Open jstaf opened 1 week ago
trust-manager's .p12 certificates cannot be loaded on systems that enforce FIPS. Example CA bundle:
And on a FIPS-enabled system, Java cannot load the ca-bundle.p12 certificate:
trust-manager should have an option to change the PKCS12 algorithm (not sure if I'm using the right words here to describe things) to a certificate format compatible with FIPS.
@jstaf, thanks for your interest in trust-manager and for opening this issue! 👋 trust-manager uses go-pkcs12 to encode PKCS#12 truststores, and we have discussed making the encoding configurable already. Do you think any of the provided encoders can support your FIPS requirement?
The relevant code is here: https://github.com/cert-manager/trust-manager/blob/6fb237bf546640d58d294ab99cbb862932d1a1e5/pkg/bundle/internal/truststore/types.go#L92-L108
Do you want to submit a PR making the encoder configurable?
We support multiple PKCS12 encodings in cert-manager, we could also introduce it in trust-manager: https://github.com/cert-manager/cert-manager/blob/e1a1ea959aa23ed72d9d7614b34d58ef420ad1d2/pkg/apis/certmanager/v1/types_certificate.go#L521
I agree with @inteon and @erikgb - I think the Modern encoder might do the trick here, but I don't have an environment to be able to test.
@jstaf - are you able to share some details of how you set up your Java env for this? Or a link to docs or something? At the moment, it would be tricky for us to test a fix for this.
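The FIPS failure discussed in this thread comes from the algorithms a .p12 file declares, and those can be read without decrypting it: the PBE AlgorithmIdentifier on the EncryptedData and the MacData digest algorithm sit outside the encrypted payload. As an added example (not code from trust-manager or go-pkcs12), the script below walks a .p12's DER, collects the algorithm OIDs and reports whether the file uses the legacy RFC 7292 Appendix B schemes or the PBES2 family. go-pkcs12's Legacy encoder produces pbeWithSHAAnd40BitRC2-CBC with a SHA-1 MAC; its Modern encoder produces PBES2 with PBKDF2-HMAC-SHA256 and AES-256-CBC and an HMAC-SHA256 MAC, which is what the maintainers' suggestion would switch a truststore to. The two sample blobs are hand-built PKCS#12 skeletons with dummy salt, ciphertext and digest bytes, constructed only to exercise the check; the `inspect_p12` / `build_sample_pfx` names are this example's own.

```python
"""Report which PBE / MAC algorithms a PKCS#12 (.p12) file declares by walking its DER
for algorithm OIDs; the EncryptedData/MacData AlgorithmIdentifiers are in the clear."""
# OID -> (name, family): "legacy" = RFC 7292 Appendix B PBE / SHA-1 MAC, "modern" = PBES2.
ALGORITHMS = {
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", "legacy"),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", "legacy"),
    "1.3.14.3.2.26": ("sha1 (MacData digest)", "legacy"),
    "1.2.840.113549.1.5.13": ("PBES2", "modern"),
    "1.2.840.113549.1.5.12": ("PBKDF2", "modern"),
    "1.2.840.113549.2.9": ("hmacWithSHA256", "modern"),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", "modern"),
    "2.16.840.1.101.3.4.2.1": ("sha256 (MacData digest)", "modern"),
}
OID_DATA, OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"

def decode_oid(body):
    """Content octets of a DER OBJECT IDENTIFIER -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def collect_oids(data, start=0, end=None, out=None):
    """Walk DER TLVs, descending into constructed elements and into OCTET STRINGs holding
    nested DER (PKCS#12 wraps ContentInfo so). Ciphertext is [0] IMPLICIT (tag 0x80): skipped."""
    out, end, i = [] if out is None else out, len(data) if end is None else end, start
    while i < end:
        tag, i = data[i], i + 1
        if (tag & 0x1F) == 0x1F or i >= end: raise ValueError("bad tag / truncated")
        length, i = data[i], i + 1
        if length >= 0x80:  # long-form length
            n = length & 0x7F
            if n == 0 or n > 4 or i + n > end: raise ValueError("bad length")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        stop = i + length
        if stop > end: raise ValueError("truncated element")
        if tag == 0x06:
            out.append(decode_oid(data[i:stop]))
        elif tag & 0x20:
            collect_oids(data, i, stop, out)
        elif tag == 0x04:
            try:
                out.extend(collect_oids(data, i, stop, []))
            except (ValueError, IndexError):
                pass  # opaque octets (salt, digest), not nested DER
        i = stop
    return out

def inspect_p12(pfx):
    """Verdict 'legacy' / 'modern' / 'unencrypted' plus the recognised algorithm names."""
    names, families = [], set()
    for oid in collect_oids(pfx):
        if oid in ALGORITHMS and ALGORITHMS[oid][0] not in names:
            names.append(ALGORITHMS[oid][0])
            families.add(ALGORITHMS[oid][1])
    verdict = "legacy" if "legacy" in families else "modern" if "modern" in families else "unencrypted"
    return {"verdict": verdict, "algorithms": names}

# --- constructed sample .p12 skeletons (dummy salt / ciphertext / digest bytes) ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))

der_seq = lambda *parts: der(0x30, b"".join(parts))
der_int = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
DER_NULL, DER_SALT = der(0x05, b""), der(0x04, b"saltsalt")

def build_sample_pfx(pbe_alg_id, mac_digest_oid):
    """PFX { version 3, authSafe: ContentInfo wrapping one EncryptedData, macData }."""
    enc_content = der_seq(der_oid(OID_DATA), pbe_alg_id, der(0x80, b"\x99" * 32))
    encrypted_data = der_seq(der_oid(OID_ENCRYPTED_DATA), der(0xA0, der_seq(der_int(0), enc_content)))
    auth_safe = der_seq(der_oid(OID_DATA), der(0xA0, der(0x04, der_seq(encrypted_data))))
    mac = der_seq(der_seq(der_oid(mac_digest_oid), DER_NULL), der(0x04, b"\x00" * 20))
    return der_seq(der_int(3), auth_safe, der_seq(mac, DER_SALT, der_int(2048)))

# RC2-40 PBE + SHA-1 MAC: the shape go-pkcs12 documents for its Legacy encoder.
LEGACY_SAMPLE = build_sample_pfx(
    der_seq(der_oid("1.2.840.113549.1.12.1.6"), der_seq(DER_SALT, der_int(2048))), "1.3.14.3.2.26")
# PBES2 (PBKDF2-HMAC-SHA256, AES-256-CBC) + SHA-256 MAC: the shape of its Modern encoder.
KDF = der_seq(der_oid("1.2.840.113549.1.5.12"),
              der_seq(DER_SALT, der_int(2048), der_seq(der_oid("1.2.840.113549.2.9"), DER_NULL)))
CIPHER = der_seq(der_oid("2.16.840.1.101.3.4.1.42"), der(0x04, b"\x01" * 16))
MODERN_SAMPLE = build_sample_pfx(
    der_seq(der_oid("1.2.840.113549.1.5.13"), der_seq(KDF, CIPHER)), "2.16.840.1.101.3.4.2.1")
```

Run it against a real bundle with `inspect_p12(open("ca-bundle.p12", "rb").read())`. The verdict is a format check rather than a FIPS certification: it flags the RFC 7292 Appendix B schemes (RC2-40, 3DES, the PKCS#12 KDF with a SHA-1 MAC) that FIPS-mode providers refuse, and treats PBES2 with PBKDF2 and AES as modern. A file that declares no recognised algorithm at all (for example a passwordless, unencrypted truststore) comes back as "unencrypted" so it can be reviewed separately rather than being mistaken for either family.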