Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PKCS12 certificates cannot be used in FIPS environments #457

Open
jstaf opened this issue Oct 17, 2024 · 8 comments
Open

PKCS12 certificates cannot be used in FIPS environments #457

jstaf opened this issue Oct 17, 2024 · 8 comments

Comments

@jstaf
Copy link

jstaf commented Oct 17, 2024

trust-manager's .p12 certificates cannot be loaded on systems that enforce FIPS. Example CA bundle:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: ca-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    additionalFormats:
      pkcs12:
        key: ca-bundle.p12
        password: ""
    namespaceSelector:
      matchLabels:
        trust-manager/ca-bundle: enabled
    secret:
      key: ca-bundle.pem

And on a FIPS-enabled system, Java cannot load the ca-bundle.p12 certificate:

java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndRC2_40
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)

trust-manager should have an option to change the PKCS12 algorithm (not sure if I'm using the right words here to describe things) to a certificate format compatible with FIPS.
@erikgb
Copy link
Contributor

erikgb commented Oct 17, 2024
edited
Loading

@jstaf, thanks for your interest in trust-manager and for opening this issue! 👋 trust-manager uses go-pkcs12 to encode PKCS#12 truststores, and we have discussed making the encoding configurable already. Do you think any of the provided encoders can support your FIPS requirement?

The relevant code is here:

trust-manager/pkg/bundle/internal/truststore/types.go

Lines 92 to 108 in 6fb237b

func (e pkcs12Encoder) Encode(trustBundle *util.CertPool) ([]byte, error) {
var entries []pkcs12.TrustStoreEntry
for _, c := range trustBundle.Certificates() {
entries = append(entries, pkcs12.TrustStoreEntry{
Cert: c,
FriendlyName: certAlias(c.Raw, c.Subject.String()),
})
}
encoder := pkcs12.LegacyRC2
if e.password == "" {
encoder = pkcs12.Passwordless
}
return encoder.EncodeTrustStoreEntries(entries, e.password)
}
Do you want to submit a PR making the encoder configurable?

@inteon
Copy link
Member

inteon commented Oct 18, 2024

We support multiple PKCS12 encodings in cert-manager, we could also introduce it in trust-manager: https://github.com/cert-manager/cert-manager/blob/e1a1ea959aa23ed72d9d7614b34d58ef420ad1d2/pkg/apis/certmanager/v1/types_certificate.go#L521

@SgtCoDFish
Copy link
Member

I agree with @inteon and @erikgb - I think the Modern encoder might do the trick here, but I don't have an environment to be able ot test.

@jstaf - are you able to share some details of how you set up your Java env for this? Or a link to docs or something? At the moment, it would be tricky for us to test a fix for this.

@cert-manager-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 16, 2025
@arsenalzp
Copy link
Contributor

arsenalzp commented Jan 19, 2025
edited
Loading

As a new request has been arisen in the issue #528, can we consider implement ciphers choosing capability in trust-manager?

@cert-manager-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

@cert-manager-prow cert-manager-prow bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 18, 2025
@SgtCoDFish
Copy link
Member

/remove-lifecycle rotten

As a new request has been arisen in the issue #528, can we consider implement ciphers choosing capability in trust-manager?

I think #528 is very different to this. Focusing specifically on this issue, I'd accept a PR which allowed users to choose formats for their PKCS#12 certs, similar to cert-manager. I still think that would solve this issue. I'll reply on #528 too.

@cert-manager-prow cert-manager-prow bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Feb 24, 2025
@arsenalzp
Copy link
Contributor

/remove-lifecycle rotten

As a new request has been arisen in the issue #528, can we consider implement ciphers choosing capability in trust-manager?

I think #528 is very different to this. Focusing specifically on this issue, I'd accept a PR which allowed users to choose formats for their PKCS#12 certs, similar to cert-manager. I still think that would solve this issue. I'll reply on #528 too.

Yes, I already figured with out with the requestor that issue #528 is for adding minimum TLS version and cipher suites parameters. I'm already working on it.
Once corresponding PR is accepted I can work on this particular issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@erikgb @SgtCoDFish @jstaf @inteon @arsenalzp @cert-manager-bot