Hello,

DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.

This fixes a forgotten TODO in ipa-ods-exporter: the DNSSEC master key was still being wrapped for replicas with RSA PKCS#1 v1.5; it is now wrapped with RSA-OAEP.

-- 
Petr^2 Spacek
From 28e242b55f4250a8f95841e61762fbc7200e73d2 Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Tue, 1 Sep 2015 18:16:06 +0200
Subject: [PATCH] DNSSEC: Wrap master key using RSA OAEP instead of old PKCS
 v1.5.

---
 daemons/dnssec/ipa-ods-exporter | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 9660cc784c4a56d1644eaa66b39061f7bfbad052..742788c3572d1f21ce7b043cb548defdd704be97 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -54,8 +54,7 @@ KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB
 ODS_SE_MAXLINE = 1024  # from ODS common/config.h
 ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock')
 
-# TODO: MECH_RSA_OAEP
-SECRETKEY_WRAPPING_MECH = 'rsaPkcs'
+SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
 PRIVKEY_WRAPPING_MECH = 'aesKeyWrapPad'
 
 # DNSKEY flag constants
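Review bot: The switch to `'rsaPkcsOaep'` is the right call but the rationale leaves the file with the removed TODO, so a later maintainer has no hint why PKCS#1 v1.5 was abandoned; a comment above line 29 would keep it: `# RSA-OAEP (PKCS#1 v2.x) rather than PKCS#1 v1.5: v1.5 key transport is exposed to Bleichenbacher-style padding-oracle attacks.` Note also that master keys already wrapped under `'rsaPkcs'` and stored in LDAP are not re-wrapped by this change, so the unwrapping side presumably still has to accept the old mechanism name until that data is regenerated — worth stating in the commit message. PRIVKEY_WRAPPING_MECH is unaffected, which the hunk makes clear.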
@@ -295,7 +294,8 @@ def master2ldap_master_keys_sync(log, ldapkeydb, localhsm):
                 hexlify(mkey_id), hexlify(replica_key_id)))
             replica_key = localhsm.replica_pubkeys_wrap[replica_key_id]
             keydata = localhsm.p11.export_wrapped_key(mkey_local.handle,
-                    replica_key.handle, _ipap11helper.MECH_RSA_PKCS)
+                    replica_key.handle,
+                    wrappingmech_name2id[SECRETKEY_WRAPPING_MECH])
             mkey_ldap.add_wrapped_data(keydata, SECRETKEY_WRAPPING_MECH,
                     replica_key_id)
 
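Review bot: The mechanism is now resolved through `wrappingmech_name2id[SECRETKEY_WRAPPING_MECH]`, a table not visible in this patch; if it lacks an entry for `'rsaPkcsOaep'` the lookup raises KeyError inside the master-key sync loop, so please confirm it is defined with that key in this file. CKM_RSA_PKCS_OAEP, unlike CKM_RSA_PKCS, also takes a mechanism parameter (hash, MGF, source); whatever defaults `export_wrapped_key` applies must match what the replica uses when it unwraps, otherwise the exporter stores data labelled `'rsaPkcsOaep'` that the replica cannot recover. A short comment on the call would make that coupling explicit: `# OAEP parameters (hash/MGF) are chosen by _ipap11helper; replicas must unwrap with the same`. master2ldap_master_keys_sync starts before this hunk.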
-- 
2.4.3
