rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0034-Support-AES-for-KRA-archival-wrapping.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   4db7c247f9296eb06900cd0c8d680e7f12ca5557
  2.   SOURCES
  3.   0034-Support-AES-for-KRA-archival-wrapping.patch
Blob History Raw
bb0ded 
From 895e99b6843c2fa2274acab824607c33c1a560a4 Mon Sep 17 00:00:00 2001
bb0ded 
From: Christian Heimes <cheimes@redhat.com>
bb0ded 
Date: Mon, 7 Oct 2019 14:13:03 +0200
bb0ded 
Subject: [PATCH] Support AES for KRA archival wrapping
bb0ded
bb0ded 
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
bb0ded 
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
bb0ded 
alternative wrapping algorithm for transport of secrets.
bb0ded
bb0ded 
Fixes: https://pagure.io/freeipa/issue/6524
bb0ded
bb0ded 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
bb0ded 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
bb0ded 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
bb0ded 
---
bb0ded 
 API.txt                    |   7 +-
bb0ded 
 VERSION.m4                 |   5 +-
bb0ded 
 ipaclient/plugins/vault.py | 155 +++++++++++++++++++++++++------------
bb0ded 
 ipalib/capabilities.py     |   4 +
bb0ded 
 ipalib/constants.py        |  12 +++
bb0ded 
 ipaserver/plugins/vault.py |  61 ++++++++++++---
bb0ded 
 6 files changed, 180 insertions(+), 64 deletions(-)
bb0ded
bb0ded 
diff --git a/API.txt b/API.txt
bb0ded 
index 576fa7c51e31886b257ccf176aaf232c0f2ea5ee..f95f2c8457e39f2268386a8a2336952d3285e008 100644
bb0ded 
--- a/API.txt
bb0ded 
+++ b/API.txt
bb0ded 
@@ -6548,7 +6548,7 @@ output: Output('completed', type=[<type 'int'>])
bb0ded 
 output: Output('failed', type=[<type 'dict'>])
bb0ded 
 output: Entry('result')
bb0ded 
 command: vault_archive_internal/1
bb0ded 
-args: 1,9,3
bb0ded 
+args: 1,10,3
bb0ded 
 arg: Str('cn', cli_name='name')
bb0ded 
 option: Flag('all', autofill=True, cli_name='all', default=False)
bb0ded 
 option: Bytes('nonce')
bb0ded 
@@ -6559,6 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
bb0ded 
 option: Str('username?', cli_name='user')
bb0ded 
 option: Bytes('vault_data')
bb0ded 
 option: Str('version?')
bb0ded 
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
bb0ded 
 output: Entry('result')
bb0ded 
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
bb0ded 
 output: PrimaryKey('value')
bb0ded 
@@ -6649,7 +6650,7 @@ output: Output('completed', type=[<type 'int'>])
bb0ded 
 output: Output('failed', type=[<type 'dict'>])
bb0ded 
 output: Entry('result')
bb0ded 
 command: vault_retrieve_internal/1
bb0ded 
-args: 1,7,3
bb0ded 
+args: 1,8,3
bb0ded 
 arg: Str('cn', cli_name='name')
bb0ded 
 option: Flag('all', autofill=True, cli_name='all', default=False)
bb0ded 
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
bb0ded 
@@ -6658,6 +6659,7 @@ option: Bytes('session_key')
bb0ded 
 option: Flag('shared?', autofill=True, default=False)
bb0ded 
 option: Str('username?', cli_name='user')
bb0ded 
 option: Str('version?')
bb0ded 
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
bb0ded 
 output: Entry('result')
bb0ded 
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
bb0ded 
 output: PrimaryKey('value')
bb0ded 
@@ -7327,6 +7329,7 @@ default: vaultcontainer_del/1
bb0ded 
 default: vaultcontainer_remove_owner/1
bb0ded 
 default: vaultcontainer_show/1
bb0ded 
 default: whoami/1
bb0ded 
+capability: vault_aes_keywrap 2.246
bb0ded 
 capability: messages 2.52
bb0ded 
 capability: optional_uid_params 2.54
bb0ded 
 capability: permissions2 2.69
bb0ded 
diff --git a/VERSION.m4 b/VERSION.m4
bb0ded 
index 70aaff4c9b9514a5937eae60074376e1a592464e..997ac35e74fa6f2a96da027ed3ce93cf809b62a7 100644
bb0ded 
--- a/VERSION.m4
bb0ded 
+++ b/VERSION.m4
bb0ded 
@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
bb0ded 
 #                                                      #
bb0ded 
 ########################################################
bb0ded 
 define(IPA_API_VERSION_MAJOR, 2)
bb0ded 
-# Last change: add enable_sid to config
bb0ded 
-define(IPA_API_VERSION_MINOR, 245)
bb0ded 
-
bb0ded 
+# Last change: Add wrapping algorithm to vault archive/retrieve
bb0ded 
+define(IPA_API_VERSION_MINOR, 246)
bb0ded
bb0ded 
 ########################################################
bb0ded 
 # Following values are auto-generated from values above
bb0ded 
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
bb0ded 
index d3a1d370efaccc7e5b0088bd3df341d76884d509..115171c7768d44251c17d0bcdac9c37b3a25db99 100644
bb0ded 
--- a/ipaclient/plugins/vault.py
bb0ded 
+++ b/ipaclient/plugins/vault.py
bb0ded 
@@ -25,11 +25,12 @@ import io
bb0ded 
 import json
bb0ded 
 import logging
bb0ded 
 import os
bb0ded 
+import ssl
bb0ded 
 import tempfile
bb0ded
bb0ded 
 from cryptography.fernet import Fernet, InvalidToken
bb0ded 
 from cryptography.hazmat.backends import default_backend
bb0ded 
-from cryptography.hazmat.primitives import hashes, serialization
bb0ded 
+from cryptography.hazmat.primitives import hashes
bb0ded 
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
bb0ded 
 from cryptography.hazmat.primitives.asymmetric import padding
bb0ded 
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
bb0ded 
@@ -39,7 +40,7 @@ from cryptography.hazmat.primitives.serialization import (
bb0ded
bb0ded 
 from ipaclient.frontend import MethodOverride
bb0ded 
 from ipalib import x509
bb0ded 
-from ipalib.constants import USER_CACHE_PATH
bb0ded 
+from ipalib import constants
bb0ded 
 from ipalib.frontend import Local, Method, Object
bb0ded 
 from ipalib.util import classproperty
bb0ded 
 from ipalib import api, errors
bb0ded 
@@ -546,42 +547,49 @@ class vault_mod(Local):
bb0ded 
         return response
bb0ded
bb0ded
bb0ded 
-class _TransportCertCache:
bb0ded 
+class _KraConfigCache:
bb0ded 
+    """The KRA config cache stores vaultconfig-show result.
bb0ded 
+    """
bb0ded 
     def __init__(self):
bb0ded 
         self._dirname = os.path.join(
bb0ded 
-                USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
bb0ded 
+            constants.USER_CACHE_PATH, 'ipa', 'kra-config'
bb0ded 
         )
bb0ded
bb0ded 
     def _get_filename(self, domain):
bb0ded 
-        basename = DNSName(domain).ToASCII() + '.pem'
bb0ded 
+        basename = DNSName(domain).ToASCII() + '.json'
bb0ded 
         return os.path.join(self._dirname, basename)
bb0ded
bb0ded 
-    def load_cert(self, domain):
bb0ded 
-        """Load cert from cache
bb0ded 
+    def load(self, domain):
bb0ded 
+        """Load config from cache
bb0ded
bb0ded 
         :param domain: IPA domain
bb0ded 
-        :return: cryptography.x509.Certificate or None
bb0ded 
+        :return: dict or None
bb0ded 
         """
bb0ded 
         filename = self._get_filename(domain)
bb0ded 
         try:
bb0ded 
             try:
bb0ded 
-                return x509.load_certificate_from_file(filename)
bb0ded 
-            except EnvironmentError as e:
bb0ded 
+                with open(filename) as f:
bb0ded 
+                    return json.load(f)
bb0ded 
+            except OSError as e:
bb0ded 
                 if e.errno != errno.ENOENT:
bb0ded 
                     raise
bb0ded 
         except Exception:
bb0ded 
             logger.warning("Failed to load %s", filename, exc_info=True)
bb0ded 
         return None
bb0ded
bb0ded 
-    def store_cert(self, domain, transport_cert):
bb0ded 
-        """Store a new cert or override existing cert
bb0ded 
+    def store(self, domain, response):
bb0ded 
+        """Store config in cache
bb0ded
bb0ded 
         :param domain: IPA domain
bb0ded 
-        :param transport_cert: cryptography.x509.Certificate
bb0ded 
-        :return: True if cert was stored successfully
bb0ded 
+        :param config: ipa vaultconfig-show response
bb0ded 
+        :return: True if config was stored successfully
bb0ded 
         """
bb0ded 
+        config = response['result'].copy()
bb0ded 
+        # store certificate as PEM-encoded ASCII
bb0ded 
+        config['transport_cert'] = ssl.DER_cert_to_PEM_cert(
bb0ded 
+            config['transport_cert']
bb0ded 
+        )
bb0ded 
         filename = self._get_filename(domain)
bb0ded 
-        pem = transport_cert.public_bytes(serialization.Encoding.PEM)
bb0ded 
         try:
bb0ded 
             try:
bb0ded 
                 os.makedirs(self._dirname)
bb0ded 
@@ -589,9 +597,9 @@ class _TransportCertCache:
bb0ded 
                 if e.errno != errno.EEXIST:
bb0ded 
                     raise
bb0ded 
             with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
bb0ded 
-                                             mode='wb') as f:
bb0ded 
+                                             mode='w') as f:
bb0ded 
                 try:
bb0ded 
-                    f.write(pem)
bb0ded 
+                    json.dump(config, f)
bb0ded 
                     ipautil.flush_sync(f)
bb0ded 
                     f.close()
bb0ded 
                     os.rename(f.name, filename)
bb0ded 
@@ -604,8 +612,8 @@ class _TransportCertCache:
bb0ded 
         else:
bb0ded 
             return True
bb0ded
bb0ded 
-    def remove_cert(self, domain):
bb0ded 
-        """Remove a cert from cache, ignores errors
bb0ded 
+    def remove(self, domain):
bb0ded 
+        """Remove a config from cache, ignores errors
bb0ded
bb0ded 
         :param domain: IPA domain
bb0ded 
         :return: True if cert was found and removed
bb0ded 
@@ -621,7 +629,7 @@ class _TransportCertCache:
bb0ded 
             return True
bb0ded
bb0ded
bb0ded 
-_transport_cert_cache = _TransportCertCache()
bb0ded 
+_kra_config_cache = _KraConfigCache()
bb0ded
bb0ded
bb0ded 
 @register(override=True, no_fail=True)
bb0ded 
@@ -636,13 +644,8 @@ class vaultconfig_show(MethodOverride):
bb0ded
bb0ded 
         response = super(vaultconfig_show, self).forward(*args, **options)
bb0ded
bb0ded 
-        # cache transport certificate
bb0ded 
-        transport_cert = x509.load_der_x509_certificate(
bb0ded 
-                response['result']['transport_cert'])
bb0ded 
-
bb0ded 
-        _transport_cert_cache.store_cert(
bb0ded 
-            self.api.env.domain, transport_cert
bb0ded 
-        )
bb0ded 
+        # cache config
bb0ded 
+        _kra_config_cache.store(self.api.env.domain, response)
bb0ded
bb0ded 
         if file:
bb0ded 
             with open(file, 'wb') as f:
bb0ded 
@@ -652,10 +655,54 @@ class vaultconfig_show(MethodOverride):
bb0ded
bb0ded
bb0ded 
 class ModVaultData(Local):
bb0ded 
-    def _generate_session_key(self):
bb0ded 
-        key_length = max(algorithms.TripleDES.key_sizes)
bb0ded 
-        algo = algorithms.TripleDES(os.urandom(key_length // 8))
bb0ded 
-        return algo
bb0ded 
+    def _generate_session_key(self, name):
bb0ded 
+        if name not in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
bb0ded 
+            msg = _("{algo} is not a supported vault wrapping algorithm")
bb0ded 
+            raise errors.ValidationError(msg.format(algo=repr(name)))
bb0ded 
+        if name == constants.VAULT_WRAPPING_AES128_CBC:
bb0ded 
+            return algorithms.AES(os.urandom(128 // 8))
bb0ded 
+        elif name == constants.VAULT_WRAPPING_3DES:
bb0ded 
+            return algorithms.TripleDES(os.urandom(196 // 8))
bb0ded 
+        else:
bb0ded 
+            # unreachable
bb0ded 
+            raise ValueError(name)
bb0ded 
+
bb0ded 
+    def _get_vaultconfig(self, force_refresh=False):
bb0ded 
+        config = None
bb0ded 
+        if not force_refresh:
bb0ded 
+            config = _kra_config_cache.load(self.api.env.domain)
bb0ded 
+        if config is None:
bb0ded 
+            # vaultconfig_show also caches data
bb0ded 
+            response = self.api.Command.vaultconfig_show()
bb0ded 
+            config = response['result']
bb0ded 
+            transport_cert = x509.load_der_x509_certificate(
bb0ded 
+                config['transport_cert']
bb0ded 
+            )
bb0ded 
+        else:
bb0ded 
+            # cached JSON uses PEM-encoded ASCII string
bb0ded 
+            transport_cert = x509.load_pem_x509_certificate(
bb0ded 
+                config['transport_cert'].encode('ascii')
bb0ded 
+            )
bb0ded 
+
bb0ded 
+        default_algo = config.get('wrapping_default_algorithm')
bb0ded 
+        if default_algo is None:
bb0ded 
+            # old server
bb0ded 
+            wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
bb0ded 
+        elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
bb0ded 
+            # try to use server default
bb0ded 
+            wrapping_algo = default_algo
bb0ded 
+        else:
bb0ded 
+            # prefer server's sorting order
bb0ded 
+            for algo in config['wrapping_supported_algorithms']:
bb0ded 
+                if algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
bb0ded 
+                    wrapping_algo = algo
bb0ded 
+                    break
bb0ded 
+            else:
bb0ded 
+                raise errors.ValidationError(
bb0ded 
+                    "No overlapping wrapping algorithm between server and "
bb0ded 
+                    "client."
bb0ded 
+                )
bb0ded 
+        return transport_cert, wrapping_algo
bb0ded
bb0ded 
     def _do_internal(self, algo, transport_cert, raise_unexpected,
bb0ded 
                      *args, **options):
bb0ded 
@@ -675,29 +722,23 @@ class ModVaultData(Local):
bb0ded 
         except (errors.InternalError,
bb0ded 
                 errors.ExecutionError,
bb0ded 
                 errors.GenericError):
bb0ded 
-            _transport_cert_cache.remove_cert(self.api.env.domain)
bb0ded 
+            _kra_config_cache.remove(self.api.env.domain)
bb0ded 
             if raise_unexpected:
bb0ded 
                 raise
bb0ded 
         return None
bb0ded
bb0ded 
-    def internal(self, algo, *args, **options):
bb0ded 
+    def internal(self, algo, transport_cert, *args, **options):
bb0ded 
         """
bb0ded 
         Calls the internal counterpart of the command.
bb0ded 
         """
bb0ded 
-        domain = self.api.env.domain
bb0ded 
-
bb0ded 
         # try call with cached transport certificate
bb0ded 
-        transport_cert = _transport_cert_cache.load_cert(domain)
bb0ded 
-        if transport_cert is not None:
bb0ded 
-            result = self._do_internal(algo, transport_cert, False,
bb0ded 
+        result = self._do_internal(algo, transport_cert, False,
bb0ded 
                                        *args, **options)
bb0ded 
-            if result is not None:
bb0ded 
-                return result
bb0ded 
+        if result is not None:
bb0ded 
+            return result
bb0ded
bb0ded 
         # retrieve transport certificate (cached by vaultconfig_show)
bb0ded 
-        response = self.api.Command.vaultconfig_show()
bb0ded 
-        transport_cert = x509.load_der_x509_certificate(
bb0ded 
-            response['result']['transport_cert'])
bb0ded 
+        transport_cert = self._get_vaultconfig(force_refresh=True)[0]
bb0ded 
         # call with the retrieved transport certificate
bb0ded 
         return self._do_internal(algo, transport_cert, True,
bb0ded 
                                  *args, **options)
bb0ded 
@@ -777,7 +818,7 @@ class vault_archive(ModVaultData):
bb0ded 
     def _wrap_data(self, algo, json_vault_data):
bb0ded 
         """Encrypt data with wrapped session key and transport cert
bb0ded
bb0ded 
-        :param bytes algo: wrapping algorithm instance
bb0ded 
+        :param algo: wrapping algorithm instance
bb0ded 
         :param bytes json_vault_data: dumped vault data
bb0ded 
         :return:
bb0ded 
         """
bb0ded 
@@ -929,15 +970,24 @@ class vault_archive(ModVaultData):
bb0ded
bb0ded 
         json_vault_data = json.dumps(vault_data).encode('utf-8')
bb0ded
bb0ded 
+        # get config
bb0ded 
+        transport_cert, wrapping_algo = self._get_vaultconfig()
bb0ded 
+        # let options override wrapping algo
bb0ded 
+        # For backwards compatibility do not send old legacy wrapping algo
bb0ded 
+        # to server. Only send the option when non-3DES is used.
bb0ded 
+        wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
bb0ded 
+        if wrapping_algo != constants.VAULT_WRAPPING_3DES:
bb0ded 
+            options['wrapping_algo'] = wrapping_algo
bb0ded 
+
bb0ded 
         # generate session key
bb0ded 
-        algo = self._generate_session_key()
bb0ded 
+        algo = self._generate_session_key(wrapping_algo)
bb0ded 
         # wrap vault data
bb0ded 
         nonce, wrapped_vault_data = self._wrap_data(algo, json_vault_data)
bb0ded 
         options.update(
bb0ded 
             nonce=nonce,
bb0ded 
             vault_data=wrapped_vault_data
bb0ded 
         )
bb0ded 
-        return self.internal(algo, *args, **options)
bb0ded 
+        return self.internal(algo, transport_cert, *args, **options)
bb0ded
bb0ded
bb0ded 
 @register(no_fail=True)
bb0ded 
@@ -1061,10 +1111,19 @@ class vault_retrieve(ModVaultData):
bb0ded 
         vault = self.api.Command.vault_show(*args, **options)['result']
bb0ded 
         vault_type = vault['ipavaulttype'][0]
bb0ded
bb0ded 
+        # get config
bb0ded 
+        transport_cert, wrapping_algo = self._get_vaultconfig()
bb0ded 
+        # let options override wrapping algo
bb0ded 
+        # For backwards compatibility do not send old legacy wrapping algo
bb0ded 
+        # to server. Only send the option when non-3DES is used.
bb0ded 
+        wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
bb0ded 
+        if wrapping_algo != constants.VAULT_WRAPPING_3DES:
bb0ded 
+            options['wrapping_algo'] = wrapping_algo
bb0ded 
+
bb0ded 
         # generate session key
bb0ded 
-        algo = self._generate_session_key()
bb0ded 
+        algo = self._generate_session_key(wrapping_algo)
bb0ded 
         # send retrieval request to server
bb0ded 
-        response = self.internal(algo, *args, **options)
bb0ded 
+        response = self.internal(algo, transport_cert, *args, **options)
bb0ded 
         # unwrap data with session key
bb0ded 
         vault_data = self._unwrap_response(
bb0ded 
             algo,
bb0ded 
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
bb0ded 
index 55b84aa6bc73d583e7bd5d03d2f4f1cc5c8e7c0b..4d8ae408bf67c280d27ce494baa9db9aaff0cd69 100644
bb0ded 
--- a/ipalib/capabilities.py
bb0ded 
+++ b/ipalib/capabilities.py
bb0ded 
@@ -54,6 +54,10 @@ capabilities = dict(
bb0ded
bb0ded 
     # dns_name_values: dnsnames as objects
bb0ded 
     dns_name_values=u'2.88',
bb0ded 
+
bb0ded 
+    # vault supports aes key wrapping
bb0ded 
+    vault_aes_keywrap='2.246'
bb0ded 
+
bb0ded 
 )
bb0ded
bb0ded
bb0ded 
diff --git a/ipalib/constants.py b/ipalib/constants.py
bb0ded 
index 9f19b0f9941ba5068f1e6c218092e3b76fdc7599..11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a 100644
bb0ded 
--- a/ipalib/constants.py
bb0ded 
+++ b/ipalib/constants.py
bb0ded 
@@ -374,3 +374,15 @@ KRA_TRACKING_REQS = {
bb0ded 
 }
bb0ded
bb0ded 
 ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
bb0ded 
+
bb0ded 
+# vault data wrapping algorithms
bb0ded 
+VAULT_WRAPPING_3DES = 'des-ede3-cbc'
bb0ded 
+VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
bb0ded 
+VAULT_WRAPPING_SUPPORTED_ALGOS = (
bb0ded 
+    # old default was 3DES
bb0ded 
+    VAULT_WRAPPING_3DES,
bb0ded 
+    # supported since pki-kra >= 10.4
bb0ded 
+    VAULT_WRAPPING_AES128_CBC,
bb0ded 
+)
bb0ded 
+# 3DES for backwards compatibility
bb0ded 
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
bb0ded 
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
bb0ded 
index aebac7dff7bb9d183c6012cc685577d476e18c4e..4d40f66c6a793a831e91c5fe25c8b5277cbd1972 100644
bb0ded 
--- a/ipaserver/plugins/vault.py
bb0ded 
+++ b/ipaserver/plugins/vault.py
bb0ded 
@@ -23,6 +23,10 @@ from ipalib.frontend import Command, Object
bb0ded 
 from ipalib import api, errors
bb0ded 
 from ipalib import Bytes, Flag, Str, StrEnum
bb0ded 
 from ipalib import output
bb0ded 
+from ipalib.constants import (
bb0ded 
+    VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_DEFAULT_ALGO,
bb0ded 
+    VAULT_WRAPPING_3DES, VAULT_WRAPPING_AES128_CBC,
bb0ded 
+)
bb0ded 
 from ipalib.crud import PKQuery, Retrieve
bb0ded 
 from ipalib.parameters import Principal
bb0ded 
 from ipalib.plugable import Registry
bb0ded 
@@ -39,14 +43,8 @@ from ipaserver.masters import is_service_enabled
bb0ded 
 if api.env.in_server:
bb0ded 
     import pki.account
bb0ded 
     import pki.key
bb0ded 
-    # pylint: disable=no-member
bb0ded 
-    try:
bb0ded 
-        # pki >= 10.4.0
bb0ded 
-        from pki.crypto import DES_EDE3_CBC_OID
bb0ded 
-    except ImportError:
bb0ded 
-        DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
bb0ded 
-    # pylint: enable=no-member
bb0ded 
-
bb0ded 
+    from pki.crypto import DES_EDE3_CBC_OID
bb0ded 
+    from pki.crypto import AES_128_CBC_OID
bb0ded
bb0ded 
 if six.PY3:
bb0ded 
     unicode = str
bb0ded 
@@ -652,6 +652,20 @@ class vault(LDAPObject):
bb0ded 
         ),
bb0ded 
     )
bb0ded
bb0ded 
+    def _translate_algorithm(self, name):
bb0ded 
+        if name is None:
bb0ded 
+            name = VAULT_WRAPPING_DEFAULT_ALGO
bb0ded 
+        if name not in VAULT_WRAPPING_SUPPORTED_ALGOS:
bb0ded 
+            msg = _("{algo} is not a supported vault wrapping algorithm")
bb0ded 
+            raise errors.ValidationError(msg.format(algo=name))
bb0ded 
+        if name == VAULT_WRAPPING_3DES:
bb0ded 
+            return DES_EDE3_CBC_OID
bb0ded 
+        elif name == VAULT_WRAPPING_AES128_CBC:
bb0ded 
+            return AES_128_CBC_OID
bb0ded 
+        else:
bb0ded 
+            # unreachable
bb0ded 
+            raise ValueError(name)
bb0ded 
+
bb0ded 
     def get_dn(self, *keys, **options):
bb0ded 
         """
bb0ded 
         Generates vault DN from parameters.
bb0ded 
@@ -992,14 +1006,18 @@ class vaultconfig_show(Retrieve):
bb0ded 
     )
bb0ded
bb0ded 
     def execute(self, *args, **options):
bb0ded 
-
bb0ded 
         if not self.api.Command.kra_is_enabled()['result']:
bb0ded 
             raise errors.InvocationError(
bb0ded 
                 format=_('KRA service is not enabled'))
bb0ded
bb0ded 
+        config = dict(
bb0ded 
+            wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
bb0ded 
+            wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
bb0ded 
+        )
bb0ded 
+
bb0ded 
         with self.api.Backend.kra.get_client() as kra_client:
bb0ded 
             transport_cert = kra_client.system_certs.get_transport_cert()
bb0ded 
-            config = {'transport_cert': transport_cert.binary}
bb0ded 
+            config['transport_cert'] = transport_cert.binary
bb0ded
bb0ded 
         self.api.Object.config.show_servroles_attributes(
bb0ded 
             config, "KRA server", **options)
bb0ded 
@@ -1029,6 +1047,13 @@ class vault_archive_internal(PKQuery):
bb0ded 
             'nonce',
bb0ded 
             doc=_('Nonce'),
bb0ded 
         ),
bb0ded 
+        StrEnum(
bb0ded 
+            'wrapping_algo?',
bb0ded 
+            doc=_('Key wrapping algorithm'),
bb0ded 
+            values=VAULT_WRAPPING_SUPPORTED_ALGOS,
bb0ded 
+            default=VAULT_WRAPPING_DEFAULT_ALGO,
bb0ded 
+            autofill=True,
bb0ded 
+        ),
bb0ded 
     )
bb0ded
bb0ded 
     has_output = output.standard_entry
bb0ded 
@@ -1045,6 +1070,9 @@ class vault_archive_internal(PKQuery):
bb0ded 
         nonce = options.pop('nonce')
bb0ded 
         wrapped_session_key = options.pop('session_key')
bb0ded
bb0ded 
+        wrapping_algo = options.pop('wrapping_algo', None)
bb0ded 
+        algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
bb0ded 
+
bb0ded 
         # retrieve vault info
bb0ded 
         vault = self.api.Command.vault_show(*args, **options)['result']
bb0ded
bb0ded 
@@ -1071,7 +1099,7 @@ class vault_archive_internal(PKQuery):
bb0ded 
                 pki.key.KeyClient.PASS_PHRASE_TYPE,
bb0ded 
                 wrapped_vault_data,
bb0ded 
                 wrapped_session_key,
bb0ded 
-                algorithm_oid=DES_EDE3_CBC_OID,
bb0ded 
+                algorithm_oid=algorithm_oid,
bb0ded 
                 nonce_iv=nonce,
bb0ded 
             )
bb0ded
bb0ded 
@@ -1098,6 +1126,13 @@ class vault_retrieve_internal(PKQuery):
bb0ded 
             'session_key',
bb0ded 
             doc=_('Session key wrapped with transport certificate'),
bb0ded 
         ),
bb0ded 
+        StrEnum(
bb0ded 
+            'wrapping_algo?',
bb0ded 
+            doc=_('Key wrapping algorithm'),
bb0ded 
+            values=VAULT_WRAPPING_SUPPORTED_ALGOS,
bb0ded 
+            default=VAULT_WRAPPING_DEFAULT_ALGO,
bb0ded 
+            autofill=True,
bb0ded 
+        ),
bb0ded 
     )
bb0ded
bb0ded 
     has_output = output.standard_entry
bb0ded 
@@ -1112,6 +1147,9 @@ class vault_retrieve_internal(PKQuery):
bb0ded
bb0ded 
         wrapped_session_key = options.pop('session_key')
bb0ded
bb0ded 
+        wrapping_algo = options.pop('wrapping_algo', None)
bb0ded 
+        algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
bb0ded 
+
bb0ded 
         # retrieve vault info
bb0ded 
         vault = self.api.Command.vault_show(*args, **options)['result']
bb0ded
bb0ded 
@@ -1132,6 +1170,9 @@ class vault_retrieve_internal(PKQuery):
bb0ded
bb0ded 
             key_info = response.key_infos[0]
bb0ded
bb0ded 
+            # XXX hack
bb0ded 
+            kra_client.keys.encrypt_alg_oid = algorithm_oid
bb0ded 
+
bb0ded 
             # retrieve encrypted data from KRA
bb0ded 
             key = kra_client.keys.retrieve_key(
bb0ded 
                 key_info.get_key_id(),
bb0ded 
--
bb0ded 
2.34.1
bb0ded

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation