Rewrite test certificates using more modern algorithms #661

Merged
merged 1 commit into from Dec 30, 2022

panicgh (Contributor) commented Dec 11, 2022

I tried to read the test certificate with openssl 3.0.7, which initially failed. I'm not an expert in openssl and pkcs12, but I think this solves the issue. Please review and run the unit tests.

Description

The test.p12 file uses the RC2-CBC and 3DES-CBC algorithms, which are quite dated and require the `-legacy` option in openssl to read them.

```console
$ openssl pkcs12 -in test.p12 -info -noout -legacy -passin pass:test
MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
```

Rewrite the test.p12 file with a current openssl (via p12 -> pem -> p12 conversion) to use more modern algorithms which do not require legacy mode. Rewrite test.pem with a new export of test.p12.

```console
$ openssl pkcs12 -in test.p12 -info -noout -passin pass:test
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
```

@panicgh panicgh marked this pull request as draft December 18, 2022 13:10
@panicgh panicgh changed the base branch from master to develop December 18, 2022 13:14
@panicgh panicgh marked this pull request as ready for review December 18, 2022 13:14
@nmoinvaz nmoinvaz merged commit 0273af4 into zlib-ng:develop Dec 30, 2022
nmoinvaz (Member) commented Jan 9, 2023

This PR appears to have caused the macOS command `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain` to not return. It causes CI to eventually time out.

@panicgh panicgh deleted the pkcs12-cert branch January 21, 2023 13:13
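
A check that could keep the rewritten file from regressing, as an added example (not part of this PR or the project): it reads the `openssl pkcs12 -info -noout` summary and flags anything that differs from the PBES2 / SHA-256 profile shown in the second listing of the description. The function name `audit_p12_info` and the `MIN_ITER` threshold are assumptions chosen for illustration; the two sample inputs are the summaries quoted in the description.

```shell
#!/bin/sh
# Added example, not project code. MIN_ITER is an assumed threshold:
# 2048 is the iteration count the rewritten test.p12 reports.
MIN_ITER=${MIN_ITER:-2048}

# Reads `openssl pkcs12 -info -noout` text on stdin, prints one verdict per
# relevant line, and returns 1 if anything differs from the PBES2 profile.
# Usage: openssl pkcs12 -in test.p12 -info -noout -passin pass:test 2>&1 | audit_p12_info
audit_p12_info() {
    awk -v min="$MIN_ITER" '
    BEGIN { bad = 0 }
    /^MAC: / {                          # e.g. "MAC: sha1, Iteration 1"
        digest = $2; sub(/,$/, "", digest)
        iter = $NF + 0; ok = 1
        if (digest == "sha1") { print "FLAG mac-digest " digest; ok = 0 }
        if (iter < min)       { print "FLAG mac-iterations " iter; ok = 0 }
        if (ok) { print "OK mac " digest " " iter } else { bad = 1 }
        next
    }
    /^(PKCS7 Encrypted data|Shrouded Keybag): / {
        label = ($1 == "Shrouded") ? "shrouded-keybag" : "encrypted-data"
        scheme = $0
        sub(/^[^:]*: /, "", scheme)     # drop the "<bag type>: " prefix
        sub(/,.*/, "", scheme)          # keep only the first field (the scheme)
        if (scheme == "PBES2") { print "OK " label " " scheme }
        else { print "FLAG " label " " scheme; bad = 1 }
    }
    END { exit bad }
    '
}

# Summaries copied from the PR description: before and after the rewrite.
OLD_INFO='MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
NEW_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

printf '%s\n' "$OLD_INFO" | audit_p12_info || echo "old file: differs from profile"
printf '%s\n' "$NEW_INFO" | audit_p12_info && echo "new file: matches profile"
```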