fix: install custom crypto engine before pkijs parseInternalValues (#44)

Mythie · web-flow · commit 743090389360 · 2026-03-05T22:22:04.000+11:00
When a P12 file uses legacy encryption (3DES, RC2) for its safe contents,
pkijs needs our custom CryptoEngine during parseInternalValues(). Previously,
the engine was only installed lazily on first getCrypto() call in
extractPrivateKey(), which runs after parseInternalValues().

This caused 'Unknown contentEncryptionAlgorithm: 1.2.840.113549.1.12.1.3'
when a legacy P12 was the first one opened in a process. Our tests masked
this because AES tests always ran first, installing the engine as a side
effect.
diff --git a/src/signatures/signers/p12.ts b/src/signatures/signers/p12.ts
@@ -110,6 +110,12 @@ export class P12Signer implements Signer {
     options: P12SignerOptions = {},
   ): Promise<P12Signer> {
     try {
+      // Ensure our custom crypto engine is installed before any pkijs operations.
+      // pkijs's parseInternalValues() uses the engine internally to decrypt safe
+      // contents — if they use legacy algorithms (3DES, RC2), the default engine
+      // will fail with "Unknown contentEncryptionAlgorithm".
+      getCrypto();
+
       // Ensure we have a proper ArrayBuffer (not SharedArrayBuffer)
       const buffer = toArrayBuffer(p12Bytes);
 
