|
|
bb0ded |
From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001
|
|
|
bb0ded |
From: Francisco Trivino <ftrivino@redhat.com>
|
|
|
bb0ded |
Date: Fri, 11 Mar 2022 17:47:38 +0100
|
|
|
bb0ded |
Subject: [PATCH] Set AES as default for KRA archival wrapping
|
|
|
bb0ded |
|
|
|
bb0ded |
This commit sets AES-128-CBC as default wrapping algorithm as
|
|
|
bb0ded |
TripleDES (des-ede3-cbc) is not supported anymore in C9S.
|
|
|
bb0ded |
|
|
|
bb0ded |
Fixes: https://pagure.io/freeipa/issue/6524
|
|
|
bb0ded |
|
|
|
bb0ded |
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
bb0ded |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
bb0ded |
---
|
|
|
bb0ded |
API.txt | 6 +++---
|
|
|
bb0ded |
ipalib/constants.py | 14 +++++++++-----
|
|
|
bb0ded |
2 files changed, 12 insertions(+), 8 deletions(-)
|
|
|
bb0ded |
|
|
|
bb0ded |
diff --git a/API.txt b/API.txt
|
|
|
bb0ded |
index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644
|
|
|
bb0ded |
--- a/API.txt
|
|
|
bb0ded |
+++ b/API.txt
|
|
|
bb0ded |
@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
|
|
|
bb0ded |
option: Str('username?', cli_name='user')
|
|
|
bb0ded |
option: Bytes('vault_data')
|
|
|
bb0ded |
option: Str('version?')
|
|
|
bb0ded |
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
|
|
|
bb0ded |
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
|
|
bb0ded |
output: Entry('result')
|
|
|
bb0ded |
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
|
|
bb0ded |
output: PrimaryKey('value')
|
|
|
bb0ded |
@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
|
|
|
bb0ded |
option: Flag('shared?', autofill=True, default=False)
|
|
|
bb0ded |
option: Str('username?', cli_name='user')
|
|
|
bb0ded |
option: Str('version?')
|
|
|
bb0ded |
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
|
|
|
bb0ded |
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
|
|
|
bb0ded |
output: Entry('result')
|
|
|
bb0ded |
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
|
|
|
bb0ded |
output: PrimaryKey('value')
|
|
|
bb0ded |
@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
|
|
|
bb0ded |
default: vaultcontainer_remove_owner/1
|
|
|
bb0ded |
default: vaultcontainer_show/1
|
|
|
bb0ded |
default: whoami/1
|
|
|
bb0ded |
-capability: vault_aes_keywrap 2.246
|
|
|
bb0ded |
capability: messages 2.52
|
|
|
bb0ded |
capability: optional_uid_params 2.54
|
|
|
bb0ded |
capability: permissions2 2.69
|
|
|
bb0ded |
capability: primary_key_types 2.83
|
|
|
bb0ded |
capability: datetime_values 2.84
|
|
|
bb0ded |
capability: dns_name_values 2.88
|
|
|
bb0ded |
+capability: vault_aes_keywrap 2.246
|
|
|
bb0ded |
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
|
|
bb0ded |
index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644
|
|
|
bb0ded |
--- a/ipalib/constants.py
|
|
|
bb0ded |
+++ b/ipalib/constants.py
|
|
|
bb0ded |
@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
|
|
|
bb0ded |
from ipapython.dn import DN
|
|
|
bb0ded |
from ipapython.fqdn import gethostfqdn
|
|
|
bb0ded |
from ipapython.version import VERSION, API_VERSION
|
|
|
bb0ded |
+from cryptography.hazmat.primitives.ciphers import algorithms, modes
|
|
|
bb0ded |
+from cryptography.hazmat.backends.openssl.backend import backend
|
|
|
bb0ded |
|
|
|
bb0ded |
|
|
|
bb0ded |
FQDN = gethostfqdn()
|
|
|
bb0ded |
@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
|
|
|
bb0ded |
VAULT_WRAPPING_3DES = 'des-ede3-cbc'
|
|
|
bb0ded |
VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
|
|
|
bb0ded |
VAULT_WRAPPING_SUPPORTED_ALGOS = (
|
|
|
bb0ded |
- # old default was 3DES
|
|
|
bb0ded |
- VAULT_WRAPPING_3DES,
|
|
|
bb0ded |
- # supported since pki-kra >= 10.4
|
|
|
bb0ded |
+ # new default and supported since pki-kra >= 10.4
|
|
|
bb0ded |
VAULT_WRAPPING_AES128_CBC,
|
|
|
bb0ded |
)
|
|
|
bb0ded |
-# 3DES for backwards compatibility
|
|
|
bb0ded |
-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
|
|
|
bb0ded |
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
|
|
|
bb0ded |
+
|
|
|
bb0ded |
+# Add 3DES for backwards compatibility if supported
|
|
|
bb0ded |
+if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
|
|
|
bb0ded |
+ modes.CBC(b"\x00" * 8)):
|
|
|
bb0ded |
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
|
|
|
bb0ded |
--
|
|
|
bb0ded |
2.34.1
|
|
|
bb0ded |
|