Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PKCS12 certificates cannot be used in FIPS environments #457

Open
jstaf opened this issue Oct 17, 2024 · 3 comments
Open

PKCS12 certificates cannot be used in FIPS environments #457

jstaf opened this issue Oct 17, 2024 · 3 comments

Comments

@jstaf
Copy link

jstaf commented Oct 17, 2024

trust-manager's .p12 certificates cannot be loaded on systems that enforce FIPS. Example CA bundle:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: ca-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    additionalFormats:
      pkcs12:
        key: ca-bundle.p12
        password: ""
    namespaceSelector:
      matchLabels:
        trust-manager/ca-bundle: enabled
    secret:
      key: ca-bundle.pem

And on a FIPS-enabled system, Java cannot load the ca-bundle.p12 certificate:

java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndRC2_40
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)

trust-manager should have an option to change the PKCS12 algorithm (not sure if I'm using the right words here to describe things) to a certificate format compatible with FIPS.

@erikgb
Copy link
Contributor

erikgb commented Oct 17, 2024

@jstaf, thanks for your interest in trust-manager and for opening this issue! 👋 trust-manager uses go-pkcs12 to encode PKCS#12 truststores, and we have discussed making the encoding configurable already. Do you think any of the provided encoders can support your FIPS requirement?

The relevant code is here:

func (e pkcs12Encoder) Encode(trustBundle *util.CertPool) ([]byte, error) {
var entries []pkcs12.TrustStoreEntry
for _, c := range trustBundle.Certificates() {
entries = append(entries, pkcs12.TrustStoreEntry{
Cert: c,
FriendlyName: certAlias(c.Raw, c.Subject.String()),
})
}
encoder := pkcs12.LegacyRC2
if e.password == "" {
encoder = pkcs12.Passwordless
}
return encoder.EncodeTrustStoreEntries(entries, e.password)
}
Do you want to submit a PR making the encoder configurable?

@inteon
Copy link
Member

inteon commented Oct 18, 2024

We support multiple PKCS12 encodings in cert-manager, we could also introduce it in trust-manager: https://github.com/cert-manager/cert-manager/blob/e1a1ea959aa23ed72d9d7614b34d58ef420ad1d2/pkg/apis/certmanager/v1/types_certificate.go#L521

@SgtCoDFish
Copy link
Member

I agree with @inteon and @erikgb - I think the Modern encoder might do the trick here, but I don't have an environment to be able ot test.

@jstaf - are you able to share some details of how you set up your Java env for this? Or a link to docs or something? At the moment, it would be tricky for us to test a fix for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants