From 5c9ceb000483dd59d8500483fbd270820e18364f Mon Sep 17 00:00:00 2001
From: Peter Chen
Date: Thu, 21 Dec 2023 14:39:33 +0800
Subject: [PATCH 1/2] Delete unnecessary use of openssl legacy mode
- As the original PR (https://github.com/pivotal/credhub-release/pull/66) and commit message explain, this legacy mode is only needed when using java 8. Since we have upgrade to java 17. This legacy mode is no longer needed.
[#186629315]
---
 jobs/credhub/templates/init_key_stores.erb | 9 +--------
 spec/credhub/init_key_stores_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/jobs/credhub/templates/init_key_stores.erb b/jobs/credhub/templates/init_key_stores.erb
index 9cc987d4..9f4a5e0f 100644
--- a/jobs/credhub/templates/init_key_stores.erb
+++ b/jobs/credhub/templates/init_key_stores.erb
@@ -51,13 +51,6 @@ cat > ${PRIVATE_KEY_FILE} < EOL
-# legacy option is needed for openssl 3 + openjdk8 see https://github.com/pivotal/credhub-release/issues/65
-if openssl version | grep -q 3.0; then
- LEGACY="-legacy"
-else
- LEGACY=""
-fi
-
 # Use Fips 140-2 compatible encryption algorithm
 if [ -f "/proc/sys/crypto/fips_enabled" ]; then
 FIPS_OPTS="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
@@ -68,7 +61,7 @@ fi if [ -s ${CERT_FILE} ]; then
- RANDFILE=/etc/sv/monit/.rnd openssl pkcs12 ${LEGACY} -export -in ${CERT_FILE} ${FIPS_OPTS} -inkey ${PRIVATE_KEY_FILE} -out cert.p12 -name ${CERT_ALIAS} \
+ RANDFILE=/etc/sv/monit/.rnd openssl pkcs12 -export -in ${CERT_FILE} ${FIPS_OPTS} -inkey ${PRIVATE_KEY_FILE} -out cert.p12 -name ${CERT_ALIAS} \
 -password pass:k0*l*s3cur1tyr0ck$
 ${JAVA_HOME}/bin/keytool -importkeystore \
diff --git a/spec/credhub/init_key_stores_spec.rb b/spec/credhub/init_key_stores_spec.rb
index 21259bca..9722a205 100644
--- a/spec/credhub/init_key_stores_spec.rb
+++ b/spec/credhub/init_key_stores_spec.rb
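Review bot: In the second hunk, the rewritten `openssl pkcs12 -export` line still receives the keystore password as `-password pass:k0*l*s3cur1tyr0ck$` on its continuation line, so the secret is a fixed literal in a committed template and, for the duration of the call, is typically visible to every local user through `ps` or `/proc/*/cmdline`. The word is also unquoted, so the `*` characters are subject to pathname expansion in the working directory; quoting it is a one-character fix even if the value stays. A safer shape is to write the password to a `0600` temp file and pass `-password file:"${P12_PASS_FILE}"`, but if the Java side reads the same literal for the keystore, both must move together, which I cannot confirm from this hunk. The dropped `openssl version | grep -q 3.0` switch leaves no fallback for a host that still pairs OpenSSL 3 with Java 8; the commit message says Java 17 is in use, so that is acceptable if the stemcell pins it. The `if [ -s ${CERT_FILE} ]` block and the `keytool -importkeystore` command continue outside the hunk.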
@@ -34,7 +34,7 @@ it 'loads the TLS certificate' do
 script = template.render(manifest)
- expect(script).to include('openssl pkcs12 ${LEGACY} -export -in')
+ expect(script).to include('openssl pkcs12 -export -in')
 end
 context 'when trusted CAs are provided' do
From 6646c26d078274aa06765eb1f9a4178ae931d0c7 Mon Sep 17 00:00:00 2001
From: Peter Chen
Date: Thu, 21 Dec 2023 15:08:51 +0800
Subject: [PATCH 2/2] Fix pre-start.erb for Jammy FIPS stemcell (#174)
- algorithm "PBE-SHA1-3DES" is not available on FIPS Jammy (OpenSSL 3.0.2 / Ubuntu 22.04.3 LTS), error:
```
Error creating PKCS12 structure for cert.p12
error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties ()
error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:../crypto/pkcs12/p12_crpt.c:55:
error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:191:
error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127:
```
- so use the "-nomac" option instead as recommended on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES
- see a similar fix in uaa-release: https://github.com/cloudfoundry/uaa-release/commit/5a57378ca65998e62b9562626c960fd9c0487b52
[#186629315]
---
 jobs/credhub/templates/init_key_stores.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/jobs/credhub/templates/init_key_stores.erb b/jobs/credhub/templates/init_key_stores.erb
index 9f4a5e0f..04237dfa 100644
--- a/jobs/credhub/templates/init_key_stores.erb
+++ b/jobs/credhub/templates/init_key_stores.erb
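Review bot: The updated expectation only checks for the substring `openssl pkcs12 -export -in`, so a later reintroduction of `${LEGACY}` elsewhere on the line, or of `-legacy` itself, would not fail this spec even though removing it is the whole point of the commit. Pinning the intent is one line next to the changed expectation: `expect(script).not_to include('-legacy')`. The `it 'loads the TLS certificate'` block appears to sit entirely inside the hunk; the surrounding `context` blocks continue outside it.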
@@ -51,10 +51,10 @@ cat > ${PRIVATE_KEY_FILE} < EOL
-# Use Fips 140-2 compatible encryption algorithm
+# Use Fips-compatible option(s)
 if [ -f "/proc/sys/crypto/fips_enabled" ]; then
- FIPS_OPTS="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
- echo "Using Fips 140-2 compatible encryption algorithm PBE-SHA1-3DES to package cert and key with pkcs12"
+ FIPS_OPTS="-nomac"
+ echo "Using Fips-compatible option(s) to package cert and key with pkcs12"
 else
 FIPS_OPTS=""
 fi
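Review bot: The new `FIPS_OPTS="-nomac"` drops the PKCS#12 integrity MAC, so on FIPS hosts `cert.p12` has no tamper check between the `openssl pkcs12 -export` and the `keytool -importkeystore` that consumes it; that is a reasonable trade only because the file is transient on the same host, and the replacement comment `# Use Fips-compatible option(s)` should say why rather than hide it, e.g. `# FIPS: the OpenSSL 3.0 FIPS provider has no PKCS12KDF, so skip the MAC; key/cert encryption stays on the PBES2/PBKDF2 defaults, and cert.p12 is consumed immediately by keytool below`. The linked man page NOTES are the source for that reasoning, and the error trace in the commit message is the cert-bag encryption failing under the old explicit `-certpbe`, so dropping those flags is what actually fixes it — worth stating so nobody re-adds a `-certpbe`/`-keypbe` later. Whether keytool on the Jammy FIPS stemcell accepts a MAC-less PKCS#12 is not shown here; an explicit FIPS-branch expectation on `-nomac` in the template spec would at least pin the rendered command. The guard `[ -f "/proc/sys/crypto/fips_enabled" ]` on the context line tests only that the sysctl exists, which it does on non-FIPS kernels with value `0`, so the FIPS branch is taken on ordinary hosts too; reading the value, `if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]; then`, keeps the MAC on non-FIPS machines. The enclosing script continues outside the hunk.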