JiriOndrusek commented on PR #5485:
URL: https://github.com/apache/camel-quarkus/pull/5485#issuecomment-1797963475

   > > > Do you happen to know what aspect of the generated keystore is not FIPS-compliant with keytool-maven-plugin? At first sight, the plugin mojos seem to support all we need: keysize, keyalgorithm, storetype...
   > > 
   > > 
   > > I probably misled a little bit with my comment. It is possible to run successfully the `keytool-maven-plugin`, but I haven't found a way of generating such strong certificates to satisfy runtime in FIPS.
   > > I remember seeing some not-supported algorithms for signing or similar, when I was trying to use keystore only. I don't remember the detail but will save them during investigation of other FIPS issues.
   > 
   > This sounds like an answer: https://stackoverflow.com/a/50398011
   > 
   > > PKCS#12 stores the private key encrypted with a password derived key. It looks like keytool uses pbeWithSHAAnd128BitRC2-CBC (pkcs-12PbeIds 5), a PBES1 algorithm, for doing so. Even the keytool.exe of Oracle Java 9 does use this algorithm, as you can verify by uploading a .p12 file to the online ASN.1 decoder decoding a sample PKCS#12 file.
   > > If I read the [PKCS#12 standard](https://www.rfc-editor.org/rfc/rfc7292) correctly, PBES1 was long ago superseded by the "newer" version of the key derivation system named "PBES2" (mostly PBKDF2 based), which should be used instead. But keytool does not make use of it. This is my interpretation of the error message.
   > > Therefore the certificate and the key may be acceptable, but the PKCS#12 container is not acceptable. You may try to extract key and certificate and save them in a new PKCS#12 file using a current software like OpenSSL (or you simply generate the whole PKCS#12 file directly using OpenSSL).
   
   Thanks for the explanation. I can confirm the behavior, as I tried JKS keystores at first, but they are not accepted by a FIPS-enabled system. I had to move to PKCS12.
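A check for the PKCS#12 detail the quoted answer describes, as an added example that is not part of the PR or of camel-quarkus: a small DER walker that reports whether a keystore's password-based encryption uses the legacy pkcs-12PbeIds (PBES1) schemes keytool emits, which a FIPS provider rejects, or PBES2 with PBKDF2. The two sample blobs are constructed inline and are not real keystores; `classify` can be given the bytes of a real `.p12` file instead.

```python
# pkcs-12PbeIds 1..6 (RC4, 3DES, RC2 keyed via SHA-1) are the PBES1 schemes keytool
# used to shroud key bags; FIPS providers expect PBES2 with PBKDF2 (and an AES cipher).
PBES1 = {"1.2.840.113549.1.12.1.%d" % n for n in range(1, 7)}
PBES2 = {"1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"}  # id-PBES2, id-PBKDF2

def decode_oid(body):  # DER OBJECT IDENTIFIER body -> dotted string
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def iter_tlv(data):  # yield (tag, body) per DER TLV; stop at the first malformed one
    i = 0
    while i + 2 <= len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:  # long-form length with 1..4 length bytes
            n = ln & 0x7F
            if n == 0 or n > 4 or i + n > len(data):
                return
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + ln > len(data):
            return
        yield tag, data[i:i + ln]
        i += ln

def find_pbe_oids(data, found=None):
    """Collect PBE OIDs, descending into constructed types and into OCTET STRINGs,
    because PKCS#12 nests its ContentInfo/SafeContents DER inside OCTET STRINGs."""
    found = [] if found is None else found
    for tag, body in iter_tlv(data):
        if tag == 0x06 and body and decode_oid(body) in PBES1 | PBES2:
            found.append(decode_oid(body))
        elif tag & 0x20 or tag == 0x04:
            find_pbe_oids(body, found)
    return found

def classify(data):  # "PBES1" means a legacy cipher is present: rejected in FIPS mode
    oids = set(find_pbe_oids(data))
    return "PBES1" if oids & PBES1 else "PBES2" if oids & PBES2 else "none"

def tlv(tag, body):  # short-form DER TLV (body < 128 bytes), for the samples below
    return bytes([tag, len(body)]) + body

# Constructed samples (not real keystores): salt + 2000 iterations, then a keytool-style
# pbeWithSHAAnd128BitRC2-CBC AlgorithmIdentifier and a PBES2/PBKDF2 one, each wrapped
# in an OCTET STRING the way a real PKCS#12 file wraps nested content.
PARAMS = tlv(0x30, tlv(0x04, b"\x01" * 8) + tlv(0x02, b"\x07\xd0"))
LEGACY_P12 = tlv(0x04, tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010C0105")) + PARAMS))
MODERN_P12 = tlv(0x04, tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01050D")) + tlv(0x30,
    tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01050C")) + PARAMS))))
```

`openssl pkcs12 -info -in store.p12` prints the same shrouding and encryption algorithms in readable form, which is a quicker check when OpenSSL is at hand.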


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.