Is OpenSSL V3.0.0 compatible with V1.1.1 - ssl

I needed to create a Java keystore and so I downloaded the latest version of openssl but kept getting:
keytool error: java.io.IOException: keystore password was incorrect
As well as Windows telling me I had the wrong password if I tried to import the .p12. After hours of trying to get things to work I finally downloaded v1.1.1 and POW, things just worked!
Problem solved! But why? Why does OpenSSL v3.0.0 not work like v1.1.1?
C:\openssl3> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks300.p12
C:\openssl3> openssl pkcs12 -info -in ks300.p12
Enter Import Password:
<works fine>
...
</works fine>
C:\openssl3> keytool -list -v -keystore ks300.p12
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
... 6 more
Then:
C:\openssl1.1.1> openssl pkcs12 -export -name tomcat -in cert.cer -inkey key -out ks111.p12
C:\openssl1.1.1> openssl pkcs12 -info -in ks111.p12
<works fine />
C:\openssl1.1.1> keytool -list -v -keystore ks111.p12
Enter keystore password:
<works fine />
C:\openssl1.1.1> C:\openssl3\openssl pkcs12 -info -in ks111.p12
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
5C200000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
C:\openssl1.1.1>openssl pkcs12 -info -in ks300.p12
<works fine>
Now that last one surprised me as I was collecting the output for this post, but yes, openssl 1.1.1 read the openssl3 .p12 file fine but not the other way round (openssl3 cannot read the openssl1.1.1 .p12). The keytool and Windows kept complaining about the password for the openssl3 .p12 -- but COULD read the v1.1.1 one.
Is there some downward compatibility option I missed?
I seem to be the only person on the internet to run into this issue, which usually means that I did something wrong.
Some other data points:
C:\> Java --version
openjdk 11.0.2 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
C:\openssl3>openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
C:\openssl1.1.1>openssl version
OpenSSL 1.1.1l 24 Aug 2021
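The -info output above already shows what differs between the two exports: OpenSSL 1.1.1 defaults to pbeWithSHA1And40BitRC2-CBC with a SHA-1 MAC, while OpenSSL 3.0 changed the pkcs12 -export defaults to PBES2 with AES-256-CBC, PBKDF2 and a SHA-256 MAC, and moved RC2 into its separate "legacy" provider (which is why the 3.0 binary fails with "unsupported ... RC2-40-CBC" on the 1.1.1 file unless `openssl pkcs12 -legacy` is used, and which also explains why 1.1.1, which still ships AES and SHA-256, reads the 3.0 file fine). Which of the two algorithm sets a given keytool accepts depends on the JDK version. The script below is an added example, not part of the question or any answer: a pure-Python DER walker that reports the MAC digest, the iteration counts and the PBE scheme of each encrypted SafeContents of a .p12 file without decrypting it and without needing openssl installed, so the file's algorithm set can be checked before guessing at passwords. The function names are my own; the two sample blobs are constructed skeletons carrying only the algorithm identifiers of each version's defaults, with dummy ciphertext and MAC bytes. Two caveats: the tool looks only at SafeContents-level encryption and the outer MAC, not at the private key's own PKCS8ShroudedKeyBag encryption (the -keypbe setting), and a file that reports the RC2-40/SHA-1 set is using algorithms that are weak by current standards, so re-exporting with `-legacy` is a compatibility stopgap rather than a long-term fix.

```python
"""Report the MAC and encryption algorithms inside a PKCS#12 (.p12/.pfx) file.
Added example, not from the original post; pure-Python DER walking, no openssl needed."""
import sys
OIDS = {  # identifiers that separate an OpenSSL 1.1.1 export from an OpenSSL 3 one
    "1.2.840.113549.1.7.1": "data", "1.2.840.113549.1.7.6": "encryptedData",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",  # RC2: OpenSSL 3 legacy provider only
    "1.2.840.113549.1.5.12": "PBKDF2", "1.2.840.113549.1.5.13": "PBES2", "1.3.14.3.2.26": "sha1",
    "1.2.840.113549.2.9": "hmacWithSHA256", "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
    "2.16.840.1.101.3.4.2.1": "sha256"}
def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, value bytes, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):
    """All (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def _oid(value):
    """OID content bytes -> dotted string, mapped to a name when known."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return OIDS.get(".".join(parts), ".".join(parts))
def _describe_pbe(alg_id):
    """EncryptedContentInfo.contentEncryptionAlgorithm -> dict of its parameters."""
    oid, params = _children(alg_id)
    if _oid(oid[1]) != "PBES2":  # PKCS#12 PBE params: SEQUENCE { salt, iterations }
        return {"pbe": _oid(oid[1]), "iterations": int.from_bytes(_children(params[1])[1][1], "big")}
    kdf, scheme = _children(params[1])  # PBES2-params: keyDerivationFunc, encryptionScheme
    kdf_params = _children(_children(kdf[1])[1][1])  # salt, iterationCount, [keyLength], [prf]
    prf = _oid(_children(kdf_params[-1][1])[0][1]) if kdf_params[-1][0] == 0x30 else "hmacWithSHA1"
    return {"pbe": "PBES2", "kdf": _oid(_children(kdf[1])[0][1]), "prf": prf,
            "cipher": _oid(_children(scheme[1])[0][1]),
            "iterations": int.from_bytes(kdf_params[1][1], "big")}
def inspect_pkcs12(der):
    """Return the MAC digest/iterations, the PBE of each SafeContents, and whether RC2-40 is used."""
    _version, auth_safe, *mac = _children(_tlv(der, 0)[1])
    report = {"mac": None, "safes": []}
    if mac:  # MacData ::= SEQUENCE { DigestInfo, macSalt, iterations DEFAULT 1 }
        fields = _children(mac[0][1])
        report["mac"] = {"digest": _oid(_children(_children(fields[0][1])[0][1])[0][1]),
                         "iterations": int.from_bytes(fields[2][1], "big") if len(fields) > 2 else 1}
    # authSafe = ContentInfo { data, [0] OCTET STRING wrapping AuthenticatedSafe (SEQUENCE OF ContentInfo) }
    octets = _children(_children(auth_safe[1])[1][1])[0][1]
    for _, content_info in _children(_tlv(octets, 0)[1]):
        ctype, body = _children(content_info)
        if _oid(ctype[1]) != "encryptedData":
            report["safes"].append({"pbe": None})  # unencrypted SafeContents (typically certificates)
            continue
        enc_content_info = _children(_children(body[1])[0][1])[1][1]  # skip EncryptedData.version
        report["safes"].append(_describe_pbe(_children(enc_content_info)[1][1]))
    # RC2 lives in OpenSSL 3's legacy provider; `openssl pkcs12 -legacy` is what loads it
    report["needs_openssl3_legacy"] = any(s["pbe"] == "pbeWithSHA1And40BitRC2-CBC" for s in report["safes"])
    return report
# Constructed sample data (not real exports): the outer structure of a .p12 with dummy
# ciphertext and MAC bytes, carrying each OpenSSL version's default algorithm identifiers.
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def _enc_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        body += bytes(chunk)
    return _der(0x06, bytes(body))
def _int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _alg(oid, params):  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    return _der(0x30, _enc_oid(oid) + params)
def build_sample_pfx(openssl3_defaults):
    """False: RC2-40 + SHA-1 MAC (1.1.1 defaults); True: PBES2/AES-256-CBC + SHA-256 MAC (3.0 defaults)."""
    salt, null = _der(0x04, b"\x00" * 8), _der(0x05, b"")
    if openssl3_defaults:
        kdf = _alg("1.2.840.113549.1.5.12", _der(0x30, salt + _int(2048) + _alg("1.2.840.113549.2.9", null)))
        pbe = _alg("1.2.840.113549.1.5.13", _der(0x30, kdf + _alg("2.16.840.1.101.3.4.1.42", _der(0x04, b"\x00" * 16))))
        mac_alg, mac_len = _alg("2.16.840.1.101.3.4.2.1", null), 32
    else:
        pbe = _alg("1.2.840.113549.1.12.1.6", _der(0x30, salt + _int(2048)))
        mac_alg, mac_len = _alg("1.3.14.3.2.26", null), 20
    eci = _der(0x30, _enc_oid("1.2.840.113549.1.7.1") + pbe + _der(0x80, b"\x00" * 16))
    enc = _der(0x30, _enc_oid("1.2.840.113549.1.7.6") + _der(0xA0, _der(0x30, _int(0) + eci)))
    auth_safe = _der(0x30, _enc_oid("1.2.840.113549.1.7.1") + _der(0xA0, _der(0x04, _der(0x30, enc))))
    mac_data = _der(0x30, _der(0x30, mac_alg + _der(0x04, b"\x00" * mac_len)) + salt + _int(2048))
    return _der(0x30, _int(3) + auth_safe + mac_data)
if __name__ == "__main__":  # usage: python pkcs12_algs.py [file.p12]; with no argument the two samples are shown
    blobs = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else [build_sample_pfx(False), build_sample_pfx(True)]
    for blob in blobs:
        print(inspect_pkcs12(blob))
```

Run against ks111.p12 the report shows the sha1 MAC and the RC2-40 SafeContents with needs_openssl3_legacy set, matching the -info lines in the question; run against ks300.p12 it shows the sha256 MAC and a PBES2/PBKDF2/aes-256-cbc SafeContents. A mismatch between what a consumer (keytool, the Windows certificate import) implements and what the report shows is worth ruling out before treating "keystore password was incorrect" as a password problem, since a PKCS#12 reader that cannot process the MAC or the PBE tends to surface the failure as a bad password.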

Related

openssl command generates an empty .key file from .pfx file

When I try to generate a key from a pfx certificate file, it creates an empty file
openssl pkcs12 -in test.pfx -nocerts -out test.key -nodes
I executed the command on git bash, Windows Server 2019. The command seems to run without stopping because I can't type.
Thanks

Failed to generate apk due to error "error: uncompiled PNG file passed as argument. Must be compiled first into .flat file.."

I'm attempting to generate a signed APK for my react-native project. I've received the error message: "error: uncompiled PNG file passed as argument. Must be compiled first into .flat file.."
How do I resolve this issue? I've looked at this question and have also tried adding android.enableAapt2=false to the gradle-wrapper.properties file.
I have also tried manually creating a debug build as instructed here:
Finally, I noticed that there's a key component missing in the rn documentation
The first step is to
keytool -genkey -v -keystore my-release-key.keystore -alias my-key-alias -keyalg RSA -keysize 2048 -validity 10000
However, I did not see anywhere about specifying the location for the my-release-key.keystore file. I was not able to get this to work until I used
keytool -genkey -v -keystore d:\my_private_key.keystore -alias my_key_alias -keyalg RSA -keysize 2048 -validity 10000
android.enableAapt2=false
should be placed inside gradle.properties NOT gradle-wrapper.properties!

Error While Generating .bks file

I am using wso2-emm 2.0.1 with an Ubuntu x64 system. While configuring the product I am getting one error in generating the .bks file for the android agent certificate.
I've used this cmd:
keytool -noprompt -import -v -trustcacerts -alias $(openssl x509 -inform PEM -subject_hash -noout -in ca_cert.pem) -file ca_cert.pem -keystore emm_truststore.bks -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk16-146.jar -storepass 'wso2carbon'
And the corresponding error is:
keytool error: java.io.IOException: Wrong version of key store.
java.io.IOException: Wrong version of key store.
at org.bouncycastle.jce.provider.JDKKeyStore.engineLoad(Unknown Source)
Thanks in advance

Manually sign Push Package with openssl for Safari Push Notifications

The documentation says "The signature is a PKCS #7 detached signature of the manifest file", but how does one do that with openssl?
For Passbook I found these commands:
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -clcerts -nokeys -out ./certificate.pem
openssl pkcs12 -passin pass:test -in ./Certificates.p12 -nocerts -out ./key.pem
openssl smime -passin pass:test -binary -sign -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature -outform DER
Also tried with the WWDR certificate:
openssl smime -passin pass:test -binary -sign -certfile ~/Downloads/AppleWWDRCA.cer -signer ./certificate.pem -inkey ./key.pem -in ./pushPackage.raw/manifest.json -out ./pushPackage.raw/signature -outform DER
And zip it with:
zip -r ../example.zip . -x '*.DS_Store'
But I still get "Signature verification of push package failed".
I've also encountered this problem. After trying, I figured out that different openssl versions will result in a different size of signature for the same manifest file.
Originally, I was using openssl 1.0.2, 1.0.3 but with no luck, but after I downgraded my openssl version to 0.9.8zf 19 Mar 2015 everything works fine, and my Safari can recognize the push package (my Safari version is 8.0.7 (10600.7.12), MAC OS: 10.10.4 (14E46)).
My openssl command is:
openssl smime -sign -in manifest.json -out signature -signer push.pem -certfile AppleWWDRCA.pem -binary -inkey push.key -outform der

Can't get MD5 to get maps api key?

I made a map app for Android. But when I try to get the MD5 for the Maps API key, using the command
keytool.exe -list -alias androiddebugkey -keystore "C:\android\debug.keystore" -storepass android -keypass android
I get only one SHA1 and not the MD5. I am using JDK 7 and Windows 7 32 bit. Any help is much appreciated. Thanks.
With JDK 1.7 installed, keytool outputs the SHA1 fingerprint by default, not MD5. Adding the -v option allows you to see the MD5 as well.
-v for verbose..