kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Allow saving PKCS12 using TripleDES-SHA1 instead of AES #335

Closed sethrandall closed 1 year ago

sethrandall commented 2 years ago

There appears to be no way to save a PKCS12 and specify TripleDES-SHA1 as the encryption type, which appears to be the only supported type on Server 2012R2.

Can you add an option to select the encryption type?

Importing into a newer version of Windows and then exporting using the Certificate Manager export wizard allows the selection, but I prefer to do my management through KES.

kaikramer commented 2 years ago

The algorithm for encrypting the PKCS#12 content is determined by the Java runtime. You didn't fill out the required information for the ticket, so I don't know which Java version you are using right now, but in general try to use an older Java version.

The following two tickets describe the same problem and contain more information about which Java versions you can use to get the old (and insecure) algorithms: https://github.com/kaikramer/keystore-explorer/issues/308 https://github.com/kaikramer/keystore-explorer/issues/318

I am currently working on improving the PKCS#12 support in KSE in general and this compatibility issue is certainly on my radar. I'll leave this ticket open as a feature request for future KSE releases.

jpstotz commented 2 years ago

Shouldn't it be sufficient to set the system property keystore.pkcs12.legacy? According to the OpenJDK PKCS12 source code this should change the used algorithm to PBEWithSHA1AndDESede.

Edit: It definitely works. Starting kse using java -Dkeystore.pkcs12.legacy -jar kse.jar and creating a PKCS12 store creates one with pbeWithSHAAnd3-KeyTripleDES-CBC encrypted content. And according to the Java source code it should be possible to change the system property at run-time, as it is not checked only once, to allow kse to save PKCS12 in either the old or the new encryption format. I know this is not a nice solution, but it should work (if the JRE/JDK supports it). For checking whether the property works, the only real solution in my opinion is to try it out: create a dummy PKCS12 one time with and one time without it and see if they differ.
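A small Java check for the "try it out" approach jpstotz describes above, added here as an example (it is not KeyStore Explorer's code and was not posted by any commenter): it writes a throw-away PKCS#12 store twice, once with keystore.pkcs12.legacy set at run-time and once without, and scans each DER blob for the algorithm OIDs so you can see which key-protection PBE and MAC digest the running JVM actually used. The class name, entry alias and password are made up; the OID byte strings are the standard DER encodings of the algorithms named in the comments.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Checks whether the keystore.pkcs12.legacy system property takes effect in
 * the running JVM by building a throw-away PKCS#12 store twice (with and
 * without the property) and scanning each DER blob for algorithm OIDs.
 * Added example; not part of KeyStore Explorer.
 */
public class Pkcs12LegacyCheck {

    // DER-encoded algorithm OIDs (tag 0x06, length, content bytes)
    // pbeWithSHAAnd3-KeyTripleDES-CBC, 1.2.840.113549.1.12.1.3 (legacy key protection)
    static final byte[] OID_PBE_SHA1_3DES = hex("060a2a864886f70d010c0103");
    // PBES2, 1.2.840.113549.1.5.13 (wraps PBKDF2 + AES-256-CBC in current JDKs)
    static final byte[] OID_PBES2 = hex("06092a864886f70d01050d");
    // sha1, 1.3.14.3.2.26 (MacData digest in legacy stores)
    static final byte[] OID_SHA1 = hex("06052b0e03021a");
    // sha256, 2.16.840.1.101.3.4.2.1 (MacData digest in current stores)
    static final byte[] OID_SHA256 = hex("0609608648016503040201");

    // Made-up password for a store that only ever lives in memory
    static final char[] PASSWORD = "dummy".toCharArray();

    /** Builds a PKCS#12 store holding one AES secret key and returns its DER bytes. */
    static byte[] buildDummyStore(boolean legacy) throws Exception {
        if (legacy) {
            // Only the presence of the property matters, not its value,
            // which is what -Dkeystore.pkcs12.legacy on the command line sets.
            System.setProperty("keystore.pkcs12.legacy", "");
        } else {
            System.clearProperty("keystore.pkcs12.legacy");
        }
        // The JDK encrypts a key entry when it is added, so the property must
        // already be in place before setKeyEntry(), not just before store().
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty store: no algorithms inherited from a file
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setKeyEntry("dummy", key, PASSWORD, null); // "dummy" is a made-up alias
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        return out.toByteArray();
    }

    /** True if needle occurs anywhere in haystack; a naive scan is fine for a few KB. */
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return true;
        }
        return false;
    }

    /** Summarises which algorithm OIDs a store contains. */
    static String describe(byte[] p12) {
        return String.format(
            "3DES-SHA1 key PBE: %s, PBES2 key PBE: %s, SHA-1 MAC digest: %s, SHA-256 MAC digest: %s",
            contains(p12, OID_PBE_SHA1_3DES), contains(p12, OID_PBES2),
            contains(p12, OID_SHA1), contains(p12, OID_SHA256));
    }

    static byte[] hex(String s) {
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++) {
            b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return b;
    }

    public static void main(String[] args) throws Exception {
        byte[] modern = buildDummyStore(false);
        byte[] legacy = buildDummyStore(true);
        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println("default : " + describe(modern));
        System.out.println("legacy  : " + describe(legacy));
        if (!contains(legacy, OID_PBE_SHA1_3DES)) {
            System.out.println("keystore.pkcs12.legacy has no effect in this JVM");
        }
    }
}
```

Run it with the same JDK that starts KSE. On a JDK that honours the property, the legacy run reports the 3DES-SHA1 key PBE and the SHA-1 MAC digest while the default run reports PBES2 and SHA-256; on a JDK that predates the property, both runs look the same. The store here contains only a secret-key entry, so the certificate-bag encryption (RC2-40 in legacy mode) does not show up; a store with a private key and certificate chain would additionally differ there. JDKs that support keystore.pkcs12.legacy also expose the finer-grained java.security properties keystore.pkcs12.keyProtectionAlgorithm, keystore.pkcs12.certProtectionAlgorithm and keystore.pkcs12.macAlgorithm, which let you pick PBEWithSHA1AndDESede for the key and certificate bags individually instead of flipping every algorithm back to the legacy defaults.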

kaikramer commented 2 years ago

@jpstotz Thanks! I will add an option in the preferences for this in the next release.