Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

Default openssl pkcs12 does not work with provider certificate auth #151

Open hawksight opened 1 month ago

hawksight commented 1 month ago

PROBLEM SUMMARY

When using a p12 certificate bundle generated using openssl with pretty much default values, the provider for Venafi fails with:

```text
Failed to build config for Venafi issuer: failed converting PKCS#12 archive file to PEM blocks: pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1
```

STEPS TO REPRODUCE

1. Generate CSR and get a cert back from your CA:

   ```shell
   openssl req -newkey rsa:4096 -addext "extendedKeyUsage = clientAuth" -keyout certs/automation-gc.key -out certs/automation-gc.csr
   ```

2. Create a pkcs12 from the cert + key + CAs required for your environment.

   ```shell
   openssl pkcs12 -export -inkey certs/automation-gc.key -in certs/automation-gc.crt -certfile certs/cas.crt -out certs/automation-gc.p12
   ```

3. Configure the Terraform Venafi provider to use that .p12

   ```hcl
   provider "venafi" {
     url               = var.venafi_url
     p12_cert_filename = "/Users/peter.fiddes/temp/terraform-jwt-tpp/certs/automation-gc.p12"
     p12_cert_password = "example"
     client_id         = var.venafi_client_id
   }
   ```

4. Run a plan such as: `TF_LOG=debug tf plan -out plan`

EXPECTED RESULTS

That the plan works to exchange the cert for an access token and complete the required resource planning.

ACTUAL RESULTS

```text
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 1, in provider "venafi":
│    1: provider "venafi" {
│
│ Failed to build config for Venafi issuer: failed converting PKCS#12 archive file to PEM blocks: pkcs12: unknown digest algorithm:
│ 2.16.840.1.101.3.4.2.1
╵
```

Screenshot in debug mode:


ENVIRONMENT DETAILS

```text
Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.7.0
+ provider registry.terraform.io/venafi/venafi v0.21.1

Your version of Terraform is out of date! The latest version
is 1.9.8. You can update by downloading from https://www.terraform.io/downloads.html
```

COMMENTS/WORKAROUNDS

I found that if I did another p12 conversion from the same CA, key and PEM cert files, but this time using `-legacy`, the generated file did work:

```shell
# Recreate the pkcs12 with legacy option - changes algorithm
openssl pkcs12 -export -inkey certs/automation-gc.key -in certs/automation-gc.crt -certfile certs/cas.crt -out certs/automation-gc-legacy.p12 -legacy
```

When running plan with this, it does seem to work with the p12, but leads me to another issue / error:

```hcl
provider "venafi" {
  url               = var.venafi_url
  # Use Legacy
  p12_cert_filename = "./certs/automation-gc-legacy.p12"
  p12_cert_password = "example"
  client_id         = var.venafi_client_id
}
```

Plan output:

```text
2024-10-29T11:43:33.220Z [INFO]  provider.terraform-provider-venafi_v0.21.1: Setting up TLS Configuration: @module=venafi tf_provider_addr=registry.terraform.io/Venafi/venafi tf_req_id=d9cd46c9-2189-7293-69cd-fcb0778e096e tf_rpc=Configure @caller=/jenkins/workspace/VCert/terraform-provider-venafi/venafi/provider.go:388 timestamp=2024-10-29T11:43:33.220Z
2024-10-29T11:43:33.357Z [INFO]  provider.terraform-provider-venafi_v0.21.1: vCert: Got 200 OK status for GET https://demo-1.tpp.peter-fiddes-gcp.jetstacker.net/vedsdk/: timestamp=2024-10-29T11:43:33.357Z
2024-10-29T11:43:33.357Z [INFO]  provider.terraform-provider-venafi_v0.21.1: PFX certificate provided for authentication, getting access token: tf_req_id=d9cd46c9-2189-7293-69cd-fcb0778e096e tf_rpc=Configure @caller=/jenkins/workspace/VCert/terraform-provider-venafi/venafi/provider.go:446 @module=venafi tf_provider_addr=registry.terraform.io/Venafi/venafi timestamp=2024-10-29T11:43:33.357Z
2024-10-29T11:43:33.522Z [INFO]  provider.terraform-provider-venafi_v0.21.1: vCert: Got 400 Bad Request status for POST https://demo-1.tpp.peter-fiddes-gcp.jetstacker.net/vedauth/authorize/certificate: timestamp=2024-10-29T11:43:33.521Z
2024-10-29T11:43:33.522Z [ERROR] provider.terraform-provider-venafi_v0.21.1: Response contains error diagnostic: diagnostic_severity=ERROR @module=sdk.proto diagnostic_detail="Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request" tf_provider_addr=registry.terraform.io/Venafi/venafi tf_req_id=d9cd46c9-2189-7293-69cd-fcb0778e096e tf_rpc=Configure @caller=/go/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_summary="Failed to initialize Venafi client" tf_proto_version=5.4 timestamp=2024-10-29T11:43:33.522Z
2024-10-29T11:43:33.523Z [ERROR] vertex "provider[\"registry.terraform.io/venafi/venafi\"]" error: Failed to initialize Venafi client
2024-10-29T11:43:33.524Z [WARN]  Planning encountered errors, so plan is not applyable
2024-10-29T11:43:33.524Z [INFO]  backend/local: plan operation completed
2024-10-29T11:43:33.524Z [INFO]  backend/local: writing plan output to: plan

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 1, in provider "venafi":
│    1: provider "venafi" {
│
│ Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request
╵
2024-10-29T11:43:33.543Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-10-29T11:43:33.544Z [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/venafi/venafi/0.21.1/darwin_arm64/terraform-provider-venafi_v0.21.1 id=56915
2024-10-29T11:43:33.544Z [DEBUG] provider: plugin exited
```

Solution for this will be posted in a follow-up issue. Screenshot to show it is now past the pkcs12 file reading part.


We believe the issue to be here. Switching to another library may work even if the same function is deprecated there too.
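The error above names the MAC digest OID 2.16.840.1.101.3.4.2.1 (SHA-256), and the `-legacy` workaround changes that digest to SHA-1. The following added checker (not part of the provider or of this issue) reads only the outer DER structure of a `.p12` file and reports which MAC digest it carries, so a file can be vetted before Terraform is run against it; the two sample PFX blobs it builds are constructed skeletons with a dummy MAC, not real keystores.

```python
SHA1_OID = "1.3.14.3.2.26"             # MAC digest `openssl pkcs12 -export -legacy` produces
SHA256_OID = "2.16.840.1.101.3.4.2.1"  # the OID named in the issue's error message
SHA1_OID_DER = bytes.fromhex("2b0e03021a")              # DER content octets of SHA1_OID
SHA256_OID_DER = bytes.fromhex("608648016503040201")    # DER content octets of SHA256_OID

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, as in real PFX files
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):                       # OID content octets -> dotted-decimal text
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pfx_mac_digest_oid(pfx):
    """Return the digest OID from PFX.macData, or None when the file carries no MAC."""
    tag, body, _ = _read_tlv(pfx, 0)            # PFX ::= SEQUENCE { version, authSafe, macData }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; PEM input?")
    _, _, pos = _read_tlv(body, 0)              # version INTEGER (skipped)
    _, _, pos = _read_tlv(body, pos)            # authSafe ContentInfo (skipped)
    if pos >= len(body):
        return None
    _, mac_data, _ = _read_tlv(body, pos)       # MacData ::= SEQUENCE { mac DigestInfo, salt, iters }
    _, digest_info, _ = _read_tlv(mac_data, 0)  # DigestInfo ::= SEQUENCE { AlgorithmIdentifier, digest }
    _, alg_id, _ = _read_tlv(digest_info, 0)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _read_tlv(alg_id, 0)
    return _decode_oid(oid)

def legacy_compatible(pfx):                 # True when the MAC digest is SHA-1
    return pfx_mac_digest_oid(pfx) == SHA1_OID

def _der(tag, content):                     # minimal DER encoder (content < 256 bytes), sample input only
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n])
    return bytes([tag]) + length + content

def build_sample_pfx(digest_oid_der):
    """Constructed test data: a skeletal PFX with an empty authSafe and dummy MAC, not a real keystore."""
    auth_safe = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))  # id-data, no content
    alg_id = _der(0x30, _der(0x06, digest_oid_der) + _der(0x05, b""))
    digest_info = _der(0x30, alg_id + _der(0x04, b"\x00" * 20))
    mac_data = _der(0x30, digest_info + _der(0x04, b"\x00" * 8) + _der(0x02, b"\x01"))
    return _der(0x30, _der(0x02, b"\x03") + auth_safe + mac_data)
```

On a real file, `pfx_mac_digest_oid(open("certs/automation-gc.p12", "rb").read())` returns the SHA-256 OID for the default OpenSSL 3 export and the SHA-1 OID for the `-legacy` one.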