Venafi / vcert

Go client SDK and command line utility designed to simplify integrations by automating key generation and certificate enrollment using Venafi machine identity services.
https://support.venafi.com/hc/en-us/articles/217991528
Apache License 2.0

Use PBES2 with PBKDF2 and AES-256-CBC for PKCS#12 keystores #412

Closed tr1ck3r closed 10 months ago

tr1ck3r commented 10 months ago

Update password-based encryption algorithms for PKCS#12 keystores to a modern level. Should be compatible with OpenSSL 1.1.1 and higher, Java 12 and higher, and Windows Server 2019 and higher. (See https://github.com/SSLMate/go-pkcs12/blob/master/pkcs12.go#L139-L165)

tr1ck3r commented 10 months ago

I've added a new --format legacy-pkcs12 option that retains the ability to generate PKCS#12 keystores using the weak algorithms. This is consistent with the approach that was previously taken with PEM (i.e., --format pem for current/strong; --format legacy-pem for legacy/weak).
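
To audit which kind of keystore a given file is, the following added example (not part of this PR or of vcert) scans the DER bytes of a PKCS#12 file for the OIDs of PBES2 and of two legacy PKCS#12 PBE schemes. It is a heuristic byte search rather than a full PFX parse; `Classify`, `sample` and the choice of which legacy OIDs to list are assumptions of this example, and the inputs in `main` are constructed.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
)

type scheme struct {
	name   string
	oid    asn1.ObjectIdentifier
	legacy bool
}

// Password-based encryption OIDs from PKCS#5 (RFC 8018) and PKCS#12 (RFC 7292).
var schemes = []scheme{
	{"PBES2", asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}, false},
	{"pbeWithSHAAnd3-KeyTripleDES-CBC", asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 3}, true},
	{"pbeWithSHAAnd40BitRC2-CBC", asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 6}, true},
}

// Classify searches der for the encoded OIDs above. It returns "legacy" if any
// PKCS#12 PBE scheme is present (even alongside PBES2), "modern" if only
// PBES2 is present, and "none" if no listed scheme was found.
func Classify(der []byte) (string, []string) {
	verdict, found := "none", []string(nil)
	for _, s := range schemes {
		enc, err := asn1.Marshal(s.oid) // tag 0x06, length, OID body
		if err != nil || !bytes.Contains(der, enc) {
			continue
		}
		found = append(found, s.name)
		if s.legacy {
			verdict = "legacy"
		} else if verdict == "none" {
			verdict = "modern"
		}
	}
	return verdict, found
}

// sample builds constructed input: a DER SEQUENCE of the given OIDs, standing
// in for the AlgorithmIdentifiers inside a real keystore.
func sample(oids ...asn1.ObjectIdentifier) []byte {
	der, _ := asn1.Marshal(oids)
	return der
}

func main() {
	fmt.Println(Classify(sample(schemes[0].oid)))
	fmt.Println(Classify(sample(schemes[1].oid, schemes[2].oid)))
}
```

For a real file, pass the result of `os.ReadFile` on the `.p12` to `Classify`; a "none" verdict means no listed scheme was found, not that the file is safe.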