Support for creating PKCS12 with modern encryption

[pkininja]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The "step certificate p12" command creates pcks12 files encrypted with RC2-40-CBC. This is outdated and insecure encryption. There does not appear to be a way to select different encryption.

Modern versions of OpenSSL will not open the file unless the "-legacy" flag is appended. The default encryption there for PKCS12 files appears to be AES-256-CBC with PBKDF2 algorithm.

I don't think this is a "vulnerability" in the step cli per se. The issue is in the files the step cli creates.

Tested on Windows 10 with
Smallstep CLI/0.23.4 (windows/amd64)
Release Date: 2023-0310T00:007:02Z

Why is this needed?

The step cli is a great modern utility, it should create files up-to-date with modern standards.

[maraino]

For context, it doesn't look like software.sslmate.com/src/go-pkcs12 supports encrypting PKCS#12 files using AES-256-CBC.

[hslatman]

@maraino a PR was opened adding support for exactly this: SSLMate/go-pkcs12#47, which builds on SSLMate/go-pkcs12#39.