gridcf / gct

Grid Community Toolkit
Apache License 2.0

grid-proxy-init w/OpenSSL 3.x: Weakly encrypted PKCS#12 keystores can't be processed #202

Open fscheiner opened 1 year ago

fscheiner commented 1 year ago

Problem

On Rocky Linux 9 a PKCS#12 keystore produced with either OpenSSL 1.1.1f or Firefox 106.0.2 (both on Ubuntu 20.04) cannot be processed by grid-proxy-init:

    [johndoe@rockylinux-9 .globus]$ ls -la
    total 1608
    drwx------. 3 johndoe johndoe     190 Nov 11 15:59 .
    drwx------. 4 johndoe johndoe     138 Nov 11 16:09 ..
    drwxr-xr-x. 2 johndoe johndoe   36864 Mar 10  2022 certificates
    -rw-------. 1 johndoe johndoe    5619 Nov  7 16:28 usercred-from-firefox-106.0.2.p12
    -rw-------. 1 johndoe johndoe    4373 Nov  7 16:31 usercred-from-openssl-1.1.1f.p12
    -rw-------. 1 johndoe johndoe    4515 Nov  7 17:44 usercred-from-openssl-3.0.1.p12
    lrwxrwxrwx. 1 johndoe johndoe      32 Nov 11 15:59 usercred.p12 -> usercred-from-openssl-1.1.1f.p12

    [johndoe@rockylinux-9 .globus]$ grid-proxy-init -version
    globus_proxy_utils-7.3

    [johndoe@rockylinux-9 .globus]$ openssl version
    OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

    [johndoe@rockylinux-9 .globus]$ grid-proxy-init
    Enter GRID pass phrase for this identity:
    Error: Couldn't read in PKCS12 credential from file: /home/johndoe/.globus/usercred.p12

    Use -debug for further information.
    [johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug

    User Cert File: /home/johndoe/.globus/usercred.p12
    User Key File: /home/johndoe/.globus/usercred.p12

    Trusted CA Cert Dir: (null)

    Output File: /tmp/x509up_u1000
    Enter GRID pass phrase for this identity:
    Error: Couldn't read in PKCS12 credential from file: /home/johndoe/.globus/usercred.p12

           grid_proxy_init.c:712: globus_credential: Error reading user credential: Couldn't unpack the PKCS12 safebags from the PKCS7 credential
    OpenSSL Error: crypto/evp/evp_fetch.c:349: in library: digital envelope routines, function (null): unsupported Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This is due to:

  1. The "weak" 40 bit RC2 encryption still used for parts or the whole of a PKCS#12 keystore per default for still common software like OpenSSL 1.1.1f and Firefox 106.0.2:
    
    [johndoe@rockylinux-9 .globus]$ openssl pkcs12 -in usercred-from-firefox-106.0.2.p12 -info -nokeys -nocerts
    Enter Import Password:
    MAC: sha1, Iteration 600000
    MAC length: 20, salt length: 16
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000
    Error outputting keys and certificates
    80EB9B4C1F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

    [johndoe@rockylinux-9 .globus]$ openssl pkcs12 -in usercred-from-openssl-1.1.1f.p12 -info -nokeys -nocerts -legacy
    Enter Import Password:
    MAC: sha1, Iteration 2048
    MAC length: 20, salt length: 8
    PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048


2. OpenSSL 3.x refusing to process such a PKCS#12 keystore without using legacy functionality (i.e. using the `-provider legacy` switch)


For more details about the security of PKCS#12 keystores when not using OpenSSL 3.x for creation please refer to the following URL:

* https://unmitigatedrisk.com/?p=543

fscheiner commented 1 year ago

Workarounds

OpenSSL version 1.1.1f

Command: Use `openssl pkcs12 -export [...] -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256` to use the same encryption and MAC as OpenSSL 3.0's default

Result:

    MAC: sha256, Iteration 2048
    MAC length: 32, salt length: 8
    PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Command: Use `openssl pkcs12 -export [...] -certpbe PBE-SHA1-3DES` to use the defaults of OpenSSL 1.1.1f but also encrypt the cert with 3-Key-TripleDES allowing OpenSSL 3.0 to work with this keystore without the need for `-legacy`

Result:

    MAC: sha1, Iteration 2048
    MAC length: 20, salt length: 8
    PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

OpenSSL version 1.0.2k

Command: Use `openssl pkcs12 -export [...] -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256` to use the same encryption and MAC as OpenSSL 3.0's default except for the HMAC which is still done with SHA1

Result:

    MAC: sha256, Iteration 2048
    MAC length: 32, salt length: 8
    PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA1
    Certificate bag
    PKCS7 Data
    Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA1
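
As an added example (not part of the issue or of GCT), these shell functions classify each bag in `openssl pkcs12 -info` output by the OpenSSL 3.x provider needed to decrypt it, using outputs quoted in this issue as sample input. The function names are hypothetical, and treating RC4-based PBE as legacy alongside RC2 goes beyond the RC2-40 case shown here.

```shell
#!/bin/sh
# Added example: which bags of a PKCS#12 keystore need the OpenSSL 3.x legacy provider?

# Reads `openssl pkcs12 -info` output on stdin and prints one line per
# encrypted bag: "<provider>|<bag>|<algorithm>". "legacy" marks RC2/RC4 based
# PBE; "default" only means readable without -legacy, not that it is strong.
p12_classify() {
    awk '
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            bag = $0; sub(/: .*/, "", bag)          # text before the first ": "
            alg = $0; sub(/^[^:]*: /, "", alg)      # text after it
            sub(/, Iteration [0-9]+/, "", alg)      # drop the iteration count
            provider = (alg ~ /RC2|RC4/) ? "legacy" : "default"
            printf "%s|%s|%s\n", provider, bag, alg
        }'
}

# Exit status 0 if at least one bag needs the legacy provider.
p12_needs_legacy() {
    p12_classify | grep -q '^legacy|'
}

# Inspect a real keystore (prompts for the import password). Assumes
# OpenSSL 3.x for -legacy; 2>&1 captures the listing on either stream.
p12_check_file() {
    openssl pkcs12 -in "$1" -info -nokeys -nocerts -legacy 2>&1 | p12_classify
}

# Sample inputs copied from the outputs quoted in this issue.
sample_firefox() {
    cat <<'EOF'
MAC: sha1, Iteration 600000
MAC length: 20, salt length: 16
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000
EOF
}
sample_aes() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

sample_firefox | p12_classify
sample_aes | p12_needs_legacy || echo "AES keystore: readable without -legacy"
```

For a keystore on disk, `p12_check_file ~/.globus/usercred.p12` produces the same listing.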