From 7bcdc22d4e08739837039027f7c939a7469b8110 Mon Sep 17 00:00:00 2001

From: Petr Spacek <pspacek@redhat.com>

Date: Tue, 1 Sep 2015 18:16:06 +0200

Subject: [PATCH] DNSSEC: Wrap master key using RSA OAEP instead of old PKCS

 v1.5.

https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 daemons/dnssec/ipa-ods-exporter | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter

index e0c88936d5983297483c504d422c8d1ee483b6cf..f30a2253a713d857aa4e7566e52a0a45f7bd50c2 100755

--- a/daemons/dnssec/ipa-ods-exporter

+++ b/daemons/dnssec/ipa-ods-exporter

@@ -53,8 +53,7 @@ KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB

 ODS_SE_MAXLINE = 1024  # from ODS common/config.h

 ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock')

-# TODO: MECH_RSA_OAEP

-SECRETKEY_WRAPPING_MECH = 'rsaPkcs'

+SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'

 PRIVKEY_WRAPPING_MECH = 'aesKeyWrapPad'

 # DNSKEY flag constants

@@ -294,7 +293,8 @@ def master2ldap_master_keys_sync(log, ldapkeydb, localhsm):

                 hexlify(mkey_id), hexlify(replica_key_id)))

             replica_key = localhsm.replica_pubkeys_wrap[replica_key_id]

             keydata = localhsm.p11.export_wrapped_key(mkey_local.handle,

-                    replica_key.handle, _ipap11helper.MECH_RSA_PKCS)

+                    replica_key.handle,

+                    wrappingmech_name2id[SECRETKEY_WRAPPING_MECH])

             mkey_ldap.add_wrapped_data(keydata, SECRETKEY_WRAPPING_MECH,

                     replica_key_id)

-- 

2.5.1