Ab#82394

CHANGELOG.md

@@ -1,3 +1,6 @@
+v4.1.0
+- Add custom field to select legacy encryption for certificate stores
+
 v4.0.0
 - Added ability to run post job commands for Management-Add and ODKG jobs.
 - Added "+" as an allowed character for store paths and file names

RemoteFile/ManagementBase.cs

@@ -54,7 +54,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                         }
                         certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
                         certificateStore.AddCertificate(config.JobCertificate.Alias ?? GetThumbprint(config.JobCertificate, logger), config.JobCertificate.Contents, config.Overwrite, config.JobCertificate.PrivateKeyPassword, RemoveRootCertificate);
-                        certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+                        certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(RequiresLegacyEncryption), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
 
                         try
                         {
@@ -83,7 +83,7 @@ public JobResult ProcessJob(ManagementJobConfiguration config)
                         {
                             certificateStore.LoadCertificateStore(certificateStoreSerializer, false);
                             certificateStore.DeleteCertificateByAlias(config.JobCertificate.Alias);
-                            certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+                            certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(RequiresLegacyEncryption), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
                         }
                         logger.LogDebug($"END Delete Operation for {config.CertificateStoreDetails.StorePath} on {config.CertificateStoreDetails.ClientMachine}.");
                         break;

RemoteFile/ReenrollmentBase.cs

@@ -101,8 +101,8 @@ public JobResult ProcessJob(ReenrollmentJobConfiguration config, SubmitReenrollm
                 }
 
                 // save certificate
-                certificateStore.AddCertificate(config.Alias ?? cert.Thumbprint, Convert.ToBase64String(cert.Export(X509ContentType.Pfx)), config.Overwrite, null, RemoveRootCertificate);
-                certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
+                certificateStore.AddCertificate(config.Alias ?? cert.Thumbprint, Convert.ToBase64String(cert.Export(X509ContentType.Pfx, "password")), config.Overwrite, "password", RemoveRootCertificate);
+                certificateStore.SaveCertificateStore(certificateStoreSerializer.SerializeRemoteCertificateStore(certificateStore.GetCertificateStore(RequiresLegacyEncryption), storePathFile.Path, storePathFile.File, StorePassword, certificateStore.RemoteHandler));
 
                 try
                 {

RemoteFile/RemoteCertificateStore.cs

@@ -27,6 +27,7 @@
 using Keyfactor.PKI.PrivateKeys;
 using Keyfactor.PKI.CryptographicObjects.Formatters;
 using Org.BouncyCastle.X509;
+using Org.BouncyCastle.Asn1.Pkcs;
 
 namespace Keyfactor.Extensions.Orchestrator.RemoteFile
 {
@@ -124,11 +125,38 @@ internal void LoadCertificateStore(ICertificateStoreSerializer certificateStoreS
             logger.MethodExit(LogLevel.Debug);
         }
 
-        internal Pkcs12Store GetCertificateStore()
+        internal Pkcs12Store GetCertificateStore(bool requiresLegacyEncryption)
         {
             logger.MethodEntry(LogLevel.Debug);
             logger.MethodExit(LogLevel.Debug);
 
+            if (requiresLegacyEncryption)
+            {
+                Pkcs12StoreBuilder builder = new Pkcs12StoreBuilder();
+                builder.SetKeyAlgorithm(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc);
+                builder.SetCertAlgorithm(PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc);
+
+                Pkcs12Store tempStore = builder.Build();
+
+                foreach (string alias in CertificateStore.Aliases)
+                {
+                    if (CertificateStore.IsKeyEntry(alias))
+                    {
+                        var keyEntry = CertificateStore.GetKey(alias);
+                        var certChain = CertificateStore.GetCertificateChain(alias);
+
+                        tempStore.SetKeyEntry(alias, keyEntry, certChain);
+                    }
+                    else if (CertificateStore.IsCertificateEntry(alias))
+                    {
+                        var certEntry = CertificateStore.GetCertificate(alias);
+                        tempStore.SetCertificateEntry(alias, certEntry);
+                    }
+                }
+
+                CertificateStore = tempStore;
+            }
+
             return CertificateStore;
         }
 

RemoteFile/RemoteFile.csproj

@@ -12,7 +12,7 @@
     <PackageReference Include="CliWrap" Version="3.6.6" />
     <PackageReference Include="Keyfactor.Orchestrators.IOrchestratorJobExtensions" Version="1.0.0" />
     <PackageReference Include="Keyfactor.PKI" Version="8.1.1" />
-    <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.4.5" />
+    <PackageReference Include="Microsoft.PowerShell.SDK" Version="7.4.13" />
     <PackageReference Include="SSH.NET" Version="2024.0.0" />
 
     <None Update="manifest.json">

RemoteFile/RemoteFileJobTypeBase.cs

@@ -30,6 +30,7 @@ public abstract class RemoteFileJobTypeBase
         internal bool CreateCSROnDevice { get; set; }
         internal bool UseShellCommands { get; set; }
         internal string PostJobApplicationRestart {  get; set; }
+        internal bool RequiresLegacyEncryption { get; set; }
         internal string KeyType { get; set; }
         internal int KeySize { get; set; }
         internal string SubjectText { get; set; }
@@ -78,6 +79,10 @@ internal void SetJobProperties(JobConfiguration config, CertificateStore certifi
                 null :
                 properties.PostJobApplicationRestart;
 
+            RequiresLegacyEncryption = properties.RequiresLegacyEncryption == null || string.IsNullOrEmpty(properties.RequiresLegacyEncryption.Value) ?
+                false :
+                properties.RequiresLegacyEncryption;
+
             if (config.JobProperties != null)
             {
                 KeyType = !config.JobProperties.ContainsKey("keyType") || config.JobProperties["keyType"] == null || string.IsNullOrEmpty(config.JobProperties["keyType"].ToString()) ? string.Empty : config.JobProperties["keyType"].ToString();

integration-manifest.json

@@ -132,6 +132,15 @@
                       "Type": "MultipleChoice",
                       "DefaultValue": "Apache Tomcat Restart,Jetty Restart",
                       "Description": "Select the command to be run after a Management Add or ODKG job executes.  Leave unselected if no command is desired."
+                    },
+                    {
+                      "Name": "RequiresLegacyEncryption",
+                      "DisplayName": "Requires Legacy Encryption",
+                      "Required": false,
+                      "DependsOn": "",
+                      "Type": "Bool",
+                      "DefaultValue": "False",
+                      "Description": "Optional setting.  If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs.  Should be left not implemented or set to False for most instances."
                     }
                   ],
                     "EntryParameters": [],
@@ -291,6 +300,15 @@
                       "Type": "MultipleChoice",
                       "DefaultValue": "Apache HTTPD Restart,NGNIX Restart,HAProxy Restart,Envoy Proxy Restart",
                       "Description": "Select the command to be run after a Management Add or ODKG job executes.  Leave unselected if no command is desired."
+                    },
+                    {
+                      "Name": "RequiresLegacyEncryption",
+                      "DisplayName": "Requires Legacy Encryption",
+                      "Required": false,
+                      "DependsOn": "",
+                      "Type": "Bool",
+                      "DefaultValue": "False",
+                      "Description": "Optional setting.  If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs.  Should be left not implemented or set to False for most instances."
                     }
                   ],
                     "EntryParameters": [],
@@ -405,6 +423,15 @@
                       "Type": "Bool",
                       "DefaultValue": "True",
                       "Description": "Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+                    },
+                    {
+                      "Name": "RequiresLegacyEncryption",
+                      "DisplayName": "Requires Legacy Encryption",
+                      "Required": false,
+                      "DependsOn": "",
+                      "Type": "Bool",
+                      "DefaultValue": "False",
+                      "Description": "Optional setting.  If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs.  Should be left not implemented or set to False for most instances."
                     }
                   ],
                     "EntryParameters": [],
@@ -528,6 +555,15 @@
                       "Type": "Bool",
                       "DefaultValue": "True",
                       "Description": "Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+                    },
+                    {
+                      "Name": "RequiresLegacyEncryption",
+                      "DisplayName": "Requires Legacy Encryption",
+                      "Required": false,
+                      "DependsOn": "",
+                      "Type": "Bool",
+                      "DefaultValue": "False",
+                      "Description": "Optional setting.  If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs.  Should be left not implemented or set to False for most instances."
                     }
                   ],
                     "EntryParameters": [],
@@ -642,6 +678,15 @@
                       "Type": "Bool",
                       "DefaultValue": "True",
                       "Description": "Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+                    },
+                    {
+                      "Name": "RequiresLegacyEncryption",
+                      "DisplayName": "Requires Legacy Encryption",
+                      "Required": false,
+                      "DependsOn": "",
+                      "Type": "Bool",
+                      "DefaultValue": "False",
+                      "Description": "Optional setting.  If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs.  Should be left not implemented or set to False for most instances."
                     }
                   ],
                     "EntryParameters": [],
@@ -765,6 +810,15 @@
                       "Type": "Bool",
                       "DefaultValue": "True",
                       "Description": "Recommended to be set to the default value of 'Y'.  For a detailed explanation of this setting, please refer to [Use Shell Commands Setting](#use-shell-commands-setting)"
+                    },
+                    {
+                      "Name": "RequiresLegacyEncryption",
+                      "DisplayName": "Requires Legacy Encryption",
+                      "Required": false,
+                      "DependsOn": "",
+                      "Type": "Bool",
+                      "DefaultValue": "False",
+                      "Description": "Optional setting.  If set to true, PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc and PkcsObjectIdentifiers.PbewithShaAnd40BitRC2Cbc algorithms will be used to create the underlying BouncyCastle Pkcs12Store used to feed the certificate store being managed during Management jobs.  Should be left not implemented or set to False for most instances."
                     }
                   ],
                     "EntryParameters": [],