From 8223df9e9146a95237726c21d242cd7a8ecf6c88 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Wed, 3 Jan 2024 13:45:02 +0100 Subject: [PATCH] rename Algorithms to Profile Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- deploy/crds/crd-certificates.yaml | 14 ++++++------- .../apis/certmanager/types_certificate.go | 12 +++++------ .../certmanager/v1/zz_generated.conversion.go | 4 ++-- .../certmanager/v1alpha2/types_certificate.go | 12 +++++------ .../v1alpha2/zz_generated.conversion.go | 4 ++-- .../certmanager/v1alpha3/types_certificate.go | 12 +++++------ .../v1alpha3/zz_generated.conversion.go | 4 ++-- .../certmanager/v1beta1/types_certificate.go | 12 +++++------ .../v1beta1/zz_generated.conversion.go | 4 ++-- pkg/apis/certmanager/v1/types_certificate.go | 12 +++++------ .../certificates/issuing/internal/keystore.go | 20 +++++++++---------- .../issuing/internal/keystore_test.go | 16 +++++++-------- .../certificates/issuing/internal/secret.go | 6 +++--- 13 files changed, 66 insertions(+), 66 deletions(-) diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml index f01736f42..0f3c250e8 100644 --- a/deploy/crds/crd-certificates.yaml +++ b/deploy/crds/crd-certificates.yaml @@ -153,13 +153,6 @@ spec: - create - passwordSecretRef properties: - algorithms: - description: "Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret." - type: string - enum: - - LegacyRC2 - - LegacyDES - - Modern2023 create: description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority type: boolean @@ -175,6 +168,13 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string + profile: + description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret." + type: string + enum: + - LegacyRC2 + - LegacyDES + - Modern2023 literalSubject: description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." type: string diff --git a/internal/apis/certmanager/types_certificate.go b/internal/apis/certmanager/types_certificate.go index 497630f9d..ca79c2305 100644 --- a/internal/apis/certmanager/types_certificate.go +++ b/internal/apis/certmanager/types_certificate.go @@ -411,7 +411,7 @@ type PKCS12Keystore struct { // containing the password used to encrypt the PKCS12 keystore. PasswordSecretRef cmmeta.SecretKeySelector - // Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm + // Profile specifies the key and certificate encryption algorithms and the HMAC algorithm // used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. // // If provided, allowed values are: @@ -420,20 +420,20 @@ type PKCS12Keystore struct { // `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms // (eg. because of company policy). Please note that the security of the algorithm is not that important // in reality, because the unencrypted certificate and private key are also stored in the Secret. - Algorithms PKCS12Algorithms + Profile PKCS12Profile } -type PKCS12Algorithms string +type PKCS12Profile string const ( // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2 - LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2" + LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES - LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES" + LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023 - Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023" + Modern2023PKCS12Profile PKCS12Profile = "Modern2023" ) // CertificateStatus defines the observed state of Certificate diff --git a/internal/apis/certmanager/v1/zz_generated.conversion.go b/internal/apis/certmanager/v1/zz_generated.conversion.go index c0d895615..271c19db2 100644 --- a/internal/apis/certmanager/v1/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1/zz_generated.conversion.go @@ -1330,7 +1330,7 @@ func autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *v1.PKCS12Ke if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms) + out.Profile = certmanager.PKCS12Profile(in.Profile) return nil } @@ -1344,7 +1344,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in *certmanager if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = v1.PKCS12Algorithms(in.Algorithms) + out.Profile = v1.PKCS12Profile(in.Profile) return nil } diff --git a/internal/apis/certmanager/v1alpha2/types_certificate.go b/internal/apis/certmanager/v1alpha2/types_certificate.go index 942b544a9..4b38debf7 100644 --- a/internal/apis/certmanager/v1alpha2/types_certificate.go +++ b/internal/apis/certmanager/v1alpha2/types_certificate.go @@ -333,7 +333,7 @@ type PKCS12Keystore struct { // containing the password used to encrypt the PKCS12 keystore. PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"` - // Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm + // Profile specifies the key and certificate encryption algorithms and the HMAC algorithm // used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. // // If provided, allowed values are: @@ -343,21 +343,21 @@ type PKCS12Keystore struct { // (eg. because of company policy). Please note that the security of the algorithm is not that important // in reality, because the unencrypted certificate and private key are also stored in the Secret. // +optional - Algorithms PKCS12Algorithms `json:"algorithms,omitempty"` + Profile PKCS12Profile `json:"profile,omitempty"` } // +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023 -type PKCS12Algorithms string +type PKCS12Profile string const ( // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2 - LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2" + LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES - LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES" + LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023 - Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023" + Modern2023PKCS12Profile PKCS12Profile = "Modern2023" ) // CertificateStatus defines the observed state of Certificate diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go index d392e63c7..12ce7a290 100644 --- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go @@ -1336,7 +1336,7 @@ func autoConvert_v1alpha2_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1 if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms) + out.Profile = certmanager.PKCS12Profile(in.Profile) return nil } @@ -1350,7 +1350,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha2_PKCS12Keystore(in *certm if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = PKCS12Algorithms(in.Algorithms) + out.Profile = PKCS12Profile(in.Profile) return nil } diff --git a/internal/apis/certmanager/v1alpha3/types_certificate.go b/internal/apis/certmanager/v1alpha3/types_certificate.go index d9e341cbc..f7d3e5446 100644 --- a/internal/apis/certmanager/v1alpha3/types_certificate.go +++ b/internal/apis/certmanager/v1alpha3/types_certificate.go @@ -341,7 +341,7 @@ type PKCS12Keystore struct { PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"` - // Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm + // Profile specifies the key and certificate encryption algorithms and the HMAC algorithm // used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. // // If provided, allowed values are: @@ -351,21 +351,21 @@ type PKCS12Keystore struct { // (eg. because of company policy). Please note that the security of the algorithm is not that important // in reality, because the unencrypted certificate and private key are also stored in the Secret. // +optional - Algorithms PKCS12Algorithms `json:"algorithms,omitempty"` + Profile PKCS12Profile `json:"profile,omitempty"` } // +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023 -type PKCS12Algorithms string +type PKCS12Profile string const ( // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2 - LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2" + LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES - LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES" + LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023 - Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023" + Modern2023PKCS12Profile PKCS12Profile = "Modern2023" ) // CertificateStatus defines the observed state of Certificate diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go index 70c7a36ce..bee6c9b60 100644 --- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go @@ -1335,7 +1335,7 @@ func autoConvert_v1alpha3_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1 if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms) + out.Profile = certmanager.PKCS12Profile(in.Profile) return nil } @@ -1349,7 +1349,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha3_PKCS12Keystore(in *certm if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = PKCS12Algorithms(in.Algorithms) + out.Profile = PKCS12Profile(in.Profile) return nil } diff --git a/internal/apis/certmanager/v1beta1/types_certificate.go b/internal/apis/certmanager/v1beta1/types_certificate.go index b576345d0..9153a164f 100644 --- a/internal/apis/certmanager/v1beta1/types_certificate.go +++ b/internal/apis/certmanager/v1beta1/types_certificate.go @@ -338,7 +338,7 @@ type PKCS12Keystore struct { // containing the password used to encrypt the PKCS12 keystore. PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"` - // Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm + // Profile specifies the key and certificate encryption algorithms and the HMAC algorithm // used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. // // If provided, allowed values are: @@ -348,21 +348,21 @@ type PKCS12Keystore struct { // (eg. because of company policy). Please note that the security of the algorithm is not that important // in reality, because the unencrypted certificate and private key are also stored in the Secret. // +optional - Algorithms PKCS12Algorithms `json:"algorithms,omitempty"` + Profile PKCS12Profile `json:"profile,omitempty"` } // +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023 -type PKCS12Algorithms string +type PKCS12Profile string const ( // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2 - LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2" + LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES - LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES" + LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023 - Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023" + Modern2023PKCS12Profile PKCS12Profile = "Modern2023" ) // CertificateStatus defines the observed state of Certificate diff --git a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go index fbe929a02..942521a0a 100644 --- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go +++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go @@ -1318,7 +1318,7 @@ func autoConvert_v1beta1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12 if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms) + out.Profile = certmanager.PKCS12Profile(in.Profile) return nil } @@ -1332,7 +1332,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1beta1_PKCS12Keystore(in *certma if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil { return err } - out.Algorithms = PKCS12Algorithms(in.Algorithms) + out.Profile = PKCS12Profile(in.Profile) return nil } diff --git a/pkg/apis/certmanager/v1/types_certificate.go b/pkg/apis/certmanager/v1/types_certificate.go index 4acd37394..7c9ae81e6 100644 --- a/pkg/apis/certmanager/v1/types_certificate.go +++ b/pkg/apis/certmanager/v1/types_certificate.go @@ -462,7 +462,7 @@ type PKCS12Keystore struct { // containing the password used to encrypt the PKCS12 keystore. PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"` - // Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm + // Profile specifies the key and certificate encryption algorithms and the HMAC algorithm // used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. // // If provided, allowed values are: @@ -472,21 +472,21 @@ type PKCS12Keystore struct { // (eg. because of company policy). Please note that the security of the algorithm is not that important // in reality, because the unencrypted certificate and private key are also stored in the Secret. // +optional - Algorithms PKCS12Algorithms `json:"algorithms,omitempty"` + Profile PKCS12Profile `json:"profile,omitempty"` } // +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023 -type PKCS12Algorithms string +type PKCS12Profile string const ( // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2 - LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2" + LegacyRC2PKCS12Profile PKCS12Profile = "LegacyRC2" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES - LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES" + LegacyDESPKCS12Profile PKCS12Profile = "LegacyDES" // see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023 - Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023" + Modern2023PKCS12Profile PKCS12Profile = "Modern2023" ) // CertificateStatus defines the observed state of Certificate diff --git a/pkg/controller/certificates/issuing/internal/keystore.go b/pkg/controller/certificates/issuing/internal/keystore.go index 72c3b85f1..286a2d75a 100644 --- a/pkg/controller/certificates/issuing/internal/keystore.go +++ b/pkg/controller/certificates/issuing/internal/keystore.go @@ -39,7 +39,7 @@ import ( // If the certificate data contains multiple certificates, the first will be used // as the keystores 'certificate' and the remaining certificates will be prepended // to the list of CAs in the resulting keystore. -func encodePKCS12Keystore(algorithms cmapi.PKCS12Algorithms, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) { +func encodePKCS12Keystore(profile cmapi.PKCS12Profile, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) { key, err := pki.DecodePrivateKeyBytes(rawKey) if err != nil { return nil, err @@ -61,19 +61,19 @@ func encodePKCS12Keystore(algorithms cmapi.PKCS12Algorithms, password string, ra cas = append(certs[1:], cas...) } - switch algorithms { - case cmapi.Modern2023PKCS12Algorithms: + switch profile { + case cmapi.Modern2023PKCS12Profile: return pkcs12.Modern2023.Encode(key, certs[0], cas, password) - case cmapi.LegacyDESPKCS12Algorithms: + case cmapi.LegacyDESPKCS12Profile: return pkcs12.LegacyDES.Encode(key, certs[0], cas, password) - case cmapi.LegacyRC2PKCS12Algorithms: + case cmapi.LegacyRC2PKCS12Profile: return pkcs12.LegacyRC2.Encode(key, certs[0], cas, password) default: return pkcs12.LegacyRC2.Encode(key, certs[0], cas, password) } } -func encodePKCS12Truststore(algorithms cmapi.PKCS12Algorithms, password string, caPem []byte) ([]byte, error) { +func encodePKCS12Truststore(profile cmapi.PKCS12Profile, password string, caPem []byte) ([]byte, error) { ca, err := pki.DecodeX509CertificateBytes(caPem) if err != nil { return nil, err @@ -81,12 +81,12 @@ func encodePKCS12Truststore(algorithms cmapi.PKCS12Algorithms, password string, var cas = []*x509.Certificate{ca} - switch algorithms { - case cmapi.Modern2023PKCS12Algorithms: + switch profile { + case cmapi.Modern2023PKCS12Profile: return pkcs12.Modern2023.EncodeTrustStore(cas, password) - case cmapi.LegacyDESPKCS12Algorithms: + case cmapi.LegacyDESPKCS12Profile: return pkcs12.LegacyDES.EncodeTrustStore(cas, password) - case cmapi.LegacyRC2PKCS12Algorithms: + case cmapi.LegacyRC2PKCS12Profile: return pkcs12.LegacyRC2.EncodeTrustStore(cas, password) default: return pkcs12.LegacyRC2.EncodeTrustStore(cas, password) diff --git a/pkg/controller/certificates/issuing/internal/keystore_test.go b/pkg/controller/certificates/issuing/internal/keystore_test.go index 987c22b0a..aae66cc8d 100644 --- a/pkg/controller/certificates/issuing/internal/keystore_test.go +++ b/pkg/controller/certificates/issuing/internal/keystore_test.go @@ -312,8 +312,8 @@ func TestEncodePKCS12Keystore(t *testing.T) { } for name, test := range tests { t.Run(name, func(t *testing.T) { - for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} { - out, err := encodePKCS12Keystore(algorithm, test.password, test.rawKey, test.certPEM, test.caPEM) + for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} { + out, err := encodePKCS12Keystore(profile, test.password, test.rawKey, test.certPEM, test.caPEM) test.verify(t, out, err) } }) @@ -323,8 +323,8 @@ func TestEncodePKCS12Keystore(t *testing.T) { var emptyCAChain []byte = nil chain := mustLeafWithChain(t) - for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} { - out, err := encodePKCS12Keystore(algorithm, password, chain.leaf.keyPEM, chain.all.certsToPEM(), emptyCAChain) + for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} { + out, err := encodePKCS12Keystore(profile, password, chain.leaf.keyPEM, chain.all.certsToPEM(), emptyCAChain) require.NoError(t, err) pkOut, certOut, caChain, err := pkcs12.DecodeChain(out, password) @@ -344,8 +344,8 @@ func TestEncodePKCS12Keystore(t *testing.T) { require.NoError(t, err) chain := mustLeafWithChain(t) - for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} { - out, err := encodePKCS12Keystore(algorithm, password, chain.leaf.keyPEM, chain.all.certsToPEM(), caChainInPEM) + for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} { + out, err := encodePKCS12Keystore(profile, password, chain.leaf.keyPEM, chain.all.certsToPEM(), caChainInPEM) require.NoError(t, err) pkOut, certOut, caChainOut, err := pkcs12.DecodeChain(out, password) @@ -393,8 +393,8 @@ func TestEncodePKCS12Truststore(t *testing.T) { } for name, test := range tests { t.Run(name, func(t *testing.T) { - for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} { - out, err := encodePKCS12Truststore(algorithm, test.password, test.caPEM) + for _, profile := range []cmapi.PKCS12Profile{"", cmapi.LegacyRC2PKCS12Profile, cmapi.LegacyDESPKCS12Profile, cmapi.Modern2023PKCS12Profile} { + out, err := encodePKCS12Truststore(profile, test.password, test.caPEM) test.verify(t, test.caPEM, out, err) } }) diff --git a/pkg/controller/certificates/issuing/internal/secret.go b/pkg/controller/certificates/issuing/internal/secret.go index d83efe365..68d49648b 100644 --- a/pkg/controller/certificates/issuing/internal/secret.go +++ b/pkg/controller/certificates/issuing/internal/secret.go @@ -258,8 +258,8 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec return fmt.Errorf("PKCS12 keystore password Secret contains no data for key %q", ref.Key) } pw := pwSecret.Data[ref.Key] - algorithms := crt.Spec.Keystores.PKCS12.Algorithms - keystoreData, err := encodePKCS12Keystore(algorithms, string(pw), data.PrivateKey, data.Certificate, data.CA) + profile := crt.Spec.Keystores.PKCS12.Profile + keystoreData, err := encodePKCS12Keystore(profile, string(pw), data.PrivateKey, data.Certificate, data.CA) if err != nil { return fmt.Errorf("error encoding PKCS12 bundle: %w", err) } @@ -267,7 +267,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec secret.Data[cmapi.PKCS12SecretKey] = keystoreData if len(data.CA) > 0 { - truststoreData, err := encodePKCS12Truststore(algorithms, string(pw), data.CA) + truststoreData, err := encodePKCS12Truststore(profile, string(pw), data.CA) if err != nil { return fmt.Errorf("error encoding PKCS12 trust store bundle: %w", err) }