From 1ca3d2cb26bbece28525701b6ca1fc3f0817a71a Mon Sep 17 00:00:00 2001
From: Lucas Smith
Date: Thu, 5 Mar 2026 22:20:50 +1100
Subject: [PATCH] fix: install custom crypto engine before pkijs parseInternalValues

When a P12 file uses legacy encryption (3DES, RC2) for its safe contents, pkijs needs our custom CryptoEngine during parseInternalValues(). Previously, the engine was only installed lazily on first getCrypto() call in extractPrivateKey(), which runs after parseInternalValues(). This caused 'Unknown contentEncryptionAlgorithm: 1.2.840.113549.1.12.1.3' when a legacy P12 was the first one opened in a process. Our tests masked this because AES tests always ran first, installing the engine as a side effect.
---
 src/signatures/signers/p12.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/signatures/signers/p12.ts b/src/signatures/signers/p12.ts
index 4878d98..efda2ad 100644
--- a/src/signatures/signers/p12.ts
+++ b/src/signatures/signers/p12.ts
@@ -110,6 +110,12 @@ export class P12Signer implements Signer {
 options: P12SignerOptions = {},
 ): Promise {
 try {
+ // Ensure our custom crypto engine is installed before any pkijs operations.
+ // pkijs's parseInternalValues() uses the engine internally to decrypt safe
+ // contents — if they use legacy algorithms (3DES, RC2), the default engine
+ // will fail with "Unknown contentEncryptionAlgorithm".
+ getCrypto();
+
 // Ensure we have a proper ArrayBuffer (not SharedArrayBuffer)
 const buffer = toArrayBuffer(p12Bytes);
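Review bot: The bare `getCrypto();` call right after `try {` relies on a getter's side effect (installing the pkijs engine) and discards its result, so a later cleanup of the "unused" call, or a change that makes getCrypto() side-effect free, would silently bring the legacy-P12 failure back. The comment should state this explicitly, e.g. `// Called only for its side effect (engine install); the return value is intentionally unused.` The commit message says test ordering masked the bug, yet the diffstat shows only p12.ts changed, so a regression test that opens a 3DES/RC2-encrypted P12 as the very first operation in a fresh process or isolated module context would be worth adding. Since the engine is presumably process-global pkijs state, it is also worth confirming that this call cannot replace an engine another caller has already installed. The enclosing method starts and ends outside the hunk.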