switch to AES-256-CBC by default for encrypted serialization of PKCS12 #7178

Closed
wants to merge 2 commits into from

reaperhulk
Member

Add fallback LegacyPKCS12TripleDESEncryption for compatibility with The Past(tm)

fixes #7043

Add fallback LegacyPKCS12TripleDESEncryption for compatibility with
The Past(tm)
alex
alex previously approved these changes May 2, 2022
@alex alex enabled auto-merge (squash) May 2, 2022 18:20
@alex alex disabled auto-merge May 2, 2022 18:20
@alex alex enabled auto-merge (squash) May 2, 2022 18:21
@reaperhulk
Member Author

Looks like boringssl needs to implement the weird NID mapping to PBES2 choice that OpenSSL added if we want to support this. See: https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/pkcs8/pkcs8.c#492

@davidben is there another way to use PBES2 + AES-256-CBC?

@davidben
Contributor

davidben commented May 3, 2022

It's been a while since I'd looked at this, so I don't remember the details (and am currently sick so limited time to dig into it). I think that TODO was about switching the KDF from hmacWithSHA1. Looks like you all are looking to do something about the encryption part?

But anyway, I probably only implemented the subset that anyone (you all, I imagine :-) ) were using at the time, because it was simplest, not so much because we didn't want that mechanism. If you need that feature, happy to take a patch for it.

@reaperhulk reaperhulk closed this Aug 23, 2022
auto-merge was automatically disabled August 23, 2022 05:17

Pull request was closed

@reaperhulk reaperhulk deleted the pkcs12-serialization branch September 5, 2022 21:35
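
An added example, not code from this pull request or from either project: a password-free audit of which encryption scheme a PKCS#12 blob names, distinguishing the legacy TripleDES PBE from the PBES2 + AES-256-CBC discussed above. The function names and sample byte strings are hypothetical and constructed for illustration; the scan is a heuristic that relies on the algorithm identifiers being stored unencrypted in the container.

```python
# Added example: heuristic check of the PBE algorithms named in a PKCS#12 blob.
# It searches for DER-encoded OIDs; it does not parse or decrypt the file.
OIDS = {
    "pbeWithSHAAnd3-KeyTripleDES-CBC": "1.2.840.113549.1.12.1.3",
    "PBES2": "1.2.840.113549.1.5.13",
    "aes256-CBC": "2.16.840.1.101.3.4.1.42",
    "hmacWithSHA256": "1.2.840.113549.2.9",
}

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # last byte: high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # earlier bytes: high bit set
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)

def audit_pkcs12(blob: bytes) -> dict:
    """Report which schemes the blob names (heuristic, whole-file view)."""
    found = {name for name, oid in OIDS.items() if encode_oid(oid) in blob}
    prf = None
    if "PBES2" in found:
        # PBKDF2-params declares prf DEFAULT hmacWithSHA1, and DER omits
        # default values, so a missing PRF OID means hmacWithSHA1.
        prf = "hmacWithSHA256" if "hmacWithSHA256" in found else "hmacWithSHA1"
    return {
        "legacy_3des": "pbeWithSHAAnd3-KeyTripleDES-CBC" in found,
        "pbes2_aes256_cbc": {"PBES2", "aes256-CBC"} <= found,
        "pbkdf2_prf": prf,
    }

# Constructed samples: OIDs embedded in filler bytes, not real PKCS#12 files.
PAD = b"\x30\x0e\x04\x08" + bytes(8)
SAMPLE_LEGACY = PAD + encode_oid(OIDS["pbeWithSHAAnd3-KeyTripleDES-CBC"]) + PAD
SAMPLE_MODERN = (PAD + encode_oid(OIDS["PBES2"]) + encode_oid(OIDS["hmacWithSHA256"])
                 + encode_oid(OIDS["aes256-CBC"]) + PAD)
SAMPLE_DEFAULT_PRF = PAD + encode_oid(OIDS["PBES2"]) + encode_oid(OIDS["aes256-CBC"])

if __name__ == "__main__":
    for label, blob in [("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN)]:
        print(label, audit_pkcs12(blob))
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `audit_pkcs12`; a file mixing schemes across bags will report every scheme it names.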
Development

Successfully merging this pull request may close these issues.

AES256 support for PKCS#12
3 participants