apply PR feedback

Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>

deploy/crds/crd-certificates.yaml

@@ -153,13 +153,13 @@ spec:
                         - create
                         - passwordSecretRef
                       properties:
-                        algorithm:
-                          description: "Algorithm is the encryption algorithm used to create the PKCS12 keystore. Default value is `RC2` for backward compatibility. \n If provided, allowed values are: `RC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `DES3`: Less secure, used for maximal compatibility. `SHA256`: Preferred for security, used when indicated by policy. (PEM format also stored in Secret.)"
+                        algorithms:
+                          description: "Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure, used for maximal compatibility. `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret."
                           type: string
                           enum:
-                            - RC2
-                            - DES3
-                            - AES256
+                            - LegacyRC2
+                            - LegacyDES
+                            - Modern2023
                         create:
                           description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
                           type: boolean

internal/apis/certmanager/types_certificate.go

@@ -411,27 +411,27 @@ type PKCS12Keystore struct {
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector
 
-	// Algorithm is the encryption algorithm used to create the PKCS12 keystore.
-	// Default value is `RC2` for backward compatibility.
+	// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
+	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
 	//
 	// If provided, allowed values are:
-	// `RC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
-	// `DES3`: Less secure, used for maximal compatibility.
-	// `SHA256`: Preferred for security, used when indicated by policy. (PEM format also stored in Secret.)
-	Algorithm PKCS12Algorithm
+	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+	// `LegacyDES`: Less secure, used for maximal compatibility.
+	// `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
+	Algorithms PKCS12Algorithms
 }
 
-type PKCS12Algorithm string
+type PKCS12Algorithms string
 
 const (
-	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
-	RC2PKCS12Algorithm PKCS12Algorithm = "RC2"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
+	LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
 
-	// PBE with 3DES certificate and key algorithm and HMAC-SHA-1 MAC algorithm.
-	DES3PKCS12Algorithm PKCS12Algorithm = "DES3"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
+	LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
 
-	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
-	AESPKCS12Algorithm PKCS12Algorithm = "AES256"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
+	Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
 )
 
 // CertificateStatus defines the observed state of Certificate

internal/apis/certmanager/v1/zz_generated.conversion.go

@@ -1330,7 +1330,7 @@ func autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *v1.PKCS12Ke
 	if err := internalapismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 
@@ -1344,7 +1344,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1_PKCS12Keystore(in *certmanager
 	if err := internalapismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = v1.PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = v1.PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 

internal/apis/certmanager/v1alpha2/types_certificate.go

@@ -333,29 +333,29 @@ type PKCS12Keystore struct {
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
 
-	// Algorithm is the encryption algorithm used to create the PKCS12 keystore.
-	// Default value is `RC2` for backward compatibility.
+	// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
+	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
 	//
 	// If provided, allowed values are:
-	// `RC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
-	// `DES3`: Less secure, used for maximal compatibility.
-	// `SHA256`: Preferred for security, used when indicated by policy. (PEM format also stored in Secret.)
+	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+	// `LegacyDES`: Less secure, used for maximal compatibility.
+	// `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
 	// +optional
-	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
+	Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=RC2;DES3;AES256
-type PKCS12Algorithm string
+// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
+type PKCS12Algorithms string
 
 const (
-	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
-	RC2PKCS12Algorithm PKCS12Algorithm = "RC2"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
+	LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
 
-	// PBE with 3DES certificate and key algorithm and HMAC-SHA-1 MAC algorithm.
-	DES3PKCS12Algorithm PKCS12Algorithm = "DES3"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
+	LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
 
-	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
-	AESPKCS12Algorithm PKCS12Algorithm = "AES256"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
+	Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
 )
 
 // CertificateStatus defines the observed state of Certificate

internal/apis/certmanager/v1alpha2/zz_generated.conversion.go

@@ -1336,7 +1336,7 @@ func autoConvert_v1alpha2_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 
@@ -1350,7 +1350,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha2_PKCS12Keystore(in *certm
 	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 

internal/apis/certmanager/v1alpha3/types_certificate.go

@@ -341,29 +341,29 @@ type PKCS12Keystore struct {
 
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
 
-	// Algorithm is the encryption algorithm used to create the PKCS12 keystore.
-	// Default value is `RC2` for backward compatibility.
+	// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
+	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
 	//
 	// If provided, allowed values are:
-	// `RC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
-	// `DES3`: Less secure, used for maximal compatibility.
-	// `SHA256`: Preferred for security, used when indicated by policy. (PEM format also stored in Secret.)
+	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+	// `LegacyDES`: Less secure, used for maximal compatibility.
+	// `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
 	// +optional
-	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
+	Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=RC2;DES3;AES256
-type PKCS12Algorithm string
+// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
+type PKCS12Algorithms string
 
 const (
-	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
-	RC2PKCS12Algorithm PKCS12Algorithm = "RC2"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
+	LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
 
-	// PBE with 3DES certificate and key algorithm and HMAC-SHA-1 MAC algorithm.
-	DES3PKCS12Algorithm PKCS12Algorithm = "DES3"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
+	LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
 
-	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
-	AESPKCS12Algorithm PKCS12Algorithm = "AES256"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
+	Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
 )
 
 // CertificateStatus defines the observed state of Certificate

internal/apis/certmanager/v1alpha3/zz_generated.conversion.go

@@ -1335,7 +1335,7 @@ func autoConvert_v1alpha3_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS1
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 
@@ -1349,7 +1349,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1alpha3_PKCS12Keystore(in *certm
 	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 

internal/apis/certmanager/v1beta1/types_certificate.go

@@ -338,29 +338,29 @@ type PKCS12Keystore struct {
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
 
-	// Algorithm is the encryption algorithm used to create the PKCS12 keystore.
-	// Default value is `RC2` for backward compatibility.
+	// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
+	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
 	//
 	// If provided, allowed values are:
-	// `RC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
-	// `DES3`: Less secure, used for maximal compatibility.
-	// `SHA256`: Preferred for security, used when indicated by policy. (PEM format also stored in Secret.)
+	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+	// `LegacyDES`: Less secure, used for maximal compatibility.
+	// `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
 	// +optional
-	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
+	Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=RC2;DES3;AES256
-type PKCS12Algorithm string
+// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
+type PKCS12Algorithms string
 
 const (
-	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
-	RC2PKCS12Algorithm PKCS12Algorithm = "RC2"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
+	LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
 
-	// PBE with 3DES certificate and key algorithm and HMAC-SHA-1 MAC algorithm.
-	DES3PKCS12Algorithm PKCS12Algorithm = "DES3"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
+	LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
 
-	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
-	AESPKCS12Algorithm PKCS12Algorithm = "AES256"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
+	Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
 )
 
 // CertificateStatus defines the observed state of Certificate

internal/apis/certmanager/v1beta1/zz_generated.conversion.go

@@ -1318,7 +1318,7 @@ func autoConvert_v1beta1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12
 	if err := apismetav1.Convert_v1_SecretKeySelector_To_meta_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = certmanager.PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = certmanager.PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 
@@ -1332,7 +1332,7 @@ func autoConvert_certmanager_PKCS12Keystore_To_v1beta1_PKCS12Keystore(in *certma
 	if err := apismetav1.Convert_meta_SecretKeySelector_To_v1_SecretKeySelector(&in.PasswordSecretRef, &out.PasswordSecretRef, s); err != nil {
 		return err
 	}
-	out.Algorithm = PKCS12Algorithm(in.Algorithm)
+	out.Algorithms = PKCS12Algorithms(in.Algorithms)
 	return nil
 }
 

pkg/apis/certmanager/v1/types_certificate.go

@@ -462,29 +462,29 @@ type PKCS12Keystore struct {
 	// containing the password used to encrypt the PKCS12 keystore.
 	PasswordSecretRef cmmeta.SecretKeySelector `json:"passwordSecretRef"`
 
-	// Algorithm is the encryption algorithm used to create the PKCS12 keystore.
-	// Default value is `RC2` for backward compatibility.
+	// Algorithms are specifying the key and certificate encryption algorithms and the HMAC algorithm
+	// used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility.
 	//
 	// If provided, allowed values are:
-	// `RC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
-	// `DES3`: Less secure, used for maximal compatibility.
-	// `SHA256`: Preferred for security, used when indicated by policy. (PEM format also stored in Secret.)
+	// `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20.
+	// `LegacyDES`: Less secure, used for maximal compatibility.
+	// `Modern2023`: Preferred for security, used when indicated by policy. PEM format also stored in Secret.
 	// +optional
-	Algorithm PKCS12Algorithm `json:"algorithm,omitempty"`
+	Algorithms PKCS12Algorithms `json:"algorithms,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=RC2;DES3;AES256
-type PKCS12Algorithm string
+// +kubebuilder:validation:Enum=LegacyRC2;LegacyDES;Modern2023
+type PKCS12Algorithms string
 
 const (
-	// PBE with RC2 certificate algorithm, PBE with 3DES key algorithm and HMAC-SHA-1 MAC algorithm.
-	RC2PKCS12Algorithm PKCS12Algorithm = "RC2"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2
+	LegacyRC2PKCS12Algorithms PKCS12Algorithms = "LegacyRC2"
 
-	// PBE with 3DES certificate and key algorithm and HMAC-SHA-1 MAC algorithm.
-	DES3PKCS12Algorithm PKCS12Algorithm = "DES3"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES
+	LegacyDESPKCS12Algorithms PKCS12Algorithms = "LegacyDES"
 
-	// PBES2 with PBKDF2-HMAC-SHA-256 and AES-256-CBC certificate and key algorithm and HMAC-SHA-2 MAC algorithm.
-	AESPKCS12Algorithm PKCS12Algorithm = "AES256"
+	// see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023
+	Modern2023PKCS12Algorithms PKCS12Algorithms = "Modern2023"
 )
 
 // CertificateStatus defines the observed state of Certificate

pkg/controller/certificates/issuing/internal/keystore.go

@@ -39,7 +39,7 @@ import (
 // If the certificate data contains multiple certificates, the first will be used
 // as the keystores 'certificate' and the remaining certificates will be prepended
 // to the list of CAs in the resulting keystore.
-func encodePKCS12Keystore(algorithm cmapi.PKCS12Algorithm, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) {
+func encodePKCS12Keystore(algorithms cmapi.PKCS12Algorithms, password string, rawKey []byte, certPem []byte, caPem []byte) ([]byte, error) {
 	key, err := pki.DecodePrivateKeyBytes(rawKey)
 	if err != nil {
 		return nil, err
@@ -61,19 +61,19 @@ func encodePKCS12Keystore(algorithm cmapi.PKCS12Algorithm, password string, rawK
 		cas = append(certs[1:], cas...)
 	}
 
-	switch algorithm {
-	case cmapi.AESPKCS12Algorithm:
+	switch algorithms {
+	case cmapi.Modern2023PKCS12Algorithms:
 		return pkcs12.Modern2023.Encode(key, certs[0], cas, password)
-	case cmapi.DES3PKCS12Algorithm:
+	case cmapi.LegacyDESPKCS12Algorithms:
 		return pkcs12.LegacyDES.Encode(key, certs[0], cas, password)
-	case cmapi.RC2PKCS12Algorithm:
+	case cmapi.LegacyRC2PKCS12Algorithms:
 		return pkcs12.LegacyRC2.Encode(key, certs[0], cas, password)
 	default:
 		return pkcs12.LegacyRC2.Encode(key, certs[0], cas, password)
 	}
 }
 
-func encodePKCS12Truststore(algorithm cmapi.PKCS12Algorithm, password string, caPem []byte) ([]byte, error) {
+func encodePKCS12Truststore(algorithms cmapi.PKCS12Algorithms, password string, caPem []byte) ([]byte, error) {
 	ca, err := pki.DecodeX509CertificateBytes(caPem)
 	if err != nil {
 		return nil, err
@@ -81,12 +81,12 @@ func encodePKCS12Truststore(algorithm cmapi.PKCS12Algorithm, password string, ca
 
 	var cas = []*x509.Certificate{ca}
 
-	switch algorithm {
-	case cmapi.AESPKCS12Algorithm:
+	switch algorithms {
+	case cmapi.Modern2023PKCS12Algorithms:
 		return pkcs12.Modern2023.EncodeTrustStore(cas, password)
-	case cmapi.DES3PKCS12Algorithm:
+	case cmapi.LegacyDESPKCS12Algorithms:
 		return pkcs12.LegacyDES.EncodeTrustStore(cas, password)
-	case cmapi.RC2PKCS12Algorithm:
+	case cmapi.LegacyRC2PKCS12Algorithms:
 		return pkcs12.LegacyRC2.EncodeTrustStore(cas, password)
 	default:
 		return pkcs12.LegacyRC2.EncodeTrustStore(cas, password)

pkg/controller/certificates/issuing/internal/keystore_test.go

@@ -312,7 +312,7 @@ func TestEncodePKCS12Keystore(t *testing.T) {
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			for _, algorithm := range []cmapi.PKCS12Algorithm{"", cmapi.RC2PKCS12Algorithm, cmapi.DES3PKCS12Algorithm, cmapi.AESPKCS12Algorithm} {
+			for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
 				out, err := encodePKCS12Keystore(algorithm, test.password, test.rawKey, test.certPEM, test.caPEM)
 				test.verify(t, out, err)
 			}
@@ -323,7 +323,7 @@ func TestEncodePKCS12Keystore(t *testing.T) {
 		var emptyCAChain []byte = nil
 
 		chain := mustLeafWithChain(t)
-		for _, algorithm := range []cmapi.PKCS12Algorithm{"", cmapi.RC2PKCS12Algorithm, cmapi.DES3PKCS12Algorithm, cmapi.AESPKCS12Algorithm} {
+		for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
 			out, err := encodePKCS12Keystore(algorithm, password, chain.leaf.keyPEM, chain.all.certsToPEM(), emptyCAChain)
 			require.NoError(t, err)
 
@@ -344,7 +344,7 @@ func TestEncodePKCS12Keystore(t *testing.T) {
 		require.NoError(t, err)
 
 		chain := mustLeafWithChain(t)
-		for _, algorithm := range []cmapi.PKCS12Algorithm{"", cmapi.RC2PKCS12Algorithm, cmapi.DES3PKCS12Algorithm, cmapi.AESPKCS12Algorithm} {
+		for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
 			out, err := encodePKCS12Keystore(algorithm, password, chain.leaf.keyPEM, chain.all.certsToPEM(), caChainInPEM)
 			require.NoError(t, err)
 
@@ -393,7 +393,7 @@ func TestEncodePKCS12Truststore(t *testing.T) {
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
-			for _, algorithm := range []cmapi.PKCS12Algorithm{"", cmapi.RC2PKCS12Algorithm, cmapi.DES3PKCS12Algorithm, cmapi.AESPKCS12Algorithm} {
+			for _, algorithm := range []cmapi.PKCS12Algorithms{"", cmapi.LegacyRC2PKCS12Algorithms, cmapi.LegacyDESPKCS12Algorithms, cmapi.Modern2023PKCS12Algorithms} {
 				out, err := encodePKCS12Truststore(algorithm, test.password, test.caPEM)
 				test.verify(t, test.caPEM, out, err)
 			}

pkg/controller/certificates/issuing/internal/secret.go

@@ -258,8 +258,8 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
 			return fmt.Errorf("PKCS12 keystore password Secret contains no data for key %q", ref.Key)
 		}
 		pw := pwSecret.Data[ref.Key]
-		algorithm := crt.Spec.Keystores.PKCS12.Algorithm
-		keystoreData, err := encodePKCS12Keystore(algorithm, string(pw), data.PrivateKey, data.Certificate, data.CA)
+		algorithms := crt.Spec.Keystores.PKCS12.Algorithms
+		keystoreData, err := encodePKCS12Keystore(algorithms, string(pw), data.PrivateKey, data.Certificate, data.CA)
 		if err != nil {
 			return fmt.Errorf("error encoding PKCS12 bundle: %w", err)
 		}
@@ -267,7 +267,7 @@ func (s *SecretsManager) setKeystores(crt *cmapi.Certificate, secret *corev1.Sec
 		secret.Data[cmapi.PKCS12SecretKey] = keystoreData
 
 		if len(data.CA) > 0 {
-			truststoreData, err := encodePKCS12Truststore(algorithm, string(pw), data.CA)
+			truststoreData, err := encodePKCS12Truststore(algorithms, string(pw), data.CA)
 			if err != nil {
 				return fmt.Errorf("error encoding PKCS12 trust store bundle: %w", err)
 			}