The ipa vault commands now load the public keys in order to verify them.
The validation also prevents a user from accidentally sending her
private keys to the server. The patch fixes #5142 and #5142.

$ ./ipa vault-add AsymmetricVault --desc "Asymmetric vault" --type
asymmetric --public-key-file mykey.pem
ipa: ERROR: invalid 'ipavaultpublickey': Invalid or unsupported vault
public key: Could not unserialize key data.

https://fedorahosted.org/freeipa/ticket/5142
https://fedorahosted.org/freeipa/ticket/5143
From fd380c4539fdd18a7d10786230c15a259b097af6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 23 Jul 2015 20:30:21 +0200
Subject: [PATCH] Asymmetric vault: validate public key in client

The ipa vault commands now load and validate the public key for
asymmetric encryption, before sending it to the server. This prevents
invalid vaults and prohibits accidental exposure of private key
material.

https://fedorahosted.org/freeipa/ticket/5142
https://fedorahosted.org/freeipa/ticket/5143
---
 ipalib/plugins/vault.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 81197f9328c7ed890fa336f464bfcda475ac6189..5d493ae183da48412a38e7074b88ec0ab4402311 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -622,6 +622,19 @@ class vault_add(PKQuery, Local):
                     name='ipavaultpublickey',
                     error=_('Missing vault public key'))
 
+            # validate public key and prevent users from accidentally
+            # sending a private key to the server.
+            try:
+                load_pem_public_key(
+                    data=public_key,
+                    backend=default_backend()
+                )
+            except ValueError as e:
+                raise errors.ValidationError(
+                    name='ipavaultpublickey',
+                    error=_('Invalid or unsupported vault public key: %s') % e,
+                )
+
         # create vault
         response = self.api.Command.vault_add_internal(*args, **options)
 
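Review bot: The except clause in the new try block in vault_add catches only ValueError, but load_pem_public_key raises cryptography.exceptions.UnsupportedAlgorithm (not a ValueError subclass) when the serialized key type is not supported by the backend. In that case the "unsupported" half of the new error message never reaches the user as a ValidationError. Suggest catching (ValueError, UnsupportedAlgorithm) here. The diffstat shows 13 insertions, all in this hunk, so the patch adds no import for load_pem_public_key or default_backend; please confirm both are already imported at the top of ipalib/plugins/vault.py. The commit message refers to the vault commands in general, while the only check visible in this patch is in vault_add, and it runs on the client, so the server still needs to reject bad key data from other clients.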
-- 
2.4.3
