
internal(tlssettings tlsconfig): rework TlsSettings to carry PEM based objects #23146

Open: wants to merge 3 commits into base: master

@rf-ben rf-ben commented Jun 3, 2025

Summary

Modify TlsSettings to carry PEM files instead of PKCS12 for FIPS compatibility. Internal only, no breaking changes.

TlsSettings used a PKCS12 archive to store the TLS identity information. PKCS12 is not Federal Information Processing Standard (FIPS) compliant, and there is significant interest to use vector in such environments. Converting to and from PKCS12 does not work (PKCS12KDF is not compliant) and is best avoided. TlsSettings encapsulates this detail very well, and this change is thus internal to TlsSettings and its initializer TlsConfig.

This change makes PEM based certs & keys the format stored in TlsSettings. For reverse compatibility, when a PKCS12 (DER) archive is presented in the configuration, the code will extract the components into PEM at load time. This conversion is not FIPS compliant and should be avoided there. In practice, most use cases do not use FIPS, so this is perfectly fine to use.

Key changes:

  • IdentityStore now keeps a _name, cert, private key, and an optional list of ca certs
  • PKCS12 configuration will convert to IdentityStore on load
  • TlsSettings::identity() returns the IdentityStore instead of a PKCS12 archive. This avoids the need to convert to PKCS12 and thus avoids the FIPS incompatibility and it discourages conversion back & forth in the future.

Change Type

  • Bug fix
  • New feature
  • Non-functional (chore, refactoring, docs)
  • Performance
  • Internal, non-observable, avoid weak cryptographic algorithms

Is this a breaking change?

  • Yes
  • [X] No

How did you test this PR?

Executed vector tests:
cargo test --all
./scripts/check_changelog_fragments.sh

Tested on a regular non-fips machine, and on a FIPS enabled kernel where we compiled vector to dynamically link to the system provided OpenSSL. Only the 'fips' and 'base' providers were configured to be available:

RUSTFLAGS="-C prefer-dynamic" OPENSSL_NO_VENDOR=1 OPENSSL_STATIC=0 \
    cargo build -j8 --release --target x86_64-unknown-linux-gnu \
    --no-default-features --features target-x86_64-unknown-linux-gnu

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • [X] No. A maintainer will apply the "no-changelog" label to this PR.

Notes

See issue:

…use PEM files instead of PKCS12 for FIPS compatibility

TlsSettings used a PKCS12 archive to store the TLS identity information. PKCS12 is not
Federal Information Processing Standard (FIPS) compliant, and there is significant interest
to use vector in such environments.

This change makes PEM based certs & keys the format stored in TlsSettings. For compatibility
when a PKCS12 (DER) archive is presented in the configuration, the code will extract the
components into X509 at load time. This conversion is not FIPS compliant and should be avoided
there. In practice, most use cases do not use FIPS, so this is perfectly fine to use.

This change was tested on a regular machine, and on a FIPS enabled kernel where we compiled
vector to dynamically link to the system provided OpenSSL. Only the 'fips' and 'base' providers
were configured to be available.

RUSTFLAGS="-C prefer-dynamic" OPENSSL_NO_VENDOR=1 OPENSSL_STATIC=0 \
    cargo build -j8 --release --target x86_64-unknown-linux-gnu \
    --no-default-features --features target-x86_64-unknown-linux-gnu

Key changes:
* IdentityStore now keeps a name, cert, private key, and an optional list of ca certs
* PKCS12 configuration will convert to IdentityStore on load
* TlsSettings::identity() returns the IdentityStore instead of a PKCS12 archive. This
    avoids the need to convert to PKCS12 and thus avoids the FIPS incompatibility for
    future uses
@rf-ben rf-ben requested a review from a team as a code owner June 3, 2025 08:00
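
The PR description above says the identity is now held as PEM objects: a name, a cert, a private key, and an optional list of CA certs. The sketch below is an added example, not code from this PR or from the Vector repository; `IdentityParts`, `marker` and `split_pem_bundle` are hypothetical names, and it assumes the first CERTIFICATE block in a bundle is the leaf. It only splits and classifies PEM blocks using the standard library and does not validate the base64 or DER content.

```rust
// Added illustration, not code from the Vector repository.
// `IdentityParts` is a hypothetical stand-in for the PR's IdentityStore.
#[derive(Debug, Default)]
pub struct IdentityParts {
    pub name: String,
    pub cert: Option<String>,  // leaf certificate (assumed: first CERTIFICATE block)
    pub key: Option<String>,   // private key block, stored as-is
    pub ca_certs: Vec<String>, // any further CERTIFICATE blocks, in file order
}
// Returns the label of a "-----BEGIN <label>-----" / "-----END <label>-----" line.
fn marker<'a>(line: &'a str, kind: &str) -> Option<&'a str> {
    line.strip_prefix("-----")?.strip_prefix(kind)?.strip_prefix(' ')?.strip_suffix("-----")
}
pub fn split_pem_bundle(name: &str, pem: &str) -> Result<IdentityParts, String> {
    let mut parts = IdentityParts { name: name.to_string(), ..Default::default() };
    let mut open: Option<(&str, String)> = None; // (label, block text so far)
    for line in pem.lines().map(str::trim) {
        if let Some(label) = marker(line, "BEGIN") {
            if open.is_some() {
                return Err(format!("BEGIN {label} inside an open block"));
            }
            open = Some((label, format!("{line}\n")));
        } else if let Some(label) = marker(line, "END") {
            let (begun, mut block) = open.take().ok_or("END without BEGIN")?;
            if begun != label {
                return Err(format!("BEGIN {begun} closed by END {label}"));
            }
            block.push_str(line);
            block.push('\n');
            match label {
                "CERTIFICATE" if parts.cert.is_none() => parts.cert = Some(block),
                "CERTIFICATE" => parts.ca_certs.push(block),
                l if l.ends_with("PRIVATE KEY") => {
                    if parts.key.replace(block).is_some() {
                        return Err("more than one private key".into());
                    }
                }
                _ => {} // other PEM block types are ignored
            }
        } else if let Some((_, block)) = open.as_mut() {
            block.push_str(line); // body line of the currently open block
            block.push('\n');
        }
    }
    if open.is_some() || parts.cert.is_none() || parts.key.is_none() {
        return Err("unterminated block, or certificate/private key missing".into());
    }
    Ok(parts)
}
```
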
bits-bot commented Jun 3, 2025

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the domain: core Anything related to core crates i.e. vector-core, core-common, etc label Jun 3, 2025
thomasqueirozb (Contributor) commented Jun 12, 2025

Formatting needs to be fixed. Run cargo fmt

PR title also needs to be fixed, check the PR Title Semantic Check / Check Semantic PR (pull_request) job for more information

Missing changelog and clippy is complaining too (everything is detailed in the actions logs)

@thomasqueirozb thomasqueirozb added the meta: awaiting author Pull requests that are awaiting their author. label Jun 12, 2025