crypto.createCredentials PKCS12 not works

[tugrul]

crypto.createCredentials() don't resolve PKCS12 to PEM pkey and cert.

I'm trying to use Google's service API with node.js. But I should use oauth to authorize with p12. Following code don't resolve p12 to der format.

var crypto = require('crypto');
var fs = require("fs");

var p12 = fs.readFileSync("googleservice.p12");
var credentials = crypto.createCredentials({pfx: p12, passphrase: "notasecret"});

console.log(credentials);

output:

{ context: {} }

I could resolve p12 with openssl toolkit or php to der format. I'm trying to use der format for signer.

[bnoordhuis]

{ context: {} }

That's because the context doesn't have any enumerable properties, it's glue for a C++ object. What exactly is the problem?

[tugrul]

@bnoordhuis

PKCS12 is password protected container format for other certificates. This operation should resolve from PKCS12 to DER format.

Following code writen in PHP and has same operation.

<?php
$credentials = array();
$p12 = file_get_contents("privatekey.p12");
$password = 'notasecret';

openssl_pkcs12_read($p12, $credentials, $password);

print_r($credentials);

Result:

Array
(
    [cert] => -----BEGIN CERTIFICATE-----
there was a cert deleted by me
-----END CERTIFICATE-----

    [pkey] => -----BEGIN RSA PRIVATE KEY-----
there was a private key deleted by me
-----END RSA PRIVATE KEY-----

    [extracerts] => Array
        (
        )

)

[bnoordhuis]

This operation should resolve from PKCS12 to DER format.

Are you saying that you expect crypto.createCredentials() to create a textual representation of the PKCS12 input? What for?

[tugrul]

@bnoordhuis

I don't know. It is assumed that the operation. There isn't any use case about PKCS12 input on the documentation. There are definitions only on the documentations.

http://nodejs.org/api/crypto.html#crypto_crypto_createcredentials_details

*pfx : A string or buffer holding the PFX or PKCS12 encoded private key, certificate and CA certificates
*passphrase : A string of passphrase for the private key or pfx

Also I found this:
#2847

[bnoordhuis]

Sorry, I'm going to close this issue. We're down five messages and I'm still not sure what the question is.

[tugrul]

@bnoordhuis

There is a bug or documentation miss. Documentation says crypto.createCredentials() has PKCS12 support with weak information. I'm trying this function but I didn't any result with this function. It returns empty context object.

There are definitions about PKCS12 on documentation but there aren't any use case about this functionality. Actually I guess it because PKCS12 is password protected container format for private keys and certificates.

I want to documentation improvement if I use wrong this function.

Can you to check it? Is it bug? Is it documentation miss?

[bnoordhuis]

There are definitions about PKCS12 on documentation but there aren't any use case about this functionality

Okay, I think I'm following this time.

crypto.createCredentials() creates a credentials object that you can pass to tls.createSecurePair() (which most people will never need to do but that's another story). The credentials object itself is opaque and uninteresting.

PKCS12 support in node.js is mostly restricted to the ability to load PFX files which can then be used to set up a TLS server or connection. It's possible to add functionality that lets you extract the key and certificates in PEM format but you'd have to convince me of the why first.

If you tell me what parts of the documentation are unclear and why, I'll update them.

[tugrul]

After I have looked tls.createSecurePair(), I understood crypto.createCredentials()'s credentials object.

But I think this detail may be on this page: http://nodejs.org/api/crypto.html#crypto_crypto_createcredentials_details

It's possible to add functionality that lets you extract the key and certificates in PEM format but you'd have to convince me of the why first.

It's required for me when i want to make Google Service API client. Google API console provides me PKCS12 certificate for service-service authorization. I should extract PEM private key inside from PKCS12 to signing JWT request in runtime. You can see about information this pages:
https://developers.google.com/console/help/#service_accounts
https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Also I added part of Official Google PHP API Client's jwt signer:

<?php
/*
 * Copyright 2011 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * Signs data.
 *
 * @author Brian Eaton <beaton@google.com>
 */
abstract class Google_Signer {
  /**
   * Signs data, returns the signature as binary data.
   */
  abstract public function sign($data);
}

/**
 * Signs data.
 *
 * Only used for testing.
 *
 * @author Brian Eaton <beaton@google.com>
 */
class Google_P12Signer extends Google_Signer {
  // OpenSSL private key resource
  private $privateKey;

  // Creates a new signer from a .p12 file.
  function __construct($p12, $password) {
    if (!function_exists('openssl_x509_read')) {
      throw new Exception(
          'The Google PHP API library needs the openssl PHP extension');
    }

    // This throws on error
    $certs = array();
    if (!openssl_pkcs12_read($p12, $certs, $password)) {
      throw new Google_AuthException("Unable to parse the p12 file.  " .
          "Is this a .p12 file?  Is the password correct?  OpenSSL error: " .
          openssl_error_string());
    }
    // TODO(beaton): is this part of the contract for the openssl_pkcs12_read
    // method?  What happens if there are multiple private keys?  Do we care?
    if (!array_key_exists("pkey", $certs) || !$certs["pkey"]) {
      throw new Google_AuthException("No private key found in p12 file.");
    }
    $this->privateKey = openssl_pkey_get_private($certs["pkey"]);
    if (!$this->privateKey) {
      throw new Google_AuthException("Unable to load private key in ");
    }
  }

  function __destruct() {
    if ($this->privateKey) {
      openssl_pkey_free($this->privateKey);
    }
  }

  function sign($data) {
    if (!openssl_sign($data, $signature, $this->privateKey, "sha256")) {
      throw new Google_AuthException("Unable to sign data");
    }
    return $signature;
  }
}

[bnoordhuis]

Okay, reopening the issue.