pfSense

I merged changes which move from using the native PHP function to using OpenSSL directly so we can control the algorithms involved.

Exported archives now use AES-256 and SHA256:

$ openssl pkcs12 -info -in jimp.p12 -passin pass:abc123 -passout pass:abc123 
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
[...]
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

We could also consider increasing the iterations if need be.

The new files import OK into pfSense (current snapshots, 22.05, and 2.6.0) and a current Windows 10 at least, but apparently macOS is not yet compatible with the higher encryption, nor are older versions of Windows. macOS fails to import the P12 into its cert manager, though it can read them at the CLI with the openssl command.

The older versions of Windows aren't a significant concern, but macOS is, so it looks like we might need an option to weaken the security down to 3DES/SHA1 while defaulting to stronger encryption. It's OK to only make this available from the cert edit screen for now as both macOS and Windows need the export password defined anyhow.

Added an option to change the encryption level to high (AES-256+SHA256), low (3DES+SHA1), and legacy (RC2-40 + SHA1). Most things non-macOS are good with "high", and macOS is happy with "low". Anything even older can use "legacy".

That's a good enough test in addition to all the testing I've done. It's passed and functional testing and inspection of the results I've done thus far.

I'll close this out, we can always revisit if someone has an issue.