Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-9441

Implement support for a keystore using FIPS compliant algorithms

    Details

    • Provenance:
      Ordered by Customer
    • Issue discovered during:
      Customer

      Description

      The P12 files you get from EJBCA are created using Bouncy Castle like this:

      final KeyStore store = KeyStore.getInstance("PKCS12", BouncyCastleProvider.PROVIDER_NAME);
      

      Bouncy Castle uses 3-DES for key protection and 40 bit RC2 to protect the certificates by default. These ciphers are not great by today's standards and if would be nice if we could use AES instead. Currently, there is no option in EJBCA to configure how P12 files are created, or what kind of encryption is used.

      If my understanding is correct, even though the PKCS#12 format itself allows other types of encryption, some clients (e.g. Windows) do not support AES for P12 keystores. However, using 3-DES for both certificates and the private key should be widely supported and would work on FIPS as well:

      final KeyStore store = KeyStore.getInstance("PKCS12-3DES-3DES", BouncyCastleProvider.PROVIDER_NAME);
      

      Bouncy Castle also has their own "FIPS compliant" P12 keystore, and that could be offered as an alternative to the 3-DES P12 keystore. I need to investigate (i.e. ask David) how this is archieved in Bouncy Castle. Example code is available in BC-FJA 1.0.2 (Bouncy Castle FIPS Java API) - User Guide, section 7.1.1 - BCFKS key store.

      I have two customers who have offered their help to test if the new keystore is compatible with their systems.

      Implementation

      Create a new branch fb-ECA-9441-pkcs12-fips
      Add a method KeyTools.createFipsCompliantP12 which creates a FIPS compliant PKCS#12 keystore using Bouncy Castle.
      Create a new token type called BCFKS.
      Invoke this method in RaMasterApiProxyBean.generateKeystore, KeyStoreCreateSessionBean.generateKeyStore and BatchMakeP12Command.createKeysForUser.
      Harden existing P12 keystores using PKCS12-3DES-3DES.
      Add REST API support

      Test

      Configure BCFKS token type in an end entity profile. Test issuance using the RA web
      Open the P12 keystore in Portecle.

      Command that can be used to test a keystore in OpenSSL and print some information about it.

      > openssl pkcs12 -in keystore.p12 -info -noout
      Enter Import Password:
      MAC: sha1, Iteration 102400
      MAC length: 20, salt length: 20
      PKCS7 Data
      Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
      PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
      Certificate bag
      Certificate bag
      

      Customer test

      Send sample P12 files to Sven,

      Documentation

      Update the "End Entity Profiles Fields" page in the documentation. "Token type" is currently not documented at all, so we would have to add some documentation for existing token types as well.

      http://confluence.primekey.com/display/EJBCADS/.End+Entity+Profiles+Fields+v7.5.0

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              bastianf Bastian Fredriksson
              Reporter:
              bastianf Bastian Fredriksson
              Verified by:
              Samuel Lidén Borell
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - 2 days Original Estimate - 2 days
                  2d
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 3 days, 3 hours, 5 minutes
                  3d 3h 5m