pkcs12.serialize_key_and_certificates does not produce a valid PKCS #12 client certificate bundle in cryptography >= 43.0.0

[blackm0re]

Tested Python versions 3.11, 3.12
Tested cryptography versions: 42.0.8, 43.0.0, 43.0.0.3
cffi 1.17.1
setuptools 74.1.3
pip 24.2

Installing:
python -m venv venvC43
source venvC43/bin/activate
pip install cryptography==

Reproducing:
Running the attached code
pkcs12_example.py.txt
using cryptography >= 43.0.0 completes without error. The resulting bundle is rejected (after prompting and receiving correct password) by Mozilla Firefox and Google Chrome with the following error message:

"The PKCS #12 operation failed for unknown reasons"

Running exactly the same code with cryptography 42.0.8 produces a bundle that is accepted by the browsers.

[alex]

I'm almost positive this is because they do not support the default encryption mode, as documented: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/serialization/#cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates

You can follow the example to use PBESv1SHA1And3KeyTripleDESCBC instead.

[blackm0re]

I get exactly the same result when using the exact example above (pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC):
Works with 42.0.8, does not work with 43.0.3

No Windows or MacOS involved either.

I see that the serialization code went through some refactoring 4 months ago.

[alex]

Are you by chance able to test with main from git and see if that fixes it?

…

On Sun, Nov 10, 2024, 11:10 AM Simeon Simeonov ***@***.***> wrote: I get exactly the same result when using the exact example above (pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC): Works with 42.0.8, does not work with 43.0.3 Not Windows or MacOS involved either. I see that the serialization code went through some refactoring 4 months ago. — Reply to this email directly, view it on GitHub <#11927 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBH5UEZORF2HGQLUXT3Z76AQ5AVCNFSM6AAAAABRQEPEXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINRWG44TENZTGU> . You are receiving this because you commented.Message ID: ***@***.***>

[blackm0re]

After performing the following steps:
git clone https://github.com/pyca/cryptography.git
cd cryptography
python -m build .

Getting:
Built wheel for abi3 Python ≥ 3.7 to /tmp/build-via-sdist-url3g36u/cryptography-44.0.0.dev1/target/wheels/cryptography-44.0.0.dev1-cp37-abi3-linux_x86_64.whl
/tmp/build-via-sdist-url3g36u/cryptography-44.0.0.dev1/target/wheels/cryptography-44.0.0.dev1-cp37-abi3-linux_x86_64.whl
Successfully built cryptography-44.0.0.dev1.tar.gz and cryptography-44.0.0.dev1-cp37-abi3-linux_x86_64.whl

Then:
python -m venv venvCDev
source venvCDev/bin/activate
pip install dist/cryptography-44.0.0.dev1-cp37-abi3-linux_x86_64.whl

The above code runs and produces a valid bundle (both with pkcs12.PBES.PBESv1SHA1And3KeyTripleDESCBC and pkcs12.PBES.PBESv2SHA256AndAES256CBC)

[alex]

Ok, I think that means that b5a312f is the fix. It'll be included in the next release.

[blackm0re]

Good news :)
Which release would that be? 44.0.0 or 43.0.4?

[alex]

44.0

[github-actions]

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.