Score:0

Verify two pfx certificates are not the same without the password


I need to verify that two pfx files are indeed different certificates, and not the same data pasted two times. My constraints are:

  • I don't have access to the certificate password, therefore I cannot use tools like "certutil -dump path" etc.
  • As explained, I cannot rely on the file metadata (creation date, etc.) because I want to verify that the content is actually different.

I understand that the pfx file itself, sitting in the OS' filesystem, will have some metadata (file creation date, etc.) and actual data. I wonder if all the content of the pfx is ciphertext, since it is password protected, or if it also contains some structure like sections, where there is some ciphertext but also some accessible data like certificate ID etc. Obviously I opened both files with a plaintext editor and the content is very different, due to encryption, but I am not sure if I would be able to find common blocks if both certificates were, indeed, the same one.

Score:1

Unfortunately that is hard to do reliably. Depends on how it was stored. See https://security.stackexchange.com/questions/177874/extract-information-about-certificate-from-a-pfx-file-without-the-password?rq=1

If you are unlucky all data is encrypted. In that case you can compare file contents, but binary data can be completely different, even when they contain the same certificate.

Post with information on how to read PFX files

Silverman: Ah yes, the link you provided suggests there is the possibility for containers containing ciphertext, or complete ciphertext from start to finish. Do you have any idea of which file viewer could be used to interpret those sections, if existing?
@Silverman Link added to answer
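
As an added example (not part of the original answer or its linked post): a PFX is an ASN.1 structure, and the certificate can be compared without the password only when its container is stored as plain `pkcs7-data` rather than `pkcs7-encryptedData`. The sketch below walks that structure with the standard library only; the names `kids`, `inspect_pfx`, `der` and `sample_pfx` are hypothetical, and the sample files are constructed skeletons with placeholder bytes, not real certificates.

```python
import hashlib

OID_DATA = bytes.fromhex("2a864886f70d010701")          # pkcs7-data, 1.2.840.113549.1.7.1
OID_ENCRYPTED = bytes.fromhex("2a864886f70d010706")     # pkcs7-encryptedData, ...1.7.6
OID_CERT_BAG = bytes.fromhex("2a864886f70d010c0a0103")  # certBag, 1.2.840.113549.1.12.10.1.3
OID_X509 = bytes.fromhex("2a864886f70d01091601")        # x509Certificate, ...1.9.22.1

def kids(buf):
    """Split buf into (tag, value) pairs; definite-length DER only."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n == 0x80:
            raise ValueError("BER indefinite length: re-encode as DER first")
        if n > 0x80:                       # long form: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + n - 0x80], "big"), i + n - 0x80
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def inspect_pfx(pfx):
    """Return (sorted SHA-256 of readable certs, count of encrypted containers)."""
    wrapped = kids(kids(kids(pfx)[0][1])[1][1])[1]       # PFX -> authSafe -> [0]
    digests, encrypted = [], 0
    for _, ci in kids(kids(kids(wrapped[1])[0][1])[0][1]):   # AuthenticatedSafe
        ctype, content = kids(ci)[:2]
        if ctype[1] == OID_ENCRYPTED:
            encrypted += 1                 # opaque without the password
        elif ctype[1] == OID_DATA:         # SafeContents stored in the clear
            for _, bag in kids(kids(kids(content[1])[0][1])[0][1]):
                bag_id, bag_value = kids(bag)[:2]
                if bag_id[1] == OID_CERT_BAG:
                    cert_bag = kids(kids(bag_value[1])[0][1])   # certId, [0] certValue
                    cert = kids(cert_bag[1][1])[0][1]           # the certificate bytes
                    digests.append(hashlib.sha256(cert).hexdigest())
    return sorted(digests), encrypted

def der(tag, *parts):
    """Encode one element for the constructed samples (short-form length only)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_pfx(cert, encrypted):
    """Constructed skeleton PFX (no key bag, no MAC); cert is placeholder bytes."""
    cert_bag = der(0x30, der(0x06, OID_X509), der(0xA0, der(0x04, cert)))
    bags = der(0x30, der(0x30, der(0x06, OID_CERT_BAG), der(0xA0, cert_bag)))
    inner = der(0x04, bags) if not encrypted else der(0x30, der(0x02, b"\0"))
    ci = der(0x30, der(0x06, OID_ENCRYPTED if encrypted else OID_DATA), der(0xA0, inner))
    safe = der(0x30, der(0x06, OID_DATA), der(0xA0, der(0x04, der(0x30, ci))))
    return der(0x30, der(0x02, b"\x03"), safe)
```

If two real files both return digests, equal digest lists mean the same certificate. If a file returns no digests and a non-zero encrypted count, its certificate cannot be compared without the password.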