Skip to content

add Encode function with friendly names for cert and/or key #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

add Encode function with friendly names for cert and/or key #70

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d55ee70
Add EncodeWithFriendlyName method to support friendly names for key a…
frans-otogone Nov 18, 2025
e862ffa
increase code reuse in pkcs12_test.go
frans-otogone Nov 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 87 additions & 1 deletion pkcs12.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -625,6 +625,31 @@ func Encode(rand io.Reader, privateKey interface{}, certificate *x509.Certificat
// the end-entity certificate bag have the LocalKeyId attribute set to the SHA-1
// fingerprint of the end-entity certificate.
func (enc *Encoder) Encode(privateKey interface{}, certificate *x509.Certificate, caCerts []*x509.Certificate, password string) (pfxData []byte, err error) {
return enc.EncodeWithFriendlyName(privateKey, certificate, caCerts, password, "", "")
}

// EncodeWithFriendlyName produces pfxData containing one private key (privateKey), an
// end-entity certificate (certificate), and any number of CA certificates
// (caCerts).
//
// The pfxData is encrypted and authenticated with keys derived from
// the provided password.
//
// If keyFriendlyName is non-empty, it will be set as the friendly name (alias) for
// the private key. If keyFriendlyName is empty, no friendly name attribute will be added
// to the private key.
//
// If certFriendlyName is non-empty, it will be set as the friendly name (alias) for
// the end-entity certificate. If certFriendlyName is empty, no friendly name attribute
// will be added to the certificate.
//
// EncodeWithFriendlyName emulates the behavior of OpenSSL's PKCS12_create: it creates two
// SafeContents: one that's encrypted with the certificate encryption algorithm
// and contains the certificates, and another that is unencrypted and contains the
// private key shrouded with the key encryption algorithm. The private key bag and
// the end-entity certificate bag have the LocalKeyId attribute set to the SHA-1
// fingerprint of the end-entity certificate.
func (enc *Encoder) EncodeWithFriendlyName(privateKey interface{}, certificate *x509.Certificate, caCerts []*x509.Certificate, password string, keyFriendlyName string, certFriendlyName string) (pfxData []byte, err error) {
if enc.macAlgorithm == nil && enc.certAlgorithm == nil && enc.keyAlgorithm == nil && password != "" {
return nil, errors.New("pkcs12: password must be empty")
}
Expand All @@ -647,8 +672,40 @@ func (enc *Encoder) Encode(privateKey interface{}, certificate *x509.Certificate
return nil, err
}

// Build certificate attributes
certAttributes := []pkcs12Attribute{localKeyIdAttr}

// Add friendly name attribute to certificate if provided
if certFriendlyName != "" {
bmpFriendlyName, err := bmpString(certFriendlyName)
if err != nil {
return nil, err
}

encodedFriendlyName, err := asn1.Marshal(asn1.RawValue{
Class: 0,
Tag: 30,
IsCompound: false,
Bytes: bmpFriendlyName,
})
if err != nil {
return nil, err
}

certFriendlyNameAttr := pkcs12Attribute{
Id: oidFriendlyName,
Value: asn1.RawValue{
Class: 0,
Tag: 17,
IsCompound: true,
Bytes: encodedFriendlyName,
},
}
certAttributes = append(certAttributes, certFriendlyNameAttr)
}

var certBags []safeBag
if certBag, err := makeCertBag(certificate.Raw, []pkcs12Attribute{localKeyIdAttr}); err != nil {
if certBag, err := makeCertBag(certificate.Raw, certAttributes); err != nil {
return nil, err
} else {
certBags = append(certBags, *certBag)
Expand Down Expand Up @@ -682,6 +739,35 @@ func (enc *Encoder) Encode(privateKey interface{}, certificate *x509.Certificate
}
keyBag.Attributes = append(keyBag.Attributes, localKeyIdAttr)

// Add friendly name attribute to key if provided
if keyFriendlyName != "" {
bmpFriendlyName, err := bmpString(keyFriendlyName)
if err != nil {
return nil, err
}

encodedFriendlyName, err := asn1.Marshal(asn1.RawValue{
Class: 0,
Tag: 30,
IsCompound: false,
Bytes: bmpFriendlyName,
})
if err != nil {
return nil, err
}

friendlyNameAttr := pkcs12Attribute{
Id: oidFriendlyName,
Value: asn1.RawValue{
Class: 0,
Tag: 17,
IsCompound: true,
Bytes: encodedFriendlyName,
},
}
keyBag.Attributes = append(keyBag.Attributes, friendlyNameAttr)
}

// Construct an authenticated safe with two SafeContents.
// The first SafeContents is encrypted and contains the cert bags.
// The second SafeContents is unencrypted and contains the shrouded key bag.
Expand Down
Loading