bb0ded
From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001
bb0ded
From: Francisco Trivino <ftrivino@redhat.com>
bb0ded
Date: Fri, 11 Mar 2022 17:47:38 +0100
bb0ded
Subject: [PATCH] Set AES as default for KRA archival wrapping
bb0ded
bb0ded
This commit sets AES-128-CBC as default wrapping algorithm as
bb0ded
TripleDES (des-ede3-cbc) is not supported anymore in C9S.
bb0ded
bb0ded
Fixes: https://pagure.io/freeipa/issue/6524
bb0ded
bb0ded
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
bb0ded
Reviewed-By: Christian Heimes <cheimes@redhat.com>
bb0ded
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
bb0ded
---
bb0ded
 API.txt             |  6 +++---
bb0ded
 ipalib/constants.py | 14 +++++++++-----
bb0ded
 2 files changed, 12 insertions(+), 8 deletions(-)
bb0ded
bb0ded
diff --git a/API.txt b/API.txt
bb0ded
index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644
bb0ded
--- a/API.txt
bb0ded
+++ b/API.txt
bb0ded
@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
bb0ded
 option: Str('username?', cli_name='user')
bb0ded
 option: Bytes('vault_data')
bb0ded
 option: Str('version?')
bb0ded
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
bb0ded
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
bb0ded
 output: Entry('result')
bb0ded
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
bb0ded
 output: PrimaryKey('value')
bb0ded
@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
bb0ded
 option: Flag('shared?', autofill=True, default=False)
bb0ded
 option: Str('username?', cli_name='user')
bb0ded
 option: Str('version?')
bb0ded
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
bb0ded
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
bb0ded
 output: Entry('result')
bb0ded
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
bb0ded
 output: PrimaryKey('value')
bb0ded
@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
bb0ded
 default: vaultcontainer_remove_owner/1
bb0ded
 default: vaultcontainer_show/1
bb0ded
 default: whoami/1
bb0ded
-capability: vault_aes_keywrap 2.246
bb0ded
 capability: messages 2.52
bb0ded
 capability: optional_uid_params 2.54
bb0ded
 capability: permissions2 2.69
bb0ded
 capability: primary_key_types 2.83
bb0ded
 capability: datetime_values 2.84
bb0ded
 capability: dns_name_values 2.88
bb0ded
+capability: vault_aes_keywrap 2.246
bb0ded
diff --git a/ipalib/constants.py b/ipalib/constants.py
bb0ded
index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644
bb0ded
--- a/ipalib/constants.py
bb0ded
+++ b/ipalib/constants.py
bb0ded
@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
bb0ded
 from ipapython.dn import DN
bb0ded
 from ipapython.fqdn import gethostfqdn
bb0ded
 from ipapython.version import VERSION, API_VERSION
bb0ded
+from cryptography.hazmat.primitives.ciphers import algorithms, modes
bb0ded
+from cryptography.hazmat.backends.openssl.backend import backend
bb0ded
 
bb0ded
 
bb0ded
 FQDN = gethostfqdn()
bb0ded
@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
bb0ded
 VAULT_WRAPPING_3DES = 'des-ede3-cbc'
bb0ded
 VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
bb0ded
 VAULT_WRAPPING_SUPPORTED_ALGOS = (
bb0ded
-    # old default was 3DES
bb0ded
-    VAULT_WRAPPING_3DES,
bb0ded
-    # supported since pki-kra >= 10.4
bb0ded
+    # new default and supported since pki-kra >= 10.4
bb0ded
     VAULT_WRAPPING_AES128_CBC,
bb0ded
 )
bb0ded
-# 3DES for backwards compatibility
bb0ded
-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
bb0ded
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
bb0ded
+
bb0ded
+# Add 3DES for backwards compatibility if supported
bb0ded
+if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
bb0ded
+                            modes.CBC(b"\x00" * 8)):
bb0ded
+    VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
bb0ded
-- 
bb0ded
2.34.1
bb0ded