Support Secure (non-legacy) OpenSSL v3 PKCS12 Algorithms

[zamnuts]

Is your feature request related to a problem? Please describe.

Services that use openssl v3 and don't support the "legacy" flag cannot use PKCS12 keystores created by cert-manager.

cert-manager has the ability to create a PKCS12 keystore. cert-manager encrypts the PKCS7 key with RC2-40-CBC and a SHA1 MAC (pbeWithSHA1And40BitRC2-CBC). This is dictated by the hardcoded algorithm used in the go-pkcs12 dependency.

In openssl version 3, the RC2 algorithm is now considered "legacy" and AES 256-bit or greater with SHA-256 should be used instead.

Here's an example of a keystore generated by cert-manager:

$ openssl pkcs12 -in keystore.p12 -info
Enter Import Password:
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
...

Describe the solution you'd like
Allow configuration of the algorithms for encryption and MAC so that AES-256-CBC with SHA-256 can be used for newer services, while allowing RC2-40-CBC with SHA1 for backwards compatibility.

Describe alternatives you've considered
Current workaround is to downgrade the services that use openssl v3 to when they supported openssl v1, however this means those services can no longer be patched/upgraded!

Additional context
cert-manager's pkcs12 implementation currently does not allow specifying an algorithm because the upstream (go-pkcs12) is hard-coded to use RC2-40-CBC, per the software.sslmate.com/src/go-pkcs12 docs:

EncodeTrustStore creates a single SafeContents that's encrypted with RC2 and contains the certificates.

There's a PR open against sslmate's go-pkcs12 module that adds support for picking other algos that would satisfy this feature request, if only it would be merged: SSLMate/go-pkcs12#39.

Environment details (remove if not applicable):

• Kubernetes version: 1.25.8
• Cloud-provider/provisioner: nocloud
• cert-manager version: 1.11.1
• Install method: helm

/kind feature

[VxDlH]

Hi,

Thx @zamnuts for this issue.

If possible I would like to specify the following parameters when creating the keystore:

-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256

With these parameters the output should look like

$ openssl pkcs12 -in keystore.p12 -info
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    localKeyID: 9D C7 7A AE DC B7 DD 9F A6 1D BD D3 C2 50 49 72 14 20 92 40 

Best regards

[zamnuts]

Workaround is possible using an init container to re-encrypt the pkcs12 file. caveat: you must restart the pod once the certificate changes (using stakater/Reloader helps)

• use an emptydir to store the re-encrypted p12, this will be mounted to the main container instead of the cert-manager p12 file
• use an init container with openssl v3 installed (this one installs openssl on the fly, warning: not a good idea)
• ensure the init container knows the pkc12 encryption password that is used by cert manager

...
      initContainers:
        - name: pkcs12-reencrypt
          image: ubuntu:22.04
          command:
            - /bin/sh
            - -c
          args:
            - apt update && apt install openssl -y &&
              openssl pkcs12 -legacy -in /certs/keystore.p12 -passin file:/pkcs12-password/password -noenc -out /tmp/temp.pem &&
              openssl pkcs12 -export -out /p12/keystore.p12 -passout file:/pkcs12-password/password -in /tmp/temp.pem &&
              rm -f /tmp/temp.pem
          volumeMounts:
            - name: certs
              mountPath: /certs
              readOnly: true
            - name: p12
              mountPath: /p12
              readOnly: false
            - name: pkcs12-password
              mountPath: /pkcs12-password
              readOnly: true
      containers:
        - name: foo
          image: bar:latest
          volumeMounts:
            - name: p12
              mountPath: /certs
              readOnly: true
            - name: pkcs12-password
              mountPath: /pkcs12-password
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: cert-manager-signed-cert-with-key
        - name: pkcs12-password
          secret:
            secretName: cert-manager-pkcs12-password
        - name: p12
          emptyDir: {}

openssl v3 uses a secure encryption cipher by default, i.e. the result is:

root@pkcs12-test-66cc566f6d-rc4k6:/# openssl pkcs12 -in /certs/keystore.p12 -passin file:/pkcs12-password/password -info -noenc
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

[Tookmund]

The initial implementation in SSLMate/go-pkcs12#39 does not fully support the new default used by OpenSSL v3, as it does not support encoding in PBES2.
I've enhanced this PR in SSLMate/go-pkcs12#47 to fully support encoding in the new format.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[VxDlH]

/remove-lifecycle stale

[zagr0]

It's finally released
SSLMate/go-pkcs12#48 (comment)

[DmytroShalaiev]

So go-pkcs ready, what about the current issue?