
Support triple DES certificate encryption #35

Status: Closed

Marc-Pons wants to merge 1 commit into SSLMate:master from Marc-Pons:desCertOpt


Conversation


@Marc-Pons Marc-Pons commented Jun 21, 2022

Add support to encrypt P12 certificates with triple DES. Pretty much equivalent to the "-descert" flag of openssl.

I require this functionality because openssl 3 throws an error when trying to parse P12 files that use the RC2 algorithm when the "-legacy" flag is not specified.
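As an added example (not code from this PR or from the go-pkcs12 project), the openssl-level version of what this comment describes: export a PKCS#12 file with the certificate bag encrypted under 3DES via `-descert`, then report which PBE scheme protects the certificate bag and confirm the file parses without `-legacy`. It assumes `openssl` is on PATH; the key, certificate and password are constructed throwaway values.

```shell
#!/bin/sh
# Added example, not part of the PR or of go-pkcs12: reproduce the OpenSSL-level
# behaviour the comment describes. Assumes `openssl` is on PATH; the key,
# certificate and password below are constructed throwaway values.
set -eu

command -v openssl >/dev/null 2>&1 || { echo 'openssl not on PATH, nothing to show' >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12_PASS='constructed-example-password'

# Throwaway self-signed identity to package (constructed test material).
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=p12-example' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Export a PKCS#12 file; extra arguments are passed to `openssl pkcs12 -export`.
# With -descert the certificate bag is encrypted with PBE-SHA1-3DES instead of
# the 40-bit RC2 scheme that older OpenSSL releases used by default.
export_p12() {            # $1 = output file, $2.. = extra flags (e.g. -descert)
    out="$1"; shift
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -out "$out" -passout "pass:$P12_PASS" ${1+"$@"}
}

# Print the PBE scheme protecting the certificate (encrypted PKCS7) bag.
# `openssl pkcs12 -info` writes its summary to stderr, so both streams are read.
p12_cert_pbe() {          # $1 = PKCS#12 file
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$P12_PASS" 2>&1 \
        | sed -n 's/^PKCS7 Encrypted data: \([^,]*\).*/\1/p' | head -n 1
}

# Succeeds only if the file parses with a plain invocation, i.e. without the
# `-legacy` flag (legacy provider) that OpenSSL 3 needs for RC2-encrypted files.
parses_without_legacy() { # $1 = PKCS#12 file
    openssl pkcs12 -in "$1" -nodes -passin "pass:$P12_PASS" >/dev/null 2>&1
}

make_test_identity
export_p12 "$WORK/default.p12"
export_p12 "$WORK/des.p12" -descert
echo "default export cert bag PBE : $(p12_cert_pbe "$WORK/default.p12")"
echo "-descert export cert bag PBE: $(p12_cert_pbe "$WORK/des.p12")"
if parses_without_legacy "$WORK/des.p12"; then
    echo "-descert file parses without -legacy"
fi
```

The default-export line shows RC2-40 on OpenSSL 1.1 and PBES2/AES on OpenSSL 3, which is exactly the gap the `-descert` file bridges.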

Marc-Pons (Author) commented

Hi @AGWA, is there any chance this PR could be reviewed? Thank you!

AGWA (Member) commented Jul 5, 2022

I would rather not add support for a legacy algorithm. If the concern is OpenSSL 3 compatibility as indicated in #36, then presumably AES-256 support would address your use case?

Marc-Pons (Author) commented Jul 8, 2022

Hi @AGWA, thanks for taking the time to reply. Actually I picked 3DES because it was already supported in the library; I just wanted to offer the possibility to encrypt P12 certs with it instead of RC2. However, I'm afraid that AES is not as fully supported on old devices as 3DES is, so unfortunately AES is not an option in my case.

pschou commented Sep 15, 2022

I'd recommend a different method; see #39, as passing in a config struct would allow different options to be set as desired. A default state is provided to build from.

With regards to pkcs12 needing multiple options: we have Red Hat 8 boxes which come with FIPS enabled by default. As the group needs to remain PCI compliant (credit card verification), files must be either AES or 3DES to not get flagged by the scanners.

So, disabling FIPS is not an option, and some apps have limited to no support for AES-encoded pkcs12 files. It's like being between a rock and a hard place. We have found 3DES makes everyone happy (for now).

Thank you for your consideration and time in making this module awesome 👍

AGWA added a commit that referenced this pull request Jul 14, 2023
Instead of calling pkcs12.Encode, call the Encode method of an Encoder.
(Likewise for EncodeTrustStore and EncodeTrustStoreEntries.)

The following Encoders are available:

* Legacy, for the current behavior.

* LegacyDESCerts, to use 3DES for encrypting certificates (Closes #36, Closes #35).

* Passwordless, to create password-less trust stores like Java 18 (Closes #10).

* Openssl3, to match OpenSSL's modern algorithm choices (Closes #47).

* Modern, to always use the most modern choices.

AGWA added the feature label Jul 15, 2023
AGWA (Member) commented Jul 15, 2023

Closing in favor of #48

AGWA closed this Jul 15, 2023