Anonymous
2024-04-03 09:26:58 UTC
I have an S/MIME certificate with a private key, exported from Windows 11
that I need to import into Outlook for iOS. I select AES256-SHA256, and
this is how it's encrypted in the PFX file upon export, according to
OpenSSL:
MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX
file to myself. Outlook uses Apple's Keychain functionality, and Keychain
can't decrypt the PFX file. It doesn't even give a proper error message,
just that the password is "incorrect". This occurs on macOS as well.
The only way around this problem is to choose 'TripleDES-SHA1' instead of
'AES256-SHA256' when exporting from Windows:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
But if I'm not mistaken, Triple DES is deprecated, currently disallowed by
NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting
PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.
So what the hell am I supposed to do? Set up my own mail server with TLS to
send one lousy file, or send it through my Google account and pray that the
god damn glow-in-the-darks don't vacuum it up?
Maybe Apple should fix this?
that I need to import into Outlook for iOS. I select AES256-SHA256, and
this is how it's encrypted in the PFX file upon export, according to
OpenSSL:
MAC: sha256, Iteration 2000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2000, PRF hmacWithSHA256
So as per Microsoft's documentation for Outlook for iOS, I emailed the PFX
file to myself. Outlook uses Apple's Keychain functionality, and Keychain
can't decrypt the PFX file. It doesn't even give a proper error message,
just that the password is "incorrect". This occurs on macOS as well.
The only way around this problem is to choose 'TripleDES-SHA1' instead of
'AES256-SHA256' when exporting from Windows:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
But if I'm not mistaken, Triple DES is deprecated, currently disallowed by
NIST, and is considered to be some WEAK ASS SHIT. Also, when encrypting
PKCS-12 files, OpenSSL 3.x.x defaults to AES256 and SHA256.
So what the hell am I supposed to do? Set up my own mail server with TLS to
send one lousy file, or send it through my Google account and pray that the
god damn glow-in-the-darks don't vacuum it up?
Maybe Apple should fix this?