test

Author: tanmay-hc

builder/azure/pkcs12/crypto.go

@@ -6,18 +6,15 @@ package pkcs12
 
 import (
 	"bytes"
-	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
 	"crypto/rand"
-	"crypto/sha256"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"errors"
 	"io"
 
 	"github.com/hashicorp/packer-plugin-azure/builder/azure/pkcs12/rc2"
-	"golang.org/x/crypto/pbkdf2"
 )
 
 const (
@@ -29,11 +26,6 @@ const (
 var (
 	oidPBEWithSHAAnd3KeyTripleDESCBC = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 3})
 	oidPBEWithSHAAnd40BitRC2CBC      = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 6})
-	// PBES2 (Password-Based Encryption Scheme 2) from PKCS#5 v2.0
-	oidPBES2      = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 5, 13})
-	oidPBKDF2     = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 5, 12})
-	oidHMACSHA256 = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 2, 9})
-	oidAES256CBC  = asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 1, 42})
 )
 
 // pbeCipher is an abstraction of a PKCS#12 cipher.
@@ -79,30 +71,7 @@ type pbeParams struct {
 	Iterations int
 }
 
-// PBES2 parameters as per PKCS#5 v2.0
-type pbes2Params struct {
-	KeyDerivationFunc pkix.AlgorithmIdentifier
-	EncryptionScheme  pkix.AlgorithmIdentifier
-}
-
-type pbkdf2Params struct {
-	Salt           []byte
-	IterationCount int
-	KeyLength      int                      `asn1:"optional"`
-	PRF            pkix.AlgorithmIdentifier `asn1:"optional"`
-}
-
-type aes256CBCParams struct {
-	IV []byte
-}
-
 func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher.BlockMode, int, error) {
-	// Check if this is PBES2 (modern AES-256)
-	if algorithm.Algorithm.Equal(oidPBES2) {
-		return pbes2Decrypter(algorithm, password)
-	}
-
-	// Legacy PBES1 algorithms
 	var cipherType pbeCipher
 
 	var params pbeParams
@@ -130,46 +99,6 @@ func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher
 	return cipher.NewCBCDecrypter(block, iv), block.BlockSize(), nil
 }
 
-func pbes2Decrypter(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher.BlockMode, int, error) {
-	var params pbes2Params
-	if err := unmarshal(algorithm.Parameters.FullBytes, &params); err != nil {
-		return nil, 0, errors.New("pkcs12: invalid PBES2 parameters: " + err.Error())
-	}
-
-	// Verify we're using PBKDF2
-	if !params.KeyDerivationFunc.Algorithm.Equal(oidPBKDF2) {
-		return nil, 0, NotImplementedError("only PBKDF2 is supported for PBES2")
-	}
-
-	// Parse PBKDF2 parameters
-	var kdfParams pbkdf2Params
-	if err := unmarshal(params.KeyDerivationFunc.Parameters.FullBytes, &kdfParams); err != nil {
-		return nil, 0, errors.New("pkcs12: invalid PBKDF2 parameters: " + err.Error())
-	}
-
-	// Verify we're using AES-256-CBC
-	if !params.EncryptionScheme.Algorithm.Equal(oidAES256CBC) {
-		return nil, 0, NotImplementedError("only AES-256-CBC is supported for PBES2")
-	}
-
-	// Parse AES parameters (IV)
-	var aesParams aes256CBCParams
-	if err := unmarshal(params.EncryptionScheme.Parameters.FullBytes, &aesParams); err != nil {
-		return nil, 0, errors.New("pkcs12: invalid AES parameters: " + err.Error())
-	}
-
-	// Derive key using PBKDF2
-	key := pbkdf2.Key(password, kdfParams.Salt, kdfParams.IterationCount, 32, sha256.New)
-
-	// Create AES cipher
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, 0, err
-	}
-
-	return cipher.NewCBCDecrypter(block, aesParams.IV), block.BlockSize(), nil
-}
-
 func pbDecrypt(info decryptable, password []byte) (decrypted []byte, err error) {
 	cbc, blockSize, err := pbDecrypterFor(info.Algorithm(), password)
 	if err != nil {
@@ -234,30 +163,22 @@ func pbEncrypt(plainText, salt, password []byte, iterations int) (cipherText []b
 	return cipherText, nil
 }
 
-// pbEncryptModern encrypts plainText using AES-256-CBC with PBES2 (PKCS#5 v2.0).
-// This provides modern encryption that is compatible with Windows and Azure while
-// offering much stronger security than legacy Triple DES.
-// Uses 100,000 iterations (OWASP 2021 baseline), providing strong security while
-// maintaining reasonable performance for ephemeral certificates.
-// Returns the ciphertext and the IV used (needed for PBES2 parameters).
-func pbEncryptModern(plainText, salt, password []byte, iterations int) (cipherText, iv []byte, err error) {
+// pbEncryptModern encrypts plainText using Triple DES with a high iteration count.
+// While Triple DES is older, using 100,000+ iterations provides strong security through
+// key stretching and ensures maximum compatibility with Azure Key Vault and Windows.
+// This is the recommended approach for Azure as PBES2/AES is not widely supported.
+func pbEncryptModern(plainText, salt, password []byte, iterations int) (cipherText []byte, err error) {
 	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
-		return nil, nil, errors.New("pkcs12: failed to create a random salt value: " + err.Error())
-	}
-
-	// Generate IV for AES-256-CBC
-	iv = make([]byte, aes.BlockSize)
-	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
-		return nil, nil, errors.New("pkcs12: failed to create IV: " + err.Error())
+		return nil, errors.New("pkcs12: failed to create a random salt value: " + err.Error())
 	}
 
-	// Derive key using PBKDF2 with SHA-256
-	key := pbkdf2.Key(password, salt, iterations, 32, sha256.New)
+	cipherType := shaWithTripleDESCBC{}
+	key := cipherType.deriveKey(salt, password, iterations)
+	iv := cipherType.deriveIV(salt, password, iterations)
 
-	// Create AES cipher
-	block, err := aes.NewCipher(key)
+	block, err := cipherType.create(key)
 	if err != nil {
-		return nil, nil, errors.New("pkcs12: failed to create AES cipher: " + err.Error())
+		return nil, errors.New("pkcs12: failed to create Triple DES cipher: " + err.Error())
 	}
 
 	paddedPlainText := pad(plainText, block.BlockSize())
@@ -266,59 +187,7 @@ func pbEncryptModern(plainText, salt, password []byte, iterations int) (cipherTe
 	cipherText = make([]byte, len(paddedPlainText))
 	encrypter.CryptBlocks(cipherText, paddedPlainText)
 
-	return cipherText, iv, nil
-}
-
-// pbEncryptModernParams returns PBES2 algorithm parameters for AES-256-CBC encryption
-func pbEncryptModernParams(salt, iv []byte, iterations int) (asn1.RawValue, error) {
-	// PBKDF2 parameters
-	pbkdf2Params := pbkdf2Params{
-		Salt:           salt,
-		IterationCount: iterations,
-		KeyLength:      32, // AES-256 requires 32 bytes
-		PRF: pkix.AlgorithmIdentifier{
-			Algorithm: oidHMACSHA256,
-		},
-	}
-
-	pbkdf2ParamsBytes, err := asn1.Marshal(pbkdf2Params)
-	if err != nil {
-		return asn1.RawValue{}, err
-	}
-
-	var pbkdf2ParamsRaw asn1.RawValue
-	if _, err := asn1.Unmarshal(pbkdf2ParamsBytes, &pbkdf2ParamsRaw); err != nil {
-		return asn1.RawValue{}, err
-	}
-
-	// AES-256-CBC parameters (just the IV)
-	aesParams := aes256CBCParams{
-		IV: iv,
-	}
-
-	aesParamsBytes, err := asn1.Marshal(aesParams)
-	if err != nil {
-		return asn1.RawValue{}, err
-	}
-
-	var aesParamsRaw asn1.RawValue
-	if _, err := asn1.Unmarshal(aesParamsBytes, &aesParamsRaw); err != nil {
-		return asn1.RawValue{}, err
-	}
-
-	// PBES2 parameters
-	pbes2Params := pbes2Params{
-		KeyDerivationFunc: pkix.AlgorithmIdentifier{
-			Algorithm:  oidPBKDF2,
-			Parameters: pbkdf2ParamsRaw,
-		},
-		EncryptionScheme: pkix.AlgorithmIdentifier{
-			Algorithm:  oidAES256CBC,
-			Parameters: aesParamsRaw,
-		},
-	}
-
-	return convertToRawVal(pbes2Params)
+	return cipherText, nil
 }
 
 // decryptable abstracts a object that contains ciphertext.

builder/azure/pkcs12/pkcs12.go

@@ -381,7 +381,7 @@ func makeContentInfos(derBytes []byte, privateKey interface{}, password []byte)
 	return contentInfos, nil
 }
 
-// makeShroudedKeyBagContentInfoModern creates content info using AES-256-CBC with PBES2.
+// makeShroudedKeyBagContentInfoModern creates content info using Triple DES with high iteration count.
 func makeShroudedKeyBagContentInfoModern(privateKey interface{}, password []byte) (*contentInfo, error) {
 	shroudedKeyBagBytes, err := encodePkcs8ShroudedKeyBagModern(privateKey, password)
 	if err != nil {
@@ -396,7 +396,7 @@ func makeShroudedKeyBagContentInfoModern(privateKey interface{}, password []byte
 	return makeContentInfo(safeBags)
 }
 
-// makeContentInfosModern creates content infos using AES-256-CBC with PBES2.
+// makeContentInfosModern creates content infos using Triple DES with high iteration count.
 func makeContentInfosModern(derBytes []byte, privateKey interface{}, password []byte) ([]contentInfo, error) {
 	shroudedKeyContentInfo, err := makeShroudedKeyBagContentInfoModern(privateKey, password)
 	if err != nil {
@@ -488,9 +488,10 @@ func Encode(derBytes []byte, privateKey interface{}, password string) (pfxBytes
 }
 
 // EncodeModern converts a certificate and a private key to the PKCS#12 byte stream format
-// using AES-256-CBC encryption with PBES2 (PKCS#5 v2.0).
-// This provides modern, standards-compliant encryption that is fully compatible with
-// Windows and Azure while offering much stronger security than the legacy Triple DES.
+// using Triple DES encryption with a high iteration count (100,000 iterations).
+// While Triple DES is older, the high iteration count provides strong security through
+// key stretching and ensures maximum compatibility with Azure Key Vault and Windows.
+// This is more compatible than PBES2/AES which is not widely supported by Azure.
 //
 // derBytes is a DER encoded certificate.
 // privateKey is an RSA or ECDSA private key.

builder/azure/pkcs12/pkcs12_test.go

@@ -94,7 +94,7 @@ func testPfxRoundTrip(t *testing.T, privateKey interface{}) interface{} {
 	return key
 }
 
-// TestEncodeModernRsa tests encoding with AES-256-CBC via PBES2
+// TestEncodeModernRsa tests encoding with Triple DES and high iteration count (100,000)
 func TestEncodeModernRsa(t *testing.T) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
@@ -106,7 +106,7 @@ func TestEncodeModernRsa(t *testing.T) {
 		t.Fatal(err.Error())
 	}
 
-	// Test with EncodeModern (AES-256-CBC with PBES2)
+	// Test with EncodeModern (Triple DES with 100,000 iterations)
 	pfxBytes, err := EncodeModern(certificateBytes, privateKey, "testpassword")
 	if err != nil {
 		t.Fatalf("EncodeModern failed: %v", err)

builder/azure/pkcs12/safebags.go

@@ -70,9 +70,9 @@ func encodePkcs8ShroudedKeyBag(privateKey interface{}, password []byte) (bytes [
 	return bytes, err
 }
 
-// encodePkcs8ShroudedKeyBagModern encodes a private key using AES-256-CBC with PBES2.
-// This provides modern, standards-compliant encryption that is compatible with
-// Windows and Azure while offering much stronger security than legacy Triple DES.
+// encodePkcs8ShroudedKeyBagModern encodes a private key using Triple DES with high iteration count.
+// This provides stronger security than the legacy implementation through increased iterations (100,000)
+// while ensuring maximum compatibility with Azure Key Vault and Windows Certificate Store.
 func encodePkcs8ShroudedKeyBagModern(privateKey interface{}, password []byte) (bytes []byte, err error) {
 	privateKeyBytes, err := marshalPKCS8PrivateKey(privateKey)
 
@@ -85,20 +85,20 @@ func encodePkcs8ShroudedKeyBagModern(privateKey interface{}, password []byte) (b
 		return nil, errors.New("pkcs12: error creating PKCS#8 salt: " + err.Error())
 	}
 
-	pkData, iv, err := pbEncryptModern(privateKeyBytes, salt, password, pbeIterationCountModern)
+	pkData, err := pbEncryptModern(privateKeyBytes, salt, password, pbeIterationCountModern)
 	if err != nil {
 		return nil, errors.New("pkcs12: error encoding PKCS#8 shrouded key bag when encrypting cert bag: " + err.Error())
 	}
 
-	// Create PBES2 parameters
-	params, err := pbEncryptModernParams(salt, iv, pbeIterationCountModern)
+	// Create parameters with high iteration count
+	params, err := getAlgorithmParams(salt, pbeIterationCountModern)
 	if err != nil {
 		return nil, errors.New("pkcs12: error encoding PKCS#8 shrouded key bag algorithm's parameters: " + err.Error())
 	}
 
 	pkinfo := encryptedPrivateKeyInfo{
 		AlgorithmIdentifier: pkix.AlgorithmIdentifier{
-			Algorithm:  oidPBES2,
+			Algorithm:  oidPBEWithSHAAnd3KeyTripleDESCBC,
 			Parameters: params,
 		},
 		EncryptedData: pkData,