
output:
I could resolve p12 with openssl toolkit or php to der format. I'm trying to use der format for signer.
The text was updated successfully, but these errors were encountered: