From b84da4c22637b8a74b69be5df1131485a7df8733 Mon Sep 17 00:00:00 2001 From: Lee Fine Date: Tue, 5 Nov 2024 20:26:24 +0000 Subject: [PATCH 01/11] ab#64984 --- CHANGELOG.md | 3 +++ .../PKCS12/PKCS12CertificateStoreSerializer.cs | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79bf273..ce0aacb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +v2.9.1 +- Big Fix: Use AES encryption when creating Pkcs12 files + v2.9.0 - Modify Discovery on Linux servers to filter out ignored folders when searching using the Find command rather than eliminating them after. This was done to eliminate permissions errors. - Deprecated isRSAPrivateKey custom property on RFPEM certificate store type. Integration now reads the existing private key to determin if it is formatted as PKCS#1 or PKCS#8 and, on renewal, keeps the format the same. For new PEM certificate stores/certificates, PKCS#8 will always be used. PLEASE NOTE, for existing certificate stores that already have isRSAPrivateKey defined, this setting will be ignored. diff --git a/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs b/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs index 2b159f9..a66e9e6 100644 --- a/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs +++ b/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs @@ -12,10 +12,13 @@ using Keyfactor.Extensions.Orchestrator.RemoteFile.Models; using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Asn1.Pkcs; + using Keyfactor.Logging; using Microsoft.Extensions.Logging; using System.Linq; using Keyfactor.PKI.Extensions; +using Org.BouncyCastle.Asn1.Nist; namespace Keyfactor.Extensions.Orchestrator.RemoteFile.PKCS12 { 
@@ -53,6 +56,10 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin
 public List SerializeRemoteCertificateStore(Pkcs12Store certificateStore, string storePath, string storeFileName, string storePassword, IRemoteHandler remoteHandler)
 {
 Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
+ storeBuilder.SetCertAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc);
+ storeBuilder.SetKeyAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256);
+ storeBuilder.SetUseDerEncoding(true);
+
 Pkcs12Store workingStore = storeBuilder.Build();
 
 foreach (string alias in certificateStore.Aliases)
@@ -88,6 +95,10 @@ public string GetPrivateKeyPath()
 private Pkcs12Store ConvertAliases(Pkcs12Store workingStore, bool useThumbprintAsAlias)
 {
 Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
+ storeBuilder.SetCertAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc);
+ storeBuilder.SetKeyAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256);
+ storeBuilder.SetUseDerEncoding(true);
+
 Pkcs12Store returnStore = storeBuilder.Build();
 
 if (HasEmptyAliases)

From 890d2c935c199e1015994ccda2fc4760ef95288a Mon Sep 17 00:00:00 2001
From: Lee Fine
Date: Tue, 5 Nov 2024 20:49:13 +0000
Subject: [PATCH 02/11] ab#64984

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce0aacb..4f68731 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 v2.9.1
-- Big Fix: Use AES encryption when creating Pkcs12 files
+- Bug Fix: Use AES encryption when creating PKCS12 files instead of less secure defaults
 
 v2.9.0
 - Modify Discovery on Linux servers to filter out ignored folders when searching using the Find command rather than eliminating them after. This was done to eliminate permissions errors.
From ba5cf3fa374104900a8874e77669bc79fc6959e9 Mon Sep 17 00:00:00 2001
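Review bot: The certificate bags written by `SerializeRemoteCertificateStore` are still protected with PBE-SHA1-3DES (`storeBuilder.SetCertAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc)`), so only the key bags move to AES-256-CBC via `SetKeyAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256)`, while the CHANGELOG and docs added later in this series state that AES is used for certificates and store files. Either move the cert bags to AES as well — the builder appears to accept the same pair of OIDs, `storeBuilder.SetCertAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256);`, but confirm that overload exists in the BouncyCastle version referenced — or, if 3DES was kept deliberately so older consumers can still open the file, record that with a comment and correct the docs so they do not overstate the change. The same four builder lines are repeated in `ConvertAliases` in the next hunk; a private factory keeps the two stores from drifting apart, as sketched below. The integrity MAC applied on save is not configured anywhere in this hunk, so if the library defaults to SHA-1 for it that is worth confirming before describing the output as fully modern. Both methods continue past the hunk.

```csharp
// Single definition of how PKCS#12 files written by this integration are protected,
// so SerializeRemoteCertificateStore and ConvertAliases cannot drift apart.
private static Pkcs12StoreBuilder NewStoreBuilder()
{
    Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder();
    // Cert bags: PBE-SHA1-3DES, not AES. NOTE(review): if this is for consumer compatibility,
    // say so here and keep the docs consistent with it.
    storeBuilder.SetCertAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc);
    // Key bags: AES-256-CBC with an HMAC-SHA256 PRF.
    storeBuilder.SetKeyAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256);
    storeBuilder.SetUseDerEncoding(true);
    return storeBuilder;
}

// in SerializeRemoteCertificateStore (body continues past the hunk):
    Pkcs12Store workingStore = NewStoreBuilder().Build();
    // … unchanged: alias copy loop …
```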
From: Lee Fine Date: Wed, 6 Nov 2024 18:46:47 +0000 Subject: [PATCH 03/11] ab#64984 --- docsource/content.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docsource/content.md b/docsource/content.md index 7220e7e..400cab0 100644 --- a/docsource/content.md +++ b/docsource/content.md @@ -21,6 +21,8 @@ Please refer to the READMEs for each supported store type for more information o |Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | |Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +Note: when creating, adding certificates to, or removing certificates from any store managed by RemoteFile, the destination store will be recreated. When this occurs current AES encryption algorithms will be used for affected certificates and certificate store files. + ## Requirements From 0a185b70711e9b9f7a1d3204e911d4905cbe9240 Mon Sep 17 00:00:00 2001 From: Lee Fine Date: Wed, 6 Nov 2024 19:10:34 +0000 Subject: [PATCH 04/11] ab#64984 --- docsource/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docsource/content.md b/docsource/content.md index 400cab0..9f8611e 100644 --- a/docsource/content.md +++ b/docsource/content.md 
@@ -21,7 +21,7 @@ Please refer to the READMEs for each supported store type for more information o |Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | |Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | -Note: when creating, adding certificates to, or removing certificates from any store managed by RemoteFile, the destination store will be recreated. When this occurs current AES encryption algorithms will be used for affected certificates and certificate store files. +Note: when creating, adding certificates to, or removing certificates from any store managed by RemoteFile, the destination store file will be recreated. When this occurs current AES encryption algorithms will be used for affected certificates and certificate store files. ## Requirements From f5e8ba39b32ef2ac1a780cadb3d73e3b1c2b225a Mon Sep 17 00:00:00 2001 From: Lee Fine Date: Tue, 12 Nov 2024 19:59:59 +0000 Subject: [PATCH 05/11] ab#64984 --- .github/workflows/keyfactor-starter-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 0093d2c..cde271b 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@3.1.1 + uses: keyfactor/actions/.github/workflows/starter.yml@3.2 secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} From aeddcc2b6a5ac7e21c965d7fbcf2c74cd4fa6ba9 Mon Sep 17 00:00:00 2001 From: Lee Fine Date: Tue, 12 Nov 2024 20:03:54 +0000 Subject: [PATCH 06/11] ab#64984 --- .github/workflows/keyfactor-starter-workflow.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index cde271b..a4649f2 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@3.2 + uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2 secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} From 2daae6b4b9a36be31f1b9250d4a4bcdd73669932 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 12 Nov 2024 20:05:20 +0000 Subject: [PATCH 07/11] Update generated docs --- README.md | 12 ++++++++++-- integration-manifest.json | 2 +- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 01c08d7..7fb9cb2 100644 --- a/README.md +++ b/README.md 
@@ -50,12 +50,15 @@ Please refer to the READMEs for each supported store type for more information o |-----|-----|------| |Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection | |Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | -|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | + +Note: when creating, adding certificates to, or removing certificates from any store managed by RemoteFile, the destination store file will be recreated. When this occurs current AES encryption algorithms will be used for affected certificates and certificate store files. The Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
RFJKS (RFJKS) + ### RFJKS The RFJKS store type can be used to manage java keystores of types JKS or PKCS12. If creating a new java keystore and adding a certificate all via Keyfactor Command, the created java keystore will be of type PKCS12, as java keystores of type JKS have been deprecated as of JDK 9. @@ -68,6 +71,7 @@ Use cases supported:
RFPEM (RFPEM) + ### RFPEM The RFPEM store type can be used to manage PEM encoded files. @@ -84,6 +88,7 @@ NOTE: PEM stores may only have one private key (internal or external) associated
RFPkcs12 (RFPkcs12) + ### RFPkcs12 The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -101,6 +106,7 @@ Use cases not supported:
RFDER (RFDER) + ### RFDER The RFDER store type can be used to manage DER encoded files. @@ -112,6 +118,7 @@ Use cases supported:
RFKDB (RFKDB) + ### RFKDB The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -124,6 +131,7 @@ Use cases supported:
RFORA (RFORA) + ### RFORA The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. 
@@ -1410,7 +1418,7 @@ If running as an agent (accessing stores on the server where the Universal Orche ## Developer Notes -The Remote File Orchestrator Extension is meant to be extended to be used for other file based certificate store types than the ones referenced above. The advantage to extending this integration rather than creating a new one is that the configuration, remoting, and Inventory/Management/Discovery logic is already written. The developer needs to only implement a few classes and write code to convert the destired file based store to a common format. This section describes the steps necessary to add additional store/file types. Please note that familiarity with the [.Net Core BouncyCastle cryptography library](https://github.com/bcgit/bc-csharp) is a prerequisite for adding additional supported file/store types. +The Remote File Orchestrator Extension is designed to be highly extensible, enabling its use with various file-based certificate stores beyond the specific implementations currently referenced above. The advantage to extending this integration rather than creating a new one is that the configuration, remoting, and Inventory/Management/Discovery logic is already written. The developer needs to only implement a few classes and write code to convert the destired file based store to a common format. This section describes the steps necessary to add additional store/file types. Please note that familiarity with the [.Net Core BouncyCastle cryptography library](https://github.com/bcgit/bc-csharp) is a prerequisite for adding additional supported file/store types. Steps to create a new supported file based certificate store type: diff --git a/integration-manifest.json b/integration-manifest.json index 986b2ad..1bce01f 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -540,4 +540,4 @@ ] } } -} +} \ No newline at end of file From 0c2aa0579ed2adb1f153159aaa8e37ec94793efa Mon Sep 17 00:00:00 2001 
From: Lee Fine <50836957+leefine02@users.noreply.github.com> Date: Mon, 25 Nov 2024 16:23:33 -0500 Subject: [PATCH 08/11] ab#64984 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f68731..25bb0ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -v2.9.1 +v2.9.1 - Bug Fix: Use AES encryption when creating PKCS12 files instead of less secure defaults v2.9.0 From 51f7b7451b494f747016579b7f9d7ce6b8d2960e Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Mon, 25 Nov 2024 21:24:52 +0000 Subject: [PATCH 09/11] Update generated docs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7fb9cb2..7c06cd4 100644 --- a/README.md +++ b/README.md @@ -618,7 +618,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | --------- | ----------- | ----------- | ----------- | | Older than `11.0.0` | | | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Never` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | | `11.6` _and_ newer | `net8.0` | | `net8.0` | From 3a145cb214e57e62cb5fb046ce9f14a1e81a0cb8 Mon Sep 17 00:00:00 2001 From: Lee Fine Date: Tue, 26 Nov 2024 13:50:39 +0000 Subject: [PATCH 10/11] ab#64984 --- integration-manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration-manifest.json b/integration-manifest.json index 986b2ad..c2d82b7 100644 --- a/integration-manifest.json +++ b/integration-manifest.json 
@@ -200,7 +200,7 @@ "DependsOn": "", "Type": "Bool", "DefaultValue": "false", - "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it." + "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it." } ], "EntryParameters": [], From afe616ff8256704d6f636c02ea77ae0ec6c36b2e Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Tue, 26 Nov 2024 13:52:04 +0000 Subject: [PATCH 11/11] Update generated docs --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7c06cd4..12606b9 100644 --- a/README.md +++ b/README.md 
@@ -327,7 +327,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | IsTrustStore | Trust Store | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | Bool | false | 🔲 Unchecked | | IncludesChain | Store Includes Chain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | Bool | false | 🔲 Unchecked | | SeparatePrivateKeyFilePath | Separate Private Key File Location | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | String | | 🔲 Unchecked | - | IgnorePrivateKeyOnInventory | Ignore Private Key On Inventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it. | Bool | false | 🔲 Unchecked | + | IgnorePrivateKeyOnInventory | Ignore Private Key On Inventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. 
However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | Bool | false | 🔲 Unchecked | The Custom Fields tab should look like this: 
@@ -873,7 +873,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | IsTrustStore | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | | IncludesChain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | | SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | - | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it. | + | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | | Store Password | Password used to secure the Certificate Store. 
For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' | 
@@ -922,7 +922,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | IsTrustStore | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | | IncludesChain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | | SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | - | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it. | + | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | | Store Password | Password used to secure the Certificate Store. 
For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' |