cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

PKCS12 certificates cannot be used in FIPS environments #457

Open jstaf opened 1 week ago

jstaf commented 1 week ago

trust-manager's .p12 certificates cannot be loaded on systems that enforce FIPS. Example CA bundle:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: ca-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    additionalFormats:
      pkcs12:
        key: ca-bundle.p12
        password: ""
    namespaceSelector:
      matchLabels:
        trust-manager/ca-bundle: enabled
    secret:
      key: ca-bundle.pem

And on a FIPS-enabled system, Java cannot load the ca-bundle.p12 certificate:

java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndRC2_40
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)

trust-manager should have an option to change the PKCS12 algorithm (not sure if I'm using the right words here to describe things) to a certificate format compatible with FIPS.

erikgb commented 1 week ago

@jstaf, thanks for your interest in trust-manager and for opening this issue! 👋 trust-manager uses go-pkcs12 to encode PKCS#12 truststores, and we have discussed making the encoding configurable already. Do you think any of the provided encoders can support your FIPS requirement?

The relevant code is here: https://github.com/cert-manager/trust-manager/blob/6fb237bf546640d58d294ab99cbb862932d1a1e5/pkg/bundle/internal/truststore/types.go#L92-L108
Do you want to submit a PR making the encoder configurable?

inteon commented 1 week ago

We support multiple PKCS12 encodings in cert-manager, we could also introduce it in trust-manager: https://github.com/cert-manager/cert-manager/blob/e1a1ea959aa23ed72d9d7614b34d58ef420ad1d2/pkg/apis/certmanager/v1/types_certificate.go#L521

SgtCoDFish commented 1 week ago

I agree with @inteon and @erikgb - I think the Modern encoder might do the trick here, but I don't have an environment to be able to test.

@jstaf - are you able to share some details of how you set up your Java env for this? Or a link to docs or something? At the moment, it would be tricky for us to test a fix for this.
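Added example, not code from trust-manager or go-pkcs12: a stand-alone Go check an operator can run over a generated ca-bundle.p12 before it reaches FIPS-restricted hosts, which is the kind of verification the thread says is hard to do without a FIPS Java environment. It walks the DER and reports whether any AlgorithmIdentifier comes from the PKCS#12 PBE family (the scheme behind the PBEWithSHA1AndRC2_40 error above) as opposed to PBES2, which the AES-based Modern encoding uses. The sample PFX is constructed in code with placeholder ciphertext, and hasAlgorithm, tlv and samplePFX are names chosen here.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
)

// hasAlgorithm reports whether an AlgorithmIdentifier (a SEQUENCE headed by an OID) under prefix appears
// anywhere in der; it descends into constructed values and OCTET STRING payloads (PKCS#12 nests the
// AuthenticatedSafe inside one), and non-DER bytes such as ciphertext or salt simply end a branch.
func hasAlgorithm(der []byte, prefix asn1.ObjectIdentifier) bool {
	for len(der) > 0 {
		var rv asn1.RawValue
		rest, err := asn1.Unmarshal(der, &rv)
		if err != nil {
			return false
		}
		var oid asn1.ObjectIdentifier
		if rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagSequence {
			if _, err := asn1.Unmarshal(rv.Bytes, &oid); err == nil && len(oid) >= len(prefix) && oid[:len(prefix)].Equal(prefix) {
				return true
			}
		}
		if (rv.IsCompound || rv.Class == asn1.ClassUniversal && rv.Tag == asn1.TagOctetString) && hasAlgorithm(rv.Bytes, prefix) {
			return true
		}
		der = rest
	}
	return false
}
// The PKCS#12 PBE family (RFC 7292; arc .6 is pbeWithSHAAnd40BitRC2-CBC, Java's PBEWithSHA1AndRC2_40) and PBES2 (RFC 8018).
var oidPKCS12PBE, oidPBES2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1}, asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
var oidSHA1RC2_40 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 12, 1, 6}
// tlv and samplePFX build a constructed, minimal PFX (version 3, no MacData) holding one EncryptedData under pbeOID;
// the ciphertext and PBE parameters are schematic placeholders, not output of any real encoder.
func tlv(tag byte, body ...[]byte) []byte { // short-form length only: the sample stays under 128 bytes
	b := bytes.Join(body, nil)
	return append([]byte{tag, byte(len(b))}, b...)
}
func samplePFX(pbeOID asn1.ObjectIdentifier) []byte {
	oid := func(o ...int) []byte { b, _ := asn1.Marshal(asn1.ObjectIdentifier(o)); return b }
	params := tlv(0x30, tlv(0x04, []byte("saltsalt")), tlv(0x02, []byte{0x08, 0x00})) // salt, 2048 iterations
	encContent := tlv(0x30, oid(1, 2, 840, 113549, 1, 7, 1), tlv(0x30, oid(pbeOID...), params), tlv(0x80, []byte{0xde, 0xad}))
	encData := tlv(0x30, oid(1, 2, 840, 113549, 1, 7, 6), tlv(0xA0, tlv(0x30, tlv(0x02, []byte{0}), encContent)))
	return tlv(0x30, tlv(0x02, []byte{3}), tlv(0x30, oid(1, 2, 840, 113549, 1, 7, 1), tlv(0xA0, tlv(0x04, tlv(0x30, encData)))))
}
func main() {
	p12 := samplePFX(oidSHA1RC2_40) // what the legacy encoding yields; pass oidPBES2 instead for a clean result
	fmt.Println("PKCS#12 PBE family present (rejected by a FIPS-restricted JDK):", hasAlgorithm(p12, oidPKCS12PBE))
}
```

To check a real bundle, read the Secret's ca-bundle.p12 bytes into p12 instead of calling samplePFX; a true result means the file is encoded the way the stack trace above rejects.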