Support not encrypting the certificates in a PKCS#12

bcgit · Jan 28, 2025 · 67f6e1a · 67f6e1a
1 parent 4c60183
commit 67f6e1a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/crypto/src/pkcs/Pkcs12Store.cs b/crypto/src/pkcs/Pkcs12Store.cs
@@ -784,7 +784,6 @@ public void Save(Stream stream, char[] password, SecureRandom random)
 
             Asn1EncodableVector certBags = new Asn1EncodableVector(m_keys.Count);
             Pkcs12PbeParams     cParams = new Pkcs12PbeParams(cSalt, MinIterations);
-            AlgorithmIdentifier cAlgId = new AlgorithmIdentifier(certAlgorithm, cParams.ToAsn1Object());
             var doneCerts = new HashSet<X509Certificate>();
 
             for (uint i = reverseCertificates ? (uint)m_keysOrder.Count-1 : 0;
@@ -931,6 +930,7 @@ public void Save(Stream stream, char[] password, SecureRandom random)
             }
             else
             {
+                AlgorithmIdentifier cAlgId = new AlgorithmIdentifier(certAlgorithm, cParams.ToAsn1Object());
                 byte[] certBytes = CryptPbeData(true, cAlgId, password, false, certBagsEncoding);
                 EncryptedData cInfo = new EncryptedData(PkcsObjectIdentifiers.Data, cAlgId, new BerOctetString(certBytes));
                 certsInfo = new ContentInfo(PkcsObjectIdentifiers.EncryptedData, cInfo.ToAsn1Object());

diff --git a/crypto/test/src/pkcs/test/PKCS12StoreTest.cs b/crypto/test/src/pkcs/test/PKCS12StoreTest.cs
@@ -1343,7 +1343,7 @@ private void DoTestSupportedTypes()
             basicStoreTest(privKey, chain,
                 NistObjectIdentifiers.IdAes256Cbc,
                 PkcsObjectIdentifiers.IdHmacWithSha256,
-                PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc);
+                null);
         }
 
 		private void basicStoreTest(AsymmetricKeyEntry privKey, X509CertificateEntry[] chain,
@@ -1454,11 +1454,21 @@ private void basicStoreTest(AsymmetricKeyEntry privKey, X509CertificateEntry[] c
 			}
 
 			// check the certificate encryption
-			EncryptedData cb = EncryptedData.GetInstance(c2.Content);
-
-            if (!cb.EncryptionAlgorithm.Algorithm.Equals(certAlgorithm))
+			if (certAlgorithm == null)
 			{
-				Fail("cert encryption algorithm wrong");
+				if (!c2.ContentType.Equals(PkcsObjectIdentifiers.Data))
+				{
+					Fail("there should be no certificate encryption, but content type is not Data");
+				}
+			}
+			else
+			{
+				EncryptedData cb = EncryptedData.GetInstance(c2.Content);
+
+				if (!cb.EncryptionAlgorithm.Algorithm.Equals(certAlgorithm))
+				{
+					Fail("cert encryption algorithm wrong");
+				}
 			}
 		}