PKCS12 Test Fixtures
TODO: REPLACE PKCS12 FILES, CERTS, AND KEYS.
Temporarily removed until we regenerate them ourselves.
These PKCS12 files are used to test different scenarios. Each has an empty password.
Including -noiter
uses a single encryption iteration, and -nomaciter
uses a single MAC verification iteration.
This makes each P12 keystore much quicker to parse.
Commands to generate files:
# Generate a PKCS12 file with an EE cert and CA cert, but no EE key
cat opensearch.crt ca.crt | openssl pkcs12 -export -noiter -nomaciter -passout pass: -nokeys -out no_key.p12
# Generate a PKCS12 file with an EE key and EE cert, but no CA cert
cat opensearch.key opensearch.crt | openssl pkcs12 -export -noiter -nomaciter -passout pass: -out no_ca.p12
# Generate a PKCS12 file with an EE key, EE cert, and two CA certs
cat opensearch.key opensearch.crt ca.crt ca.crt | openssl pkcs12 -export -noiter -nomaciter -passout pass: -out two_cas.p12
# Generate a PKCS12 file with two EE keys and EE certs
cat opensearch.key opensearch.crt | openssl pkcs12 -export -noiter -nomaciter -passout pass: -out two_keys.p12
cat opensearch_dashboards.key opensearch_dashboards.crt | openssl pkcs12 -export -noiter -nomaciter -passout pass: -name 2 -out tmp.p12
keytool -importkeystore -srckeystore tmp.p12 -srcstorepass '' -destkeystore two_keys.p12 -deststorepass '' -deststoretype PKCS12
rm tmp.p12
No commonly available tools seem to be able to generate a PKCS12 file with a key and no certificate, so we use node-forge to do that:
const utils = require('@osd/dev-utils');
const forge = require('node-forge');
const fs = require('fs');
const pemCA = fs.readFileSync(utils.CA_CERT_PATH, 'utf8');
const pemKey = fs.readFileSync(utils.OPENSEARCH_KEY_PATH, 'utf8');
const privateKey = forge.pki.privateKeyFromPem(pemKey);
const p12Asn = forge.pkcs12.toPkcs12Asn1(privateKey, pemCA, null, {
useMac: false,
generateLocalKeyId: false,
});
const p12Der = forge.asn1.toDer(p12Asn).getBytes();
fs.writeFileSync('no_cert.p12', p12Der, { encoding: 'binary' });