
Document support for PKCS#12 #860

Merged: 25 commits merged into v-WIP/24.3 from DOC-539 on Nov 26, 2024

Conversation

@JakeSCahill (Contributor) commented Nov 14, 2024

Description

Review deadline: 20 November

Note to reviewers: I haven't updated the Kubernetes docs because the Helm chart requires updates to support PKCS#12. Related Jira is here: https://redpandadata.atlassian.net/browse/K8S-347

Page previews

https://deploy-preview-860--redpanda-docs-preview.netlify.app/24.3/manage/security/encryption/#pkcs

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc.)

Deflaimun and others added 15 commits October 30, 2024 16:22
@JakeSCahill JakeSCahill requested a review from a team as a code owner November 14, 2024 16:37
netlify bot commented Nov 14, 2024

Deploy Preview for redpanda-docs-preview ready!

Latest commit: baa286d
Latest deploy log: https://app.netlify.com/sites/redpanda-docs-preview/deploys/6745fb049f181000089c9be8
Deploy Preview: https://deploy-preview-860--redpanda-docs-preview.netlify.app

@michael-redpanda (Contributor) left a comment:

Looks great! Now the fun part - turns out PKCS#12 doesn't work in FIPS. So I think we need a call out for that.

So some background information on this (discovered in this PR)

The MAC key derivation algorithm used for PKCS#12 is PKCS12KDF. This is not a FIPS-supported algorithm. This means that, when running in FIPS mode, the OpenSSL FIPS provider will error out on unwrapping a PKCS#12 file.

A proposal (RFC 9579) has been made to replace that with PBMAC1, which is FIPS-compliant. The ability to unwrap a PKCS#12 file using that is in OpenSSL 3.4, which we haven't updated to yet.

Some other reading can be found here: https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12
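The PKCS12KDF-versus-PBMAC1 distinction described in this comment is visible in the keystore itself: the digestAlgorithm OID inside the PFX MacData is id-PBMAC1 (1.2.840.113549.1.5.14) for an RFC 9579 file and a plain hash OID (for example SHA-256) for a legacy PKCS12KDF file. The following is an added example, not code from this PR or from Redpanda: a stdlib-only Python checker that classifies a DER .p12 by that OID, with constructed sample inputs (minimal PFX shells, not usable keystores) built by the same block.

```python
# Added example (not from the Redpanda PR): report whether a DER PKCS#12 (PFX)
# file's integrity MAC is legacy PKCS12KDF or PBMAC1 (RFC 9579). Samples are constructed.
OID_PBMAC1 = "1.2.840.113549.1.5.14"   # id-PBMAC1 (PKCS #5 v2.1)
OID_SHA256 = "2.16.840.1.101.3.4.2.1"  # digestAlgorithm of a legacy PKCS12KDF MAC

def _encode_oid(dotted):               # DER content octets of a dotted OID
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def _read_tlv(buf, pos):               # one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length (real PFX files use it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pfx_mac_scheme(der):
    """Return 'pbmac1', 'pkcs12kdf' or 'none' for a DER-encoded PFX."""
    tag, pfx, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM/base64 input must be decoded first)")
    _, _, pos = _read_tlv(pfx, 0)      # version INTEGER
    _, _, pos = _read_tlv(pfx, pos)    # authSafe ContentInfo
    if pos >= len(pfx):
        return "none"                  # no MacData: file carries no integrity MAC at all
    _, mac_data, _ = _read_tlv(pfx, pos)
    _, digest_info, _ = _read_tlv(mac_data, 0)   # MacData.mac (DigestInfo)
    _, alg_id, _ = _read_tlv(digest_info, 0)     # DigestInfo.digestAlgorithm
    _, oid, _ = _read_tlv(alg_id, 0)             # AlgorithmIdentifier.algorithm
    return "pbmac1" if oid == _encode_oid(OID_PBMAC1) else "pkcs12kdf"

def _tlv(tag, body):                   # short-form length only; samples stay under 128 bytes
    return bytes([tag, len(body)]) + body

def sample_pfx(mac_oid):
    """Constructed minimal PFX (not a usable keystore): v3, empty id-data authSafe, MacData."""
    auth_safe = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.113549.1.7.1")))  # id-data
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(mac_oid)))
    digest_info = _tlv(0x30, alg_id + _tlv(0x04, b"\x00" * 32))
    mac_data = _tlv(0x30, digest_info + _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x01"))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe + mac_data)
```

On a real keystore, call `pfx_mac_scheme(open("store.p12", "rb").read())`; a result of `pkcs12kdf` means the file will fail to unwrap under a FIPS provider and should be regenerated with PBMAC1 or converted to PEM.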

@JakeSCahill (Contributor, Author) replied, quoting the comment above:

> Looks great! Now the fun part - turns out PKCS#12 doesn't work in FIPS. So I think we need a call out for that.
>
> So some background information on this (discovered in this PR)
>
> The MAC key derivation algorithm used for PKCS#12 is PKCS12KDF. This is not a FIPS-supported algorithm. This means that, when running in FIPS mode, the OpenSSL FIPS provider will error out on unwrapping a PKCS#12 file.
>
> A proposal (RFC 9579) has been made to replace that with PBMAC1, which is FIPS-compliant. The ability to unwrap a PKCS#12 file using that is in OpenSSL 3.4, which we haven't updated to yet.
>
> Some other reading can be found here: https://www.redhat.com/en/blog/fips-140-3-changes-pkcs-12

Thanks @michael-redpanda - I added some of this context to the TLS doc and the FIPS doc


NOTE: If you haven't generated the `.key` and `.crt` files, refer to <<gen-certs, Generate certificate files>>.
NOTE: PKCS#12 keys are not supported when xref:manage:security/fips-compliance.adoc[FIPS mode] is enabled in Redpanda. The PKCS12KDF algorithm used in PKCS#12 is not FIPS-compliant. To use Redpanda in FIPS mode, configure your certificates and keys in <<pem,PEM format>> instead.
Contributor (review comment): praise: 👍

@asimms41 (Contributor) left a comment: Just a couple of minor comments/observations.

modules/manage/pages/security/encryption.adoc (outdated; resolved)
@@ -113,31 +126,29 @@ certificates (created above).

|`-batch` |Batch mode, where certificates are certified automatically.
|===
+
The output `ca.crt` is the CA's public certificate, which you'll use in the truststore.
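Review bot: the `-batch` row understates what the flag does. If this table documents `openssl ca`, `-batch` suppresses the interactive confirmation prompts, so every request is signed without anyone looking at it; suggest `|`-batch` |Batch mode: no confirmation prompts are shown and every certificate request is signed automatically.` so readers scripting the step against a long-lived CA know what they are giving up. On the last line, "CA's" and "you'll" are the apostrophes the reviewer's comment refers to; "The output `ca.crt` is the public certificate of the CA. Add it to the truststore." says the same without contractions.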
Contributor (review comment): Again, the rendering of the apostrophe looks odd?

modules/manage/pages/security/encryption.adoc (outdated; resolved)
truststore_file: <path-to-PEM-formatted-CA-file>
cert_file: <path-to-pem-cert-file>
key_file: <path-to-pem-key-file>
truststore_file: <path-to-pem-CA-file>
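Review bot: placeholder casing is inconsistent within one block: `<path-to-PEM-formatted-CA-file>` and `<path-to-pem-CA-file>` sit next to `<path-to-pem-cert-file>` and `<path-to-pem-key-file>`. Use `<path-to-pem-ca-file>` for the truststore line so all three paths follow one lowercase pattern, which is also what lets the placeholder render as an editable field.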
Contributor (review comment): The caps in CA are stopping this from being an editable field.

@JakeSCahill JakeSCahill merged commit 8b65a24 into v-WIP/24.3 Nov 26, 2024
7 checks passed
@JakeSCahill JakeSCahill deleted the DOC-539 branch November 26, 2024 17:03