URL: https://github.com/freeipa/freeipa/pull/737
Author: tiran
Title: #737: Vault: Explicitly default to 3DES CBC
Action: opened

PR body:
"""
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/737/head:pr737
git checkout pr737
From 5e764ded04de08fb576ad503fea78fe9595b9b71 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 26 Apr 2017 18:15:40 +0200
Subject: [PATCH] Vault: Explicitly default to 3DES CBC

The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/plugins/vault.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 57e1ed7..d46aca8 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -38,6 +38,14 @@
 if api.env.in_server:
     import pki.account
     import pki.key
+    # pylint: disable=no-member
+    try:
+        # pki >= 10.4.0
+        from pki.crypto import DES_EDE3_CBC_OID
+    except ImportError:
+        DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
+    # pylint: enable=no-member
+
 
 if six.PY3:
     unicode = str
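Review bot: The new block pins a legacy cipher without saying why; a one-line comment next to the `try:` explaining that DES-EDE3-CBC is kept for compatibility with data archived under the old Dogtag default (rather than as a recommended algorithm) would stop a later reader from treating 3DES as the preferred choice. The fallback `DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID` also assumes that attribute exists on every pki release older than 10.4.0; it would be worth confirming the oldest supported pki version exposes it, and the `# pki >= 10.4.0` comment could name the version the constant moved to `pki.crypto` so the branch is easy to retire later.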
@@ -1059,8 +1067,8 @@ def execute(self, *args, **options):
                 pki.key.KeyClient.PASS_PHRASE_TYPE,
                 wrapped_vault_data,
                 wrapped_session_key,
-                None,
-                nonce,
+                algorithm_oid=DES_EDE3_CBC_OID,
+                nonce_iv=nonce,
             )
 
             kra_account.logout()
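Review bot: Replacing the positional `None, nonce` with `algorithm_oid=DES_EDE3_CBC_OID, nonce_iv=nonce` is the right fix for the changed server default, but keyword arguments only work if `archive_encrypted_data()` uses exactly those parameter names in every pki version the plugin supports; since the first hunk still carries a fallback for pki < 10.4.0, please confirm the older signature also names them `algorithm_oid` and `nonce_iv`, otherwise this call raises `TypeError` on those versions where the old positional form worked.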