grid-proxy-init w/OpenSSL 3.x: Weakly encrypted PKCS#12 keystores can't be processed #202

@fscheiner

Problem

On Rocky Linux 9 a PKCS#12 keystore produced with either OpenSSL 1.1.1f or Firefox 106.0.2 (both on Ubuntu 20.04) cannot be processed by grid-proxy-init:

[johndoe@rockylinux-9 .globus]$ ls -la
total 1608
drwx------. 3 johndoe johndoe     190 Nov 11 15:59 .
drwx------. 4 johndoe johndoe     138 Nov 11 16:09 ..
drwxr-xr-x. 2 johndoe johndoe   36864 Mar 10  2022 certificates
-rw-------. 1 johndoe johndoe    5619 Nov  7 16:28 usercred-from-firefox-106.0.2.p12
-rw-------. 1 johndoe johndoe    4373 Nov  7 16:31 usercred-from-openssl-1.1.1f.p12
-rw-------. 1 johndoe johndoe    4515 Nov  7 17:44 usercred-from-openssl-3.0.1.p12
lrwxrwxrwx. 1 johndoe johndoe      32 Nov 11 15:59 usercred.p12 -> usercred-from-openssl-1.1.1f.p12

[johndoe@rockylinux-9 .globus]$ grid-proxy-init -version
globus_proxy_utils-7.3

[johndoe@rockylinux-9 .globus]$ openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

[johndoe@rockylinux-9 .globus]$ grid-proxy-init
Enter GRID pass phrase for this identity:
Error: Couldn't read in PKCS12 credential from file: /home/johndoe/.globus/usercred.p12

Use -debug for further information.
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug

User Cert File: /home/johndoe/.globus/usercred.p12
User Key File: /home/johndoe/.globus/usercred.p12

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u1000
Enter GRID pass phrase for this identity:
Error: Couldn't read in PKCS12 credential from file: /home/johndoe/.globus/usercred.p12

       grid_proxy_init.c:712: globus_credential: Error reading user credential: Couldn't unpack the PKCS12 safebags from the PKCS7 credential
OpenSSL Error: crypto/evp/evp_fetch.c:349: in library: digital envelope routines, function (null): unsupported Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

This is due to:

  1. The "weak" 40 bit RC2 encryption still used for parts or the whole of a PKCS#12 keystore per default for still common software like OpenSSL 1.1.1f and Firefox 106.0.2:
[johndoe@rockylinux-9 .globus]$ openssl pkcs12 -in usercred-from-firefox-106.0.2.p12 -info -nokeys -nocerts
Enter Import Password:
MAC: sha1, Iteration 600000
MAC length: 20, salt length: 16
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000
Error outputting keys and certificates
80EB9B4C1F7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

[johndoe@rockylinux-9 .globus]$ openssl pkcs12 -in usercred-from-openssl-1.1.1f.p12 -info -nokeys -nocerts -legacy
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

  2. OpenSSL 3.x refusing to process such a PKCS#12 keystore without using legacy functionality (i.e. using the -provider legacy switch)

For more details about the security of PKCS#12 keystores when not using OpenSSL 3.x for creation please refer to the following URL:
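
Added example, not part of the original issue report: a small shell filter that reads `openssl pkcs12 -info` output like the listings above and reports which bags use a PBE cipher that OpenSSL 3.x only provides through the legacy provider. The function and sample names are hypothetical; `sample_firefox` repeats the Firefox output from the report and `sample_modern` is constructed.

```shell
#!/bin/sh
# stdin:  output of `openssl pkcs12 -info -nokeys -nocerts`
# stdout: "<container>: <algorithm>" per affected bag
# status: 0 if any affected bag was found, 1 otherwise
p12_legacy_bags() {
    awk -F': ' '
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            split($2, part, ",")        # drop ", Iteration N" and later fields
            alg = part[1]
            # RC2, RC4 and single DES live in the legacy provider;
            # 3DES (TripleDES-CBC) and PBES2/AES are in the default one.
            if (alg ~ /RC2|RC4|AndDES-CBC/) {
                print $1 ": " alg
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Firefox 106.0.2 keystore output, as shown in the report above.
sample_firefox() {
    cat <<'EOF'
MAC: sha1, Iteration 600000
MAC length: 20, salt length: 16
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 600000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 600000
EOF
}

# Constructed sample: keystore written with PBES2/AES for both bags.
sample_modern() {
    cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

sample_firefox | p12_legacy_bags
sample_modern | p12_legacy_bags || echo "no legacy-only PBE algorithms"
```

On a real keystore, pipe the output of the `openssl pkcs12 ... -info -nokeys -nocerts -legacy` command shown above into `p12_legacy_bags`.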
