View Source ExFiskal.Cryptography (ExFiskal v1.3.0)
Cryptographic operations for Croatian fiscal (fiskalizacija) certificates.
OpenSSL Legacy Support
This module uses the -legacy flag when parsing PKCS12 certificates. This is
required because FINA (Croatian Financial Agency) issues certificates using
legacy encryption algorithms that OpenSSL 3.x disabled by default:
| Era | Certificate PBE | Key PBE |
|---|---|---|
| Pre-Sept 2021 | RC2-40-CBC | 3DES-CBC |
| OpenSSL 3.x+ | AES-256-CBC | AES-256-CBC |
Certificates issued before September 2021 (when OpenSSL 3.0 was released) use
pbeWithSHA1And40BitRC2-CBC for certificate encryption and pbeWithSHA1And3-KeyTripleDES-CBC
for key encryption. Without the -legacy flag, OpenSSL 3.x fails with:
PKCS12_parse: unsupported (Algorithm (RC2-40-CBC : 0), Properties ())The -legacy flag is safe for modern certificates (no negative impact on AES-256-CBC)
while being required for production FINA certificates that may use RC2/3DES.