When trying to import a pkcs12 certificate file into android for use with the openvpn connect app, I am prompted to input a password. This is the password relevant to this pkcs12 file. I proceed to input the correct password and am met with an "incorrect password" message.
To confirm that it is not the file that is faulty, I then tried to install the same certificate on a windows computer, where the same password was accepted and the certificate was installed without issue.
This was tested on two different smartphones running android 11 security update 2022-02-05.
Has anyone seen this issue before? I can only find similar issues online with no resolution.
I had the same issue. It took me about a month to figure it out.
The tl;dr is this:
```sh
$ openssl pkcs12 -nodes < your.p12 > /tmp/certbag.pem
$ openssl pkcs12 -export -legacy -in /tmp/certbag.pem > /tmp/legacy.p12
```
Then use legacy.p12.
Apparently Android cannot import newer pkcs12 files. I tried this on Android 12 and Android 13. This is what `man openssl-pkcs12` says for `-legacy`:

> In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.
Using `openssl pkcs12 -info` in my case I see this on the original .p12 file, which was created using Python's PyCryptography PKCS12 support:

```text
MAC: sha256, Iteration 1
MAC length: 32, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 20000
```
And using `openssl pkcs12 -info -legacy` on the converted .p12 file I see this:

```text
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
```
The original one fails to import while the converted (legacy one) imports perfectly well.
In case anyone is struggling with GnuTLS certtool...
TL;DR this should work with both Android 9 & Android 12:
```sh
certtool --load-privkey client.key --load-certificate client.crt \
    --load-ca-certificate ca.crt \
    --to-p12 --outder --outfile client.p12 \
    --p12-name "A Friendly Name" \
    --hash SHA1 --pkcs-cipher 3des-pkcs12 --password YourPassword
```
When creating PKCS#12 files, you have to choose the MAC hash algorithm (`--hash=xxx`) and the cipher algorithm (`--pkcs-cipher=xxx`). From my test, Android support is as below.
| Hash Algorithm | Cipher Algorithm | Android 9 | Android 12 |
|---|---|---|---|
| (any) | aes-128, aes-192, aes-256 | no | no |
| SHA384, SHA512 | 3des-pkcs12 | no | no |
| SHA256 | 3des-pkcs12 | yes | no |
| SHA1 | 3des-pkcs12 | yes | yes |
| SHA256 | rc2-40 | yes | no |
| SHA1 | rc2-40 | yes | yes |
As can be seen above, Android 9 actually supports both SHA256 and SHA1 as MAC, but Android 12 somehow only supports SHA1.
In certtool, the default MAC hash algorithm is SHA256 even if you choose `--pkcs-cipher=3des-pkcs12`. Therefore you have to explicitly specify `--hash=SHA1`, otherwise the p12 file won't work for Android 12.