wolfSSL 5.8.2 has enhanced the wc_PKCS12_create() function to support modern AES encryption algorithms for PKCS#12 files. This update enables stronger security for protecting private keys and certificates.
What Changed
PKCS#12 files are commonly used to store cryptographic objects like private keys, certificates, and certificate chains. wolfSSL 5.8.2 supports modern AES encryptions for PKCS#12 instead of the legacy one on older wolfSSL.
The new enhancement adds support for:
- PBE_AES256_CBC: AES-256 encryption in CBC mode
- PBE_AES128_CBC: AES-128 encryption in CBC mode
Both algorithms can be used independently for encrypting private keys and certificates, allowing flexibility in security configurations.
Security Benefits
AES (Advanced Encryption Standard) is the current industry standard for encryption, approved by NIST and widely trusted for protecting sensitive data. AES-256 provides 256 bits of security, making it resistant to brute-force attacks, while AES-128 offers 128 bits of security suitable for most applications.
Technical Implementation
The implementation uses PKCS#5 v2 (PBES2) with PBKDF2 key derivation using HMAC-SHA256. This ensures proper password-based key generation and secure encryption of PKCS#12 content.
Usage
To use AES encryption, ensure your build includes:
HAVE_AES_CBCenabledWOLFSSL_ASN_TEMPLATEenabled (required for certificate encryption)WOLFSSL_AES_256orWOLFSSL_AES_128enabled- SHA support (for key derivation)
When creating PKCS#12 files, you can now specify PBE_AES256_CBC or PBE_AES128_CBC as the encryption algorithm for both keys and certificates. Invoking PKCS12_create() function with specifying the AES algorithms to nidKey and/or nidCert arguments enables stronger encryptions.
This feature is available in wolfSSL 5.8.2 and later releases, providing improved security and compliance with modern cryptographic standards for PKCS#12 files.
If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.
Download wolfSSL Now