How to remove support of PBEWithSHA1AndDESede algorithm in p12 files

[vivekananda501]

Hi,

I want to generate a login certificate(p12 file) not with the PBEWithSHA1AndDESede algorithm.

When I deployed my application as a docker image with the base image of Redhat OpenJDK, I faced the below error:
java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede.

When I ran the below sample application in my application, it did not list the PBEWithSHA1AndDESede algorithm.

import java.security.Security;

public class CipherList {
  public static void main(String a[]) {
    System.out.println("Cipher List::" + Security.getAlgorithms("Cipher"));
  }
}

Output:
[PBEWITHHMACSHA384ANDAES_128, RSA/ECB/NOPADDING, AES_256/GCM/NOPADDING, DESEDE/ECB/NOPADDING, AES/CBC/PKCS5PADDING, AES_192/GCM/NOPADDING, PBEWITHHMACSHA512ANDAES_128, AES_256/CBC/NOPADDING, AES/CTR/NOPADDING, AES_256/ECB/NOPADDING, PBEWITHHMACSHA224ANDAES_256, AES_128/CBC/NOPADDING, DESEDE/CBC/NOPADDING, DES/ECB/NOPADDING, AES_192/CBC/NOPADDING, PBEWITHHMACSHA256ANDAES_256, PBEWITHHMACSHA1ANDAES_128, DESEDE/CBC/PKCS5PADDING, AES_128/ECB/NOPADDING, DESEDE/ECB/PKCS5PADDING, PBEWITHHMACSHA512ANDAES_256, CHACHA20-POLY1305, DES/CBC/NOPADDING, AES/ECB/NOPADDING, AES/GCM/NOPADDING, AES/CBC/NOPADDING, AES_192/ECB/NOPADDING, DES/ECB/PKCS5PADDING, ARCFOUR, DES/CBC/PKCS5PADDING, RSA/ECB/PKCS1PADDING, AES_128/GCM/NOPADDING, AES/ECB/PKCS5PADDING, PBEWITHHMACSHA256ANDAES_128, PBEWITHHMACSHA384ANDAES_256, PBEWITHHMACSHA1ANDAES_256, PBEWITHHMACSHA224ANDAES_128]

How to use the specific algorithm from the above list or how to remove the default one.

[primetomas]

It's not a bug, it's as designed.
EJBCA currently generates P12 keystores with pbeWithSHA1And3-KeyTripleDES-CBC.

openssl pkcs12 -in ~/tmp/kara/superadmin-2024.p12 -info
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 51200
Certificate bag

Not sure what you did to get PBEWithSHA1AndDESede? Doesn't sound like it was from EJBCA?

There is a feature ticket to enable usage of AES instead of 3DES.

[vivekananda501]

Hi Tomas,

I'm running the ejbca docker image & my CA application at STIG based environment. There I got the issue while loading the p12 file with password. In that environment, the algorithm support is removed.

java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede.

Below is the outpu of the command openssl pkcs12 -in superadmin.p12 -info
MAC: sha1, Iteration 102400
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
friendlyName: superadmin
localKeyID: 54 69 6D 65 20 31 37 32 39 34 39 37 30 35 30 36 37 30

When I expect this feature to get released.

[primetomas]

Your output shows "PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256" not PBEWithSHA1AndDESede.
So it doesn't look like your superadmin.p12 was generated by EJBCA. On the other hand, I don't think your container tries to load superadmin.p12 right, but a server keystore, and a truststore keystore. Better look into those instead.

[primetomas]

We've assisted in deployments in various certified environments, including FIPS certified. But this forum is not likely to be able to assist with complex certified environments.