Rocksolid Light

News from da outaworlds

mail  files  register  groups  login

Message-ID:  

Try to value useful qualities in one who loves you.

sci / sci.crypt / Re: Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 files

SubjectAuthor
* Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 filesAnonymous
`- Re: Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 filesAnonymous

1
Subject: Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 files
From: Anonymous
Newsgroups: alt.comp.os.windows-11, comp.misc, misc.phone.mobile.iphone, sci.crypt
Organization: Mixmin
Date: Wed, 3 Apr 2024 09:26 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!news.mixmin.net!.POSTED!not-for-mail
From: none@example.net (Anonymous)
Newsgroups: alt.comp.os.windows-11,comp.misc,misc.phone.mobile.iphone,sci.crypt
Subject: Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12
files
Date: Wed, 3 Apr 2024 05:26:58 -0400
Organization: Mixmin
Message-ID: <uuj7d2$1sp3n$1@news.mixmin.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 3 Apr 2024 09:26:59 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="c4af4a3027e8317d29ea238d8aa6bb2f616aa3fc";
logging-data="1991799"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
View all headers

I have an S/MIME certificate with a private key, exported from Windows 11
that I need to import into Outlook for iOS. I select AES256-SHA256, and
this is how it's encrypted in the PFX file upon export, according to
OpenSSL:

MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256

So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX
file to myself. Outlook uses Apple's Keychain functionality, and Keychain
can't decrypt the PFX file. It doesn't even give a proper error message,
just that the password is "incorrect". This occurs on macOS as well.

The only way around this problem is to choose 'TripleDES-SHA1' instead of
'AES256-SHA256' when exporting from Windows:

MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000

But if I'm not mistaken, Triple DES is deprecated, currently disallowed by
NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting
PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.

So what the hell am I supposed to do? Set up my own mail server with TLS to
send one lousy file, or send it through my Google account and pray that the
god damn glow-in-the-darks don't vacuum it up?

Maybe Apple should fix this?

Subject: Re: Apple Keychain's GAY ASS incompatibility with AES encrypted PKCS-12 files
From: Anonymous
Newsgroups: alt.comp.os.windows-11, comp.misc, misc.phone.mobile.iphone, sci.crypt
Organization: Mixmin
Date: Thu, 25 Jul 2024 06:40 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!news.mixmin.net!.POSTED!not-for-mail
From: none@example.net (Anonymous)
Newsgroups: alt.comp.os.windows-11,comp.misc,misc.phone.mobile.iphone,sci.crypt
Subject: Re: Apple Keychain's GAY ASS incompatibility with AES encrypted
PKCS-12 files
Date: Thu, 25 Jul 2024 02:40:45 -0400
Organization: Mixmin
Message-ID: <v7ss1d$2p0em$1@news.mixmin.net>
References: <uuj7d2$1sp3n$1@news.mixmin.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 25 Jul 2024 06:40:46 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="c4af4a3027e8317d29ea238d8aa6bb2f616aa3fc";
logging-data="2916822"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <uuj7d2$1sp3n$1@news.mixmin.net>
View all headers

On 4/3/24 5:26 AM, Anonymous wrote:
> I have an S/MIME certificate with a private key, exported from Windows 11
> that I need to import into Outlook for iOS. I select AES256-SHA256, and
> this is how it's encrypted in the PFX file upon export, according to
> OpenSSL:
>
> MAC: sha256, Iteration 2000
> MAC length: 32, salt length: 20
> PKCS7 Data
> Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
> PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF
> hmacWithSHA256
>
> So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX
> file to myself. Outlook uses Apple's Keychain functionality, and Keychain
> can't decrypt the PFX file. It doesn't even give a proper error message,
> just that the password is "incorrect". This occurs on macOS as well.
>
> The only way around this problem is to choose 'TripleDES-SHA1' instead of
> 'AES256-SHA256' when exporting from Windows:
>
> MAC: sha1, Iteration 2000
> MAC length: 20, salt length: 20
> PKCS7 Data
> Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
> PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
>
> But if I'm not mistaken, Triple DES is deprecated, currently disallowed by
> NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting
> PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.
>
> So what the hell am I supposed to do? Set up my own mail server with TLS to
> send one lousy file, or send it through my Google account and pray that the
> god damn glow-in-the-darks don't vacuum it up?
>
> Maybe Apple should fix this?

This is fixed as of the macOS 15.0 (Sequoia) and iOS 18.0 betas. Thanks
to whoever did so.

1

rocksolid light 0.9.8
clearnet tor