diff --git a/.github/workflows/keyfactor-starter-workflow.yml b/.github/workflows/keyfactor-starter-workflow.yml index 0093d2c..a4649f2 100644 --- a/.github/workflows/keyfactor-starter-workflow.yml +++ b/.github/workflows/keyfactor-starter-workflow.yml @@ -11,7 +11,7 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@3.1.1 + uses: keyfactor/actions/.github/workflows/starter.yml@3.1.2 secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} diff --git a/CHANGELOG.md b/CHANGELOG.md index 79bf273..25bb0ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +v2.9.1 +- Bug Fix: Use AES encryption when creating PKCS12 files instead of less secure defaults + v2.9.0 - Modify Discovery on Linux servers to filter out ignored folders when searching using the Find command rather than eliminating them after. This was done to eliminate permissions errors. - Deprecated isRSAPrivateKey custom property on RFPEM certificate store type. Integration now reads the existing private key to determin if it is formatted as PKCS#1 or PKCS#8 and, on renewal, keeps the format the same. For new PEM certificate stores/certificates, PKCS#8 will always be used. PLEASE NOTE, for existing certificate stores that already have isRSAPrivateKey defined, this setting will be ignored. diff --git a/README.md b/README.md index 01c08d7..12606b9 100644 --- a/README.md +++ b/README.md @@ -50,12 +50,15 @@ Please refer to the READMEs for each supported store type for more information o |-----|-----|------| |Orchestrated Server hosting certificate store(s) on remote Windows server|WinRM connection | SSH connection | |Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | -|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +|Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | + +Note: when creating, adding certificates to, or removing certificates from any store managed by RemoteFile, the destination store file will be recreated. When this occurs current AES encryption algorithms will be used for affected certificates and certificate store files. The Remote File Universal Orchestrator extension implements 6 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
RFJKS (RFJKS) + ### RFJKS The RFJKS store type can be used to manage java keystores of types JKS or PKCS12. If creating a new java keystore and adding a certificate all via Keyfactor Command, the created java keystore will be of type PKCS12, as java keystores of type JKS have been deprecated as of JDK 9. @@ -68,6 +71,7 @@ Use cases supported:
RFPEM (RFPEM) + ### RFPEM The RFPEM store type can be used to manage PEM encoded files. @@ -84,6 +88,7 @@ NOTE: PEM stores may only have one private key (internal or external) associated
RFPkcs12 (RFPkcs12) + ### RFPkcs12 The RFPkcs12 store type can be used to manage any PKCS#12 compliant file format INCLUDING java keystores of type PKCS12. @@ -101,6 +106,7 @@ Use cases not supported:
RFDER (RFDER) + ### RFDER The RFDER store type can be used to manage DER encoded files. @@ -112,6 +118,7 @@ Use cases supported:
RFKDB (RFKDB) + ### RFKDB The RFKDB store type can be used to manage IBM Key Database Files (KDB) files. The IBM utility, GSKCAPICMD, is used to read and write certificates from and to the target store and is therefore required to be installed on the server where each KDB certificate store being managed resides, and its location MUST be in the system $Path. @@ -124,6 +131,7 @@ Use cases supported:
RFORA (RFORA) + ### RFORA The RFORA store type can be used to manage Pkcs12 Oracle Wallets. Please note that while this should work for Pkcs12 Oracle Wallets installed on both Windows and Linux servers, this has only been tested on wallets installed on Windows. Please note, when entering the Store Path for an Oracle Wallet in Keyfactor Command, make sure to INCLUDE the eWallet.p12 file name that by convention is the name of the Pkcs12 wallet file that gets created. @@ -319,7 +327,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | IsTrustStore | Trust Store | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | Bool | false | 🔲 Unchecked | | IncludesChain | Store Includes Chain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | Bool | false | 🔲 Unchecked | | SeparatePrivateKeyFilePath | Separate Private Key File Location | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | String | | 🔲 Unchecked | - | IgnorePrivateKeyOnInventory | Ignore Private Key On Inventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it. | Bool | false | 🔲 Unchecked | + | IgnorePrivateKeyOnInventory | Ignore Private Key On Inventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | Bool | false | 🔲 Unchecked | The Custom Fields tab should look like this: @@ -610,7 +618,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | --------- | ----------- | ----------- | ----------- | | Older than `11.0.0` | | | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net6.0` | | `net6.0` | - | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Never` | `net6.0` | + | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `Disable` | `net6.0` | | Between `11.0.0` and `11.5.1` (inclusive) | `net8.0` | `LatestMajor` | `net8.0` | | `11.6` _and_ newer | `net8.0` | | `net8.0` | @@ -865,7 +873,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | IsTrustStore | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | | IncludesChain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | | SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | - | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it. | + | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | | Store Password | Password used to secure the Certificate Store. For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' | @@ -914,7 +922,7 @@ The Remote File Universal Orchestrator extension implements 6 Certificate Store | IsTrustStore | The IsTrustStore field should contain a boolean value ('true' or 'false') indicating whether the store will be identified as a trust store, which can hold multiple certificates without private keys. Example: 'true' for a trust store or 'false' for a store with a single certificate and private key. | | IncludesChain | The IncludesChain field should contain a boolean value ('true' or 'false') indicating whether the certificate store includes the full certificate chain along with the end entity certificate. Example: 'true' to include the full chain or 'false' to exclude it. | | SeparatePrivateKeyFilePath | The SeparatePrivateKeyFilePath field should contain the full path and file name where the separate private key file will be stored if it is to be kept outside the main certificate file. Example: '/path/to/privatekey.pem'. | - | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it. | + | IgnorePrivateKeyOnInventory | The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it. | | Store Password | Password used to secure the Certificate Store. For stores with PKCS#8 private keys, set the password for encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) or 'No Value' for unencrypted private keys (BEGIN PRIVATE KEY). If managing a store with a PKCS#1 private key (BEGIN RSA PRIVATE KEY), this value MUST be set to 'No Value' | @@ -1410,7 +1418,7 @@ If running as an agent (accessing stores on the server where the Universal Orche ## Developer Notes -The Remote File Orchestrator Extension is meant to be extended to be used for other file based certificate store types than the ones referenced above. The advantage to extending this integration rather than creating a new one is that the configuration, remoting, and Inventory/Management/Discovery logic is already written. The developer needs to only implement a few classes and write code to convert the destired file based store to a common format. This section describes the steps necessary to add additional store/file types. Please note that familiarity with the [.Net Core BouncyCastle cryptography library](https://github.com/bcgit/bc-csharp) is a prerequisite for adding additional supported file/store types. +The Remote File Orchestrator Extension is designed to be highly extensible, enabling its use with various file-based certificate stores beyond the specific implementations currently referenced above. The advantage to extending this integration rather than creating a new one is that the configuration, remoting, and Inventory/Management/Discovery logic is already written. The developer needs to only implement a few classes and write code to convert the destired file based store to a common format. This section describes the steps necessary to add additional store/file types. Please note that familiarity with the [.Net Core BouncyCastle cryptography library](https://github.com/bcgit/bc-csharp) is a prerequisite for adding additional supported file/store types. Steps to create a new supported file based certificate store type: diff --git a/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs b/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs index 2b159f9..a66e9e6 100644 --- a/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs +++ b/RemoteFile/ImplementedStoreTypes/PKCS12/PKCS12CertificateStoreSerializer.cs @@ -12,10 +12,13 @@ using Keyfactor.Extensions.Orchestrator.RemoteFile.Models; using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Asn1.Pkcs; + using Keyfactor.Logging; using Microsoft.Extensions.Logging; using System.Linq; using Keyfactor.PKI.Extensions; +using Org.BouncyCastle.Asn1.Nist; namespace Keyfactor.Extensions.Orchestrator.RemoteFile.PKCS12 { @@ -53,6 +56,10 @@ public Pkcs12Store DeserializeRemoteCertificateStore(byte[] storeContents, strin public List SerializeRemoteCertificateStore(Pkcs12Store certificateStore, string storePath, string storeFileName, string storePassword, IRemoteHandler remoteHandler) { Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder(); + storeBuilder.SetCertAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc); + storeBuilder.SetKeyAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256); + storeBuilder.SetUseDerEncoding(true); + Pkcs12Store workingStore = storeBuilder.Build(); foreach (string alias in certificateStore.Aliases) @@ -88,6 +95,10 @@ public string GetPrivateKeyPath() private Pkcs12Store ConvertAliases(Pkcs12Store workingStore, bool useThumbprintAsAlias) { Pkcs12StoreBuilder storeBuilder = new Pkcs12StoreBuilder(); + storeBuilder.SetCertAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc); + storeBuilder.SetKeyAlgorithm(NistObjectIdentifiers.IdAes256Cbc, PkcsObjectIdentifiers.IdHmacWithSha256); + storeBuilder.SetUseDerEncoding(true); + Pkcs12Store returnStore = storeBuilder.Build(); if (HasEmptyAliases) diff --git a/docsource/content.md b/docsource/content.md index 7220e7e..9f8611e 100644 --- a/docsource/content.md +++ b/docsource/content.md @@ -21,6 +21,8 @@ Please refer to the READMEs for each supported store type for more information o |Orchestrated Server hosting certificate store(s) on remote Linux server| SSH connection | SSH connection | |Certificate store(s) on same server as orchestrator service (Agent)| WinRM connection or local file system | SSH connection or local file system | +Note: when creating, adding certificates to, or removing certificates from any store managed by RemoteFile, the destination store file will be recreated. When this occurs current AES encryption algorithms will be used for affected certificates and certificate store files. + ## Requirements diff --git a/integration-manifest.json b/integration-manifest.json index 986b2ad..afa8b43 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -200,7 +200,7 @@ "DependsOn": "", "Type": "Bool", "DefaultValue": "false", - "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to ignore the private key during inventory, which will make the store inventory-only and return all certificates without private key entries. Example: 'true' to ignore the private key or 'false' to include it." + "Description": "The IgnorePrivateKeyOnInventory field should contain a boolean value ('true' or 'false') indicating whether to disregard the private key during inventory. Setting this to 'true' will allow inventory for the store without needing to supply the location of the private key or the password if the key is encrypted. However, doing this makes the store in effect inventory-only and no management jobs will be able to be run for this store. Example: 'true' to ignore the private key or 'false' to include it." } ], "EntryParameters": [], @@ -540,4 +540,4 @@ ] } } -} +} \ No newline at end of file