When trying to import a PKCS12 certificate file into Android for use with the OpenVPN Connect app, I am prompted to input a password. This is the password relevant to this PKCS12 file. I proceed to input the correct password and am met with an "incorrect password" message.
To confirm that it is not the file that is faulty, I then tried to install the same certificate on a Windows computer, where the same password was accepted and the certificate was installed without issue.
This was tested on two different smartphones running Android 11 with security update 2022-02-05.
Has anyone seen this issue before? I can only find similar issues online with no resolution.
I had the same issue. It took me about a month to figure it out.
The tl;dr is this:
Then use `legacy.p12`. Apparently Android cannot import newer PKCS12 files. I tried this on Android 12 and Android 13. This is what `man openssl-pkcs12` says for `-legacy`:
Using `openssl pkcs12 -info` in my case I see this on the original .p12 file, which was created using Python's PyCryptography PKCS12 support:
And using `openssl pkcs12 -info -legacy` on the converted .p12 file I see this:
The original one fails to import while the converted (legacy) one imports perfectly well.
In case anyone is struggling with GnuTLS certtool...
TL;DR this should work with both Android 9 & Android 12:
Explanation
When creating PKCS#12 files, you have to choose the MAC hash algorithm (`--hash=xxx`) and the cipher algorithm (`--pkcs-cipher=xxx`). From my test, Android support is as below.
As can be seen above, Android 9 actually supports both SHA256 and SHA1 as MAC, but Android 12 somehow only supports SHA1.
In certtool, the default MAC hash algorithm is SHA256 even if you choose `--pkcs-cipher=3des-pkcs12`. Therefore you have to explicitly specify `--hash=SHA1`, otherwise the p12 file won't work for Android 12.
Other comments
`-iter`
PKCS12 is an encrypted container format for certificates and cryptographic keys. Multiple algorithms exist for encrypting the contained data. Unfortunately, not all systems processing PKCS#12 files support all possible encryption algorithms.
When a system/program reads a PKCS#12 file and encounters an unsupported cryptographic algorithm, you would expect an error message like "unable to read file: unknown or unsupported algorithm". Unfortunately, in reality most implementations just output the generic error message "incorrect password".
Detecting the used encryption algorithm:
To detect the used encryption algorithm, execute
After entering the password(s) you will see the decoded data of the PKCS12 file; the encryption type can be seen from certain lines in the output.
The most recent encryption format (which is not yet supported by all programs) is used if you find a line like:
The older, often called "legacy", encryption format is used if you find a line like:
A third, even older algorithm exists. I have not found an example PKCS#12 file, but it should be output as `pbeWithSHA1And40BitRC2-CBC`.
Converting a PKCS#12 file to the old encryption format
Changing the encryption type used by a PKCS#12 file is pretty complicated, as you have to extract all the contained keys and certificates and then reassemble everything into a new file. The necessary openssl commands are denoted here:
https://help.globalscape.com/help/archive/secureserver3/Converting_an_incompatible_PKCS_12_format_file_to_a_compatible_PKCS_12_.htm
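The detection step described in this answer, and the `openssl pkcs12 -info` check from the first answer, can also be done without OpenSSL at all: the PBE algorithm identifiers and the macData digest algorithm sit unencrypted in the outer DER structure of the file, so a small DER walker can read them directly. The following is an added example written for this page (not code from the thread, from OpenSSL or from GnuTLS); it uses only the Python standard library, and the two PFX structures it builds for the demo are constructed skeletons with dummy ciphertext, salts and digests rather than real files. Run it with a file argument to inspect a real .p12/.pfx. It reports the pair the answers above single out as what Android accepts or rejects: a legacy PBE (SHA1/3DES or SHA1/RC2-40) with a SHA1 MAC, versus PBES2 (PBKDF2 + AES) with a SHA256 MAC.

```python
import sys
# OIDs that decide the PKCS#12 "profile"; every other OID in the file is ignored.
PBE_NAMES = {"1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",  # legacy, keys
             "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",        # legacy, certs
             "1.2.840.113549.1.5.13": "PBES2"}                               # modern: PBKDF2 + AES
DIGEST_NAMES = {"1.3.14.3.2.26": "SHA1", "2.16.840.1.101.3.4.2.1": "SHA256"}  # macData digest

def tlv_iter(data):
    """Yield (tag, body) for each DER TLV; raise ValueError/IndexError on malformed input."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            if n == 0:
                raise ValueError("indefinite length is not DER")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        body, i = data[i:i + length], i + length
        if len(body) != length:
            raise ValueError("truncated element")
        yield tag, body

def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def collect_oids(data, found):
    """Append every OID in a DER blob, descending into constructed types and into OCTET
    STRINGs that hold DER (the authSafe payload); ciphertext, salts and digests are not
    valid DER, so parsing them fails and they are skipped without polluting the result."""
    for tag, body in tlv_iter(data):
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:
            collect_oids(body, found)
        elif tag == 0x04:
            nested = []
            try:
                collect_oids(body, nested)
                found.extend(nested)
            except (ValueError, IndexError):
                pass

def inspect_pkcs12(der_bytes):
    """Return {'kind', 'pbe', 'mac'} for a DER-encoded PFX (RFC 7292 layout)."""
    ((_, pfx),) = tlv_iter(der_bytes)  # exactly one outer SEQUENCE
    parts = list(tlv_iter(pfx))         # version, authSafe [, macData]
    pbe_oids, mac_oids = [], []
    collect_oids(parts[1][1], pbe_oids)
    if len(parts) > 2:
        collect_oids(parts[2][1], mac_oids)
    pbe = [PBE_NAMES[o] for o in dict.fromkeys(pbe_oids) if o in PBE_NAMES]
    mac = next((DIGEST_NAMES[o] for o in mac_oids if o in DIGEST_NAMES), "unknown")
    kind = "modern" if "PBES2" in pbe else "legacy" if pbe else "unknown"
    return {"kind": kind, "pbe": pbe, "mac": mac}

# Minimal DER encoder, used only to build constructed sample files for the demo below.
def der(tag, body):
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

seq = lambda *items: der(0x30, b"".join(items))
# PBE AlgorithmIdentifiers shaped like real ones (salt, IV and iteration count are dummies).
KDF_PARAMS = seq(der(0x04, b"\x11" * 8), der(0x02, b"\x08\x00"))  # salt, 2048 iterations
LEGACY_ALG = seq(encode_oid("1.2.840.113549.1.12.1.3"), KDF_PARAMS)
MODERN_ALG = seq(encode_oid("1.2.840.113549.1.5.13"), seq(
    seq(encode_oid("1.2.840.113549.1.5.12"),  # PBKDF2 with an hmacWithSHA256 PRF
        seq(der(0x04, b"\x11" * 8), der(0x02, b"\x08\x00"), seq(encode_oid("1.2.840.113549.2.9"), der(0x05, b"")))),
    seq(encode_oid("2.16.840.1.101.3.4.1.42"), der(0x04, b"\x44" * 16))))  # AES-256-CBC + IV

def sample_pfx(pbe_alg, digest_oid):
    """Constructed PFX skeleton: one encryptedData ContentInfo in authSafe, plus macData."""
    data_oid = encode_oid("1.2.840.113549.1.7.1")
    enc_info = seq(data_oid, pbe_alg, der(0x80, b"\xde\xad\xbe\xef" * 4))  # [0] IMPLICIT ciphertext
    enc_data = seq(encode_oid("1.2.840.113549.1.7.6"), der(0xA0, seq(der(0x02, b"\x00"), enc_info)))
    auth_safe = seq(data_oid, der(0xA0, der(0x04, seq(enc_data))))
    mac_data = seq(seq(seq(encode_oid(digest_oid), der(0x05, b"")), der(0x04, b"\x22" * 20)),
                   der(0x04, b"\x33" * 8), der(0x02, b"\x08\x00"))
    return seq(der(0x02, b"\x03"), auth_safe, mac_data)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 p12_profile.py client.p12
        print(inspect_pkcs12(open(sys.argv[1], "rb").read()))
    else:
        print("legacy sample:", inspect_pkcs12(sample_pfx(LEGACY_ALG, "1.3.14.3.2.26")))
        print("modern sample:", inspect_pkcs12(sample_pfx(MODERN_ALG, "2.16.840.1.101.3.4.2.1")))
```

The walker only treats an OCTET STRING as nested DER when it parses cleanly from start to end, so encrypted bags, salts and MAC digests do not contribute stray OIDs; the MAC digest is read from the macData element specifically, not from anywhere in the file, because a certificate or PBKDF2 parameter block can legitimately carry hash OIDs of its own.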
I ran into the problem that the above solution with the `-legacy` option did not work on an actual Ubuntu/OpenSSL with my new email certificate.
A small additional problem: I had a .pfx file, not a .p12, not knowing whether this is the same container format with a different extension?
The following workflow was a success:
Delete certbag.pem afterwards! It contains your private key without encryption!
The certificate now imports flawlessly on Android 10.
Thanks to the above solution and the provided links!