PKCS12 modern defaults #7099

Closed
rbuffat opened this issue Apr 21, 2022 · 1 comment

rbuffat commented Apr 21, 2022

Not sure if this is of relevance.

While investigating #7065 I noticed that creating a PKCS12 truststore using openssl uses different parameters compared to serialization.BestAvailableEncryption of cryptography:

OpenSSL 1.1.1n 15 Mar 2022:

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048

cryptography 37.0.0 dev (serialization.BestAvailableEncryption):

MAC: sha1, Iteration 1
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 20000

keytool java-18-openjdk 18.0.1.u10:

MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256

keytool java-8-openjdk 8.332.u04:

MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000

Relevant code:

# PKCS12 encryption is hopeless trash and can never be fixed.
# This is the least terrible option.
nid_cert = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC
nid_key = self._lib.NID_pbe_WithSHA1And3_Key_TripleDES_CBC
# At least we can set this higher than OpenSSL's default
pkcs12_iter = 20000
# mac_iter chosen for compatibility reasons, see:
# https://www.openssl.org/docs/man1.1.1/man3/PKCS12_create.html
# Did we mention how lousy PKCS12 encryption is?
mac_iter = 1
password = encryption_algorithm.password

Commit that changed defaults in OpenSSL 3.0.2:
openssl/openssl@762970b
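
Added example (not part of the original issue and not code from cryptography or OpenSSL): a Python script that parses parameter dumps in the format quoted above and flags the settings a reviewer would want raised. The `MIN_ITER` threshold, the weak-hash set, and the finding labels are assumptions made for this example.

```python
import re

# Review policy assumed for this example; not taken from the issue or any project.
MIN_ITER = 10000
WEAK_MAC_HASHES = {"md5", "sha1"}

# "MAC length: ..." lines do not match MAC_RE because of the literal colon after MAC.
MAC_RE = re.compile(r"^MAC:\s*(\S+?),\s*Iteration\s+(\d+)")
ENC_RE = re.compile(r"^PKCS7 Encrypted data:\s*(.+?),\s*Iteration\s+(\d+)")

# Parameter dumps copied from the issue text above.
SAMPLES = {
    "openssl-1.1.1n": "MAC: sha1, Iteration 2048\nMAC length: 20, salt length: 8\n"
                      "PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048",
    "cryptography-37": "MAC: sha1, Iteration 1\nMAC length: 20, salt length: 8\n"
                       "PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 20000",
    "keytool-18": "MAC: sha256, Iteration 10000\nMAC length: 32, salt length: 20\n"
                  "PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, "
                  "PRF hmacWithSHA256",
    "keytool-8": "MAC: sha1, Iteration 100000\nMAC length: 20, salt length: 20\n"
                 "PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000",
}

def audit(dump):
    """Return a list of findings for one PKCS12 parameter dump."""
    findings = []
    for line in dump.splitlines():
        line = line.strip()
        mac = MAC_RE.match(line)
        if mac:
            algo, iters = mac.group(1).lower(), int(mac.group(2))
            if algo in WEAK_MAC_HASHES:
                findings.append(f"mac-hash:{algo}")
            if iters < MIN_ITER:
                findings.append(f"mac-iterations:{iters}")
            continue
        enc = ENC_RE.match(line)
        if enc:
            scheme, iters = enc.group(1), int(enc.group(2))
            # Anything that is not PBES2 is one of the legacy PKCS12 PBE schemes.
            if not scheme.upper().startswith("PBES2"):
                findings.append(f"legacy-pbe:{scheme}")
            if iters < MIN_ITER:
                findings.append(f"kdf-iterations:{iters}")
    return findings

if __name__ == "__main__":
    for tool, dump in SAMPLES.items():
        print(tool, audit(dump) or "ok")
```
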

@reaperhulk
Member

This is covered by #7043, although we appreciate the additional data 😄 Closing in favor of that issue, but we can continue discussion there. In general we're in favor of ratcheting up the encryption quality but we need to do some work to enable it.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 21, 2022