URL: https://github.com/freeipa/freeipa/pull/737 Author: tiran Title: #737: Vault: Explicitly default to 3DES CBC Action: opened
PR body:
"""
The server-side plugin for IPA Vault relied on the fact that the default oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag 10.4 has changed the default from 3DES to AES. Pass the correct algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/737/head:pr737
git checkout pr737
From 5e764ded04de08fb576ad503fea78fe9595b9b71 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Wed, 26 Apr 2017 18:15:40 +0200 Subject: [PATCH] Vault: Explicitly default to 3DES CBC The server-side plugin for IPA Vault relied on the fact that the default oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag 10.4 has changed the default from 3DES to AES. Pass the correct algorithm OID to KeyClient.archive_encrypted_data(). Closes: https://pagure.io/freeipa/issue/6899 Signed-off-by: Christian Heimes <chei...@redhat.com> --- ipaserver/plugins/vault.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py index 57e1ed7..d46aca8 100644 --- a/ipaserver/plugins/vault.py +++ b/ipaserver/plugins/vault.py @@ -38,6 +38,14 @@ if api.env.in_server: import pki.account import pki.key + # pylint: disable=no-member + try: + # pki >= 10.4.0 + from pki.crypto import DES_EDE3_CBC_OID + except ImportError: + DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID + # pylint: enable=no-member + if six.PY3: unicode = str @@ -1059,8 +1067,8 @@ def execute(self, *args, **options): pki.key.KeyClient.PASS_PHRASE_TYPE, wrapped_vault_data, wrapped_session_key, - None, - nonce, + algorithm_oid=DES_EDE3_CBC_OID, + nonce_iv=nonce, ) kra_account.logout()
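Review bot: in the import hunk, the `except ImportError` branch assumes `pki.key.KeyClient.DES_EDE3_CBC_OID` exists on every pki release older than 10.4.0; if a release lacks it the fallback raises `AttributeError` at plugin import time with no hint that the real cause is a pki version mismatch, so either guard that attribute lookup as well or name the minimum supported pki version in the comment next to `# pki >= 10.4.0`. The hunk also gives no reason for pinning 3DES now that the KRA defaults to AES; a one-line comment that the OID must match the algorithm the vault data was actually wrapped with (DES-EDE3-CBC, per the commit message) would stop a later reader from "upgrading" the constant to AES and silently breaking unwrapping of archived data.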
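Review bot: in the `execute` hunk, replacing the positional `None, nonce` with `algorithm_oid=DES_EDE3_CBC_OID, nonce_iv=nonce` ties this call to those exact parameter names in every pki version the import fallback claims to support; please confirm `KeyClient.archive_encrypted_data` spells them `algorithm_oid` and `nonce_iv` both before and after 10.4.0, otherwise one side fails with a `TypeError` that the `ImportError` fallback will not catch. Keyword arguments are still the right choice here, since they make the 3DES pin visible at the call site instead of hiding it behind a bare `None`.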
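The failure mode the PR describes, written out as an added example that is not FreeIPA or Dogtag code: vault data wrapped with 3DES-CBC is handed to the KRA without naming the algorithm, and whether it can ever be unwrapped again depends on what the KRA's default happens to be. Only the two OID strings are real identifiers; `FakeKRA`, `wrap`/`unwrap` and the HMAC keystream are constructed stand-ins for the KRA and for real 3DES/AES, and the session key is passed raw where the real `archive_encrypted_data` receives it wrapped with the KRA transport certificate.

```python
"""Added example, not project code: why the server-side vault plugin must
name the wrapping algorithm OID explicitly instead of trusting the KRA's
default, which the PR says moved from 3DES-CBC to AES in Dogtag 10.4.

Assumptions: the OID strings are the standard ones; everything else
(FakeKRA, wrap/unwrap, the HMAC keystream) is a constructed stand-in.
"""
import hashlib
import hmac
import os

DES_EDE3_CBC_OID = "1.2.840.113549.3.7"      # des-ede3-cbc (RFC 8018)
AES_128_CBC_OID = "2.16.840.1.101.3.4.1.2"   # aes128-CBC (NIST CSOR)


def _keystream(key: bytes, algorithm_oid: str, iv: bytes, length: int) -> bytes:
    """Constructed stand-in for the cipher named by algorithm_oid: an
    HMAC-SHA256 counter stream keyed by (key, OID, IV). It models the one
    property that matters here: 3DES-CBC and AES-CBC under the same key and
    IV are different functions, so data wrapped with one cannot be unwrapped
    with the other."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = algorithm_oid.encode() + iv + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(session_key: bytes, data: bytes, algorithm_oid: str, iv: bytes) -> bytes:
    """XOR data with the keystream; symmetric, so unwrap is the same function."""
    stream = _keystream(session_key, algorithm_oid, iv, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


unwrap = wrap


class FakeKRA:
    """Constructed model of the KRA side of KeyClient.archive_encrypted_data.

    default_oid is what the KRA assumes when the caller passes
    algorithm_oid=None: 3DES-CBC before Dogtag 10.4, AES-CBC from 10.4 on.
    """

    def __init__(self, default_oid: str):
        self.default_oid = default_oid
        self._store = {}

    def archive_encrypted_data(self, client_key_id, data_type, encrypted_data,
                               wrapped_session_key, algorithm_oid=None,
                               nonce_iv=None):
        # Parameter names follow the patched call; the body is our stand-in.
        # The archived record carries whichever OID was named, or the default.
        oid = algorithm_oid if algorithm_oid is not None else self.default_oid
        self._store[client_key_id] = (encrypted_data, wrapped_session_key, oid, nonce_iv)
        return client_key_id

    def retrieve(self, client_key_id: str) -> bytes:
        # The KRA unwraps with the algorithm recorded at archive time, so a
        # wrong record silently yields garbage rather than an error.
        data, session_key, oid, iv = self._store[client_key_id]
        return unwrap(session_key, data, oid, iv)


def archive_and_retrieve(kra: FakeKRA, secret: bytes, pin_oid: bool) -> bytes:
    """Vault data is wrapped with 3DES-CBC (the algorithm the PR says the plugin
    relied on); the server then archives it either naming that OID (the patched
    call) or leaving algorithm_oid=None (the pre-patch call)."""
    session_key = os.urandom(24)   # 3DES key length
    nonce = os.urandom(8)          # 3DES block size
    wrapped = wrap(session_key, secret, DES_EDE3_CBC_OID, nonce)
    kra.archive_encrypted_data(
        "vault-1", "passPhrase", wrapped, session_key,
        algorithm_oid=DES_EDE3_CBC_OID if pin_oid else None,
        nonce_iv=nonce,
    )
    return kra.retrieve("vault-1")


if __name__ == "__main__":
    secret = b"constructed vault secret"
    old = FakeKRA(DES_EDE3_CBC_OID)   # pre-10.4 default
    new = FakeKRA(AES_128_CBC_OID)    # 10.4 default
    print("pre-10.4, implicit OID:", archive_and_retrieve(old, secret, False) == secret)
    print("10.4,     implicit OID:", archive_and_retrieve(new, secret, False) == secret)
    print("10.4,     explicit OID:", archive_and_retrieve(new, secret, True) == secret)
```

The middle case is the one the issue reports: nothing fails at archive time, the KRA simply records the wrong algorithm and retrieval returns garbage. Pinning `algorithm_oid` makes the call independent of the server's default, which is why the patch spells it out rather than passing `None`.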
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code