Add option for PKCS#12 algorithm

[jstaf]

trust-manager's .p12 certificates cannot be loaded on systems that enforce FIPS. Example CA bundle:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: ca-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    additionalFormats:
      pkcs12:
        key: ca-bundle.p12
        password: ""
    namespaceSelector:
      matchLabels:
        trust-manager/ca-bundle: enabled
    secret:
      key: ca-bundle.pem

And on a FIPS-enabled system, Java cannot load the ca-bundle.p12 certificate:

java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndRC2_40
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)

trust-manager should have an option to change the PKCS12 algorithm (not sure if I'm using the right words here to describe things) to a certificate format compatible with FIPS.

[erikgb]

@jstaf, thanks for your interest in trust-manager and for opening this issue! 👋 trust-manager uses go-pkcs12 to encode PKCS#12 truststores, and we have discussed making the encoding configurable already. Do you think any of the provided encoders can support your FIPS requirement?

The relevant code is here:

trust-manager/pkg/bundle/internal/truststore/types.go

Lines 92 to 108 in 6fb237b

	func (e pkcs12Encoder) Encode(trustBundle *util.CertPool) ([]byte, error) {
	var entries []pkcs12.TrustStoreEntry
	for _, c := range trustBundle.Certificates() {
	entries = append(entries, pkcs12.TrustStoreEntry{
	Cert: c,
	FriendlyName: certAlias(c.Raw, c.Subject.String()),
	})
	}
	encoder := pkcs12.LegacyRC2
	if e.password == "" {
	encoder = pkcs12.Passwordless
	}
	return encoder.EncodeTrustStoreEntries(entries, e.password)
	}

Do you want to submit a PR making the encoder configurable?

[inteon]

We support multiple PKCS12 encodings in cert-manager, we could also introduce it in trust-manager: https://github.com/cert-manager/cert-manager/blob/e1a1ea959aa23ed72d9d7614b34d58ef420ad1d2/pkg/apis/certmanager/v1/types_certificate.go#L521

[SgtCoDFish]

I agree with @inteon and @erikgb - I think the Modern encoder might do the trick here, but I don't have an environment to be able ot test.

@jstaf - are you able to share some details of how you set up your Java env for this? Or a link to docs or something? At the moment, it would be tricky for us to test a fix for this.

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[arsenalzp]

As a new request has been arisen in the issue #528, can we consider implement ciphers choosing capability in trust-manager?

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[SgtCoDFish]

/remove-lifecycle rotten

As a new request has been arisen in the issue #528, can we consider implement ciphers choosing capability in trust-manager?

I think #528 is very different to this. Focusing specifically on this issue, I'd accept a PR which allowed users to choose formats for their PKCS#12 certs, similar to cert-manager. I still think that would solve this issue. I'll reply on #528 too.

[arsenalzp]

/remove-lifecycle rotten

As a new request has been arisen in the issue #528, can we consider implement ciphers choosing capability in trust-manager?

I think #528 is very different to this. Focusing specifically on this issue, I'd accept a PR which allowed users to choose formats for their PKCS#12 certs, similar to cert-manager. I still think that would solve this issue. I'll reply on #528 too.

Yes, I already figured with out with the requestor that issue #528 is for adding minimum TLS version and cipher suites parameters. I'm already working on it.
Once corresponding PR is accepted I can work on this particular issue.

[erikgb]

/good-first-issue

[cert-manager-prow]

@erikgb:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

Details

In response to this:

/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.