Mbed TLS is now part of TrustedFirmware.org.

Hello,is mbedtls support pkcs12?

Feb 17, 2017 09:52

I use stm32 and C to decrypt RSA,and have a encrypted pkcs12 cert(also have password),enc and dec with RSA was already OK,but can not parse the pkcs12 cert. Now I already get the pkcs8 priKey date from pkcs12 cert,and know the algorithm is MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC,but it seems cant decrypt it with RC2_40_CBC. I am not sure,does it have some ways? Thanks.

Feb 20, 2017 09:27
Ron Eldor

Hi Maya,
MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC is not supported in mbed TLS. RC2 has its disadvantages, security being one of them. You can use other PKCS12 algorithms, such as MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC.
mbed TLS Team member

Feb 21, 2017 01:11


Mar 7, 2017 07:10

hi mayahs: i want to get pubkey and prikey from pfx certificate,Which interface or algorithm can be implemented´╝č thanks.

Mar 19, 2018 09:52


is there an example how to use the mbedtls-stack with PKCS#12?

I tried the following stepps, but I had no luck:

  1. I generated a key + cetificate with openssl:
    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

  2. I generated pkcs#12 with these files:
    openssl pkcs12 -export -out ssl_pkcs12.pfx -inkey key.pem -in cert.pem -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC4-128

  3. I tried do decode the pkcs#12 file with the mbedtls example "pk_decrypt".
    This throws the error "PK - Invalid key tag or value". (-0x3D00)
    It seems that the ASN1-Parser has a problem with the version tag of the pkcs#12-file.

What am I doing wrong?

Greetings, Heiko