Problems updating from 4.3.3.0 to 5.0.9.9

VCL TMS Cryptography Pack
1

Hello TMS Support,

we recently updated to the latest version of your CryptoPack/X509 components and encountered an issue when loading a PFX file using:

X.DecodeCertAndKeyFromPFX(PfxPath, PfxPass);
X.RSAExtractPrivateKey(X.KeyStr);

Problem 1 – Access Violation in ComputeHash

During DecodeCertAndKeyFromPFX, an Access Violation is raised inside this method:

procedure TX509Certificate.ComputeHash(inBlock: TBytes; var outHash: TBytes);
var
SHA1: TSHA1;
SHA2: TSHA2;
I: integer;
begin
...
for I := 1 to PFX.HmacIterations - 1 do begin
if PFX.HmacAlgorithm = '1.3.14.3.2.26' then begin
SHA1.BufferHash(outHash, outHash);
SHA1.Free; // <-- freed on first iteration, then reused → crash
end
else begin
SHA2.BufferHash(outHash, outHash);
SHA2.Free; // <-- same problem here
end;
end;
end;

The objects SHA1 / SHA2 are freed inside the loop, but are used again in the next iteration, which leads to an AV.

Commenting out the SHA*.Free prevents the crash, but results in the private key being empty, so RSAExtractPrivateKey receives an empty KeyStr.

Problem 2 – New SHA-256 PFX also fails (empty key)

To rule out SHA-1 related issues, we generated a new certificate:
MAC: SHA256
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, PRF hmacWithSHA256
PFX.HmacAlgorithm now returns: 2.16.840.1.101.3.4.2.1 (SHA-256)

Even with this modern PFX, the result is still:

  • no crash when removing the incorrect Free calls
  • but X.KeyStr is empty after DecodeCertAndKeyFromPFX

So currently we cannot extract the private key anymore.

Could you please:

  1. Confirm that the SHA1.Free / SHA2.Free inside the loop in ComputeHash is a defect?
  2. Provide a patch or updated version of DecodeCertAndKeyFromPFX that correctly handles SHA-256 PFX files (PBES2 + AES-256-CBC + HMAC-SHA256)?
  3. Advise whether there is a recommended OpenSSL command to generate PFX files fully compatible with the latest CryptoPack version.

We are currently blocked by this, because JWT signing for Salesforce depends on a working private key extraction.

Best regards,
Bernd

2

Hello Bernd,

Well, the ComputeHash procedure is indeed incorrect.

Please replace the sequence you flagged by:

  for I := 1 to PFX.HmacIterations - 1 do begin
    if PFX.HmacAlgorithm = '1.3.14.3.2.26' then
      SHA1.BufferHash(outHash, outHash)
    else
      SHA2.BufferHash(outHash, outHash);
  end;

  if PFX.HmacAlgorithm = '1.3.14.3.2.26' then
    SHA1.Free
  else
    SHA2.Free;

Can you send me your test PFX cert (and password)?

bernard@tmssoftware.com

Regards,
bernard

3

Here is a fix that works for me.

In X509Obj, ca line 5200:

      // RSA keys ONLY in this version
      if FPfx.DecryptedBlock[I] = ASNInteger then begin
        KeyStr := FRSA.ASNServices.ExtractRSAPrivateKey(FPfx.DecryptedBlock);
        FRSA.inputFormat     := raw;  //                               **<= ADD THIS**
        FRSA.modulus         := FRSA.ASNServices.RSAKeySet.modulus;
        FRSA.PublicExponent  := FRSA.ASNServices.RSAKeySet.publicExponent;
        FRSA.PrivateExponent := FRSA.ASNServices.RSAKeySet.privateExponent;
      end

Then in ASN1Core, ParsePkiMessage, ca line 1060, comment 3 lines:

//      Version := integer(Content[P]);
  //    if Version <> 0 then
    //    raise ECryptoPack.Create('ParsePkiMessage: Unsupported private key file version [01] (V = ' + IntToStr(Version) + ')');

I will issue a revised version ASAP but those two modifications should work for you.

Regards,

bernard