From 895e99b6843c2fa2274acab824607c33c1a560a4 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 7 Oct 2019 14:13:03 +0200
Subject: [PATCH] Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
API.txt | 7 +-
VERSION.m4 | 5 +-
ipaclient/plugins/vault.py | 155 +++++++++++++++++++++++++------------
ipalib/capabilities.py | 4 +
ipalib/constants.py | 12 +++
ipaserver/plugins/vault.py | 61 ++++++++++++---
6 files changed, 180 insertions(+), 64 deletions(-)
diff --git a/API.txt b/API.txt
index 576fa7c51e31886b257ccf176aaf232c0f2ea5ee..f95f2c8457e39f2268386a8a2336952d3285e008 100644
--- a/API.txt
+++ b/API.txt
@@ -6548,7 +6548,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: vault_archive_internal/1
-args: 1,9,3
+args: 1,10,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Bytes('nonce')
@@ -6559,6 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6649,7 +6650,7 @@ output: Output('completed', type=[<type 'int'>])
output: Output('failed', type=[<type 'dict'>])
output: Entry('result')
command: vault_retrieve_internal/1
-args: 1,7,3
+args: 1,8,3
arg: Str('cn', cli_name='name')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -6658,6 +6659,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -7327,6 +7329,7 @@ default: vaultcontainer_del/1
default: vaultcontainer_remove_owner/1
default: vaultcontainer_show/1
default: whoami/1
+capability: vault_aes_keywrap 2.246
capability: messages 2.52
capability: optional_uid_params 2.54
capability: permissions2 2.69
diff --git a/VERSION.m4 b/VERSION.m4
index 70aaff4c9b9514a5937eae60074376e1a592464e..997ac35e74fa6f2a96da027ed3ce93cf809b62a7 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,9 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
-# Last change: add enable_sid to config
-define(IPA_API_VERSION_MINOR, 245)
-
+# Last change: Add wrapping algorithm to vault archive/retrieve
+define(IPA_API_VERSION_MINOR, 246)
########################################################
# Following values are auto-generated from values above
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index d3a1d370efaccc7e5b0088bd3df341d76884d509..115171c7768d44251c17d0bcdac9c37b3a25db99 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -25,11 +25,12 @@ import io
import json
import logging
import os
+import ssl
import tempfile
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
@@ -39,7 +40,7 @@ from cryptography.hazmat.primitives.serialization import (
from ipaclient.frontend import MethodOverride
from ipalib import x509
-from ipalib.constants import USER_CACHE_PATH
+from ipalib import constants
from ipalib.frontend import Local, Method, Object
from ipalib.util import classproperty
from ipalib import api, errors
@@ -546,42 +547,49 @@ class vault_mod(Local):
return response
-class _TransportCertCache:
+class _KraConfigCache:
+ """The KRA config cache stores vaultconfig-show result.
+ """
def __init__(self):
self._dirname = os.path.join(
- USER_CACHE_PATH, 'ipa', 'kra-transport-certs'
+ constants.USER_CACHE_PATH, 'ipa', 'kra-config'
)
def _get_filename(self, domain):
- basename = DNSName(domain).ToASCII() + '.pem'
+ basename = DNSName(domain).ToASCII() + '.json'
return os.path.join(self._dirname, basename)
- def load_cert(self, domain):
- """Load cert from cache
+ def load(self, domain):
+ """Load config from cache
:param domain: IPA domain
- :return: cryptography.x509.Certificate or None
+ :return: dict or None
"""
filename = self._get_filename(domain)
try:
try:
- return x509.load_certificate_from_file(filename)
- except EnvironmentError as e:
+ with open(filename) as f:
+ return json.load(f)
+ except OSError as e:
if e.errno != errno.ENOENT:
raise
except Exception:
logger.warning("Failed to load %s", filename, exc_info=True)
return None
- def store_cert(self, domain, transport_cert):
- """Store a new cert or override existing cert
+ def store(self, domain, response):
+ """Store config in cache
:param domain: IPA domain
- :param transport_cert: cryptography.x509.Certificate
- :return: True if cert was stored successfully
+ :param config: ipa vaultconfig-show response
+ :return: True if config was stored successfully
"""
+ config = response['result'].copy()
+ # store certificate as PEM-encoded ASCII
+ config['transport_cert'] = ssl.DER_cert_to_PEM_cert(
+ config['transport_cert']
+ )
filename = self._get_filename(domain)
- pem = transport_cert.public_bytes(serialization.Encoding.PEM)
try:
try:
os.makedirs(self._dirname)
@@ -589,9 +597,9 @@ class _TransportCertCache:
if e.errno != errno.EEXIST:
raise
with tempfile.NamedTemporaryFile(dir=self._dirname, delete=False,
- mode='wb') as f:
+ mode='w') as f:
try:
- f.write(pem)
+ json.dump(config, f)
ipautil.flush_sync(f)
f.close()
os.rename(f.name, filename)
@@ -604,8 +612,8 @@ class _TransportCertCache:
else:
return True
- def remove_cert(self, domain):
- """Remove a cert from cache, ignores errors
+ def remove(self, domain):
+ """Remove a config from cache, ignores errors
:param domain: IPA domain
:return: True if cert was found and removed
@@ -621,7 +629,7 @@ class _TransportCertCache:
return True
-_transport_cert_cache = _TransportCertCache()
+_kra_config_cache = _KraConfigCache()
@register(override=True, no_fail=True)
@@ -636,13 +644,8 @@ class vaultconfig_show(MethodOverride):
response = super(vaultconfig_show, self).forward(*args, **options)
- # cache transport certificate
- transport_cert = x509.load_der_x509_certificate(
- response['result']['transport_cert'])
-
- _transport_cert_cache.store_cert(
- self.api.env.domain, transport_cert
- )
+ # cache config
+ _kra_config_cache.store(self.api.env.domain, response)
if file:
with open(file, 'wb') as f:
@@ -652,10 +655,54 @@ class vaultconfig_show(MethodOverride):
class ModVaultData(Local):
- def _generate_session_key(self):
- key_length = max(algorithms.TripleDES.key_sizes)
- algo = algorithms.TripleDES(os.urandom(key_length // 8))
- return algo
+ def _generate_session_key(self, name):
+ if name not in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ msg = _("{algo} is not a supported vault wrapping algorithm")
+ raise errors.ValidationError(msg.format(algo=repr(name)))
+ if name == constants.VAULT_WRAPPING_AES128_CBC:
+ return algorithms.AES(os.urandom(128 // 8))
+ elif name == constants.VAULT_WRAPPING_3DES:
+ return algorithms.TripleDES(os.urandom(196 // 8))
+ else:
+ # unreachable
+ raise ValueError(name)
+
+ def _get_vaultconfig(self, force_refresh=False):
+ config = None
+ if not force_refresh:
+ config = _kra_config_cache.load(self.api.env.domain)
+ if config is None:
+ # vaultconfig_show also caches data
+ response = self.api.Command.vaultconfig_show()
+ config = response['result']
+ transport_cert = x509.load_der_x509_certificate(
+ config['transport_cert']
+ )
+ else:
+ # cached JSON uses PEM-encoded ASCII string
+ transport_cert = x509.load_pem_x509_certificate(
+ config['transport_cert'].encode('ascii')
+ )
+
+ default_algo = config.get('wrapping_default_algorithm')
+ if default_algo is None:
+ # old server
+ wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
+ elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ # try to use server default
+ wrapping_algo = default_algo
+ else:
+ # prefer server's sorting order
+ for algo in config['wrapping_supported_algorithms']:
+ if algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
+ wrapping_algo = algo
+ break
+ else:
+ raise errors.ValidationError(
+ "No overlapping wrapping algorithm between server and "
+ "client."
+ )
+ return transport_cert, wrapping_algo
def _do_internal(self, algo, transport_cert, raise_unexpected,
*args, **options):
@@ -675,29 +722,23 @@ class ModVaultData(Local):
except (errors.InternalError,
errors.ExecutionError,
errors.GenericError):
- _transport_cert_cache.remove_cert(self.api.env.domain)
+ _kra_config_cache.remove(self.api.env.domain)
if raise_unexpected:
raise
return None
- def internal(self, algo, *args, **options):
+ def internal(self, algo, transport_cert, *args, **options):
"""
Calls the internal counterpart of the command.
"""
- domain = self.api.env.domain
-
# try call with cached transport certificate
- transport_cert = _transport_cert_cache.load_cert(domain)
- if transport_cert is not None:
- result = self._do_internal(algo, transport_cert, False,
+ result = self._do_internal(algo, transport_cert, False,
*args, **options)
- if result is not None:
- return result
+ if result is not None:
+ return result
# retrieve transport certificate (cached by vaultconfig_show)
- response = self.api.Command.vaultconfig_show()
- transport_cert = x509.load_der_x509_certificate(
- response['result']['transport_cert'])
+ transport_cert = self._get_vaultconfig(force_refresh=True)[0]
# call with the retrieved transport certificate
return self._do_internal(algo, transport_cert, True,
*args, **options)
@@ -777,7 +818,7 @@ class vault_archive(ModVaultData):
def _wrap_data(self, algo, json_vault_data):
"""Encrypt data with wrapped session key and transport cert
- :param bytes algo: wrapping algorithm instance
+ :param algo: wrapping algorithm instance
:param bytes json_vault_data: dumped vault data
:return:
"""
@@ -929,15 +970,24 @@ class vault_archive(ModVaultData):
json_vault_data = json.dumps(vault_data).encode('utf-8')
+ # get config
+ transport_cert, wrapping_algo = self._get_vaultconfig()
+ # let options override wrapping algo
+ # For backwards compatibility do not send old legacy wrapping algo
+ # to server. Only send the option when non-3DES is used.
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
+ options['wrapping_algo'] = wrapping_algo
+
# generate session key
- algo = self._generate_session_key()
+ algo = self._generate_session_key(wrapping_algo)
# wrap vault data
nonce, wrapped_vault_data = self._wrap_data(algo, json_vault_data)
options.update(
nonce=nonce,
vault_data=wrapped_vault_data
)
- return self.internal(algo, *args, **options)
+ return self.internal(algo, transport_cert, *args, **options)
@register(no_fail=True)
@@ -1061,10 +1111,19 @@ class vault_retrieve(ModVaultData):
vault = self.api.Command.vault_show(*args, **options)['result']
vault_type = vault['ipavaulttype'][0]
+ # get config
+ transport_cert, wrapping_algo = self._get_vaultconfig()
+ # let options override wrapping algo
+ # For backwards compatibility do not send old legacy wrapping algo
+ # to server. Only send the option when non-3DES is used.
+ wrapping_algo = options.pop('wrapping_algo', wrapping_algo)
+ if wrapping_algo != constants.VAULT_WRAPPING_3DES:
+ options['wrapping_algo'] = wrapping_algo
+
# generate session key
- algo = self._generate_session_key()
+ algo = self._generate_session_key(wrapping_algo)
# send retrieval request to server
- response = self.internal(algo, *args, **options)
+ response = self.internal(algo, transport_cert, *args, **options)
# unwrap data with session key
vault_data = self._unwrap_response(
algo,
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
index 55b84aa6bc73d583e7bd5d03d2f4f1cc5c8e7c0b..4d8ae408bf67c280d27ce494baa9db9aaff0cd69 100644
--- a/ipalib/capabilities.py
+++ b/ipalib/capabilities.py
@@ -54,6 +54,10 @@ capabilities = dict(
# dns_name_values: dnsnames as objects
dns_name_values=u'2.88',
+
+ # vault supports aes key wrapping
+ vault_aes_keywrap='2.246'
+
)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 9f19b0f9941ba5068f1e6c218092e3b76fdc7599..11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -374,3 +374,15 @@ KRA_TRACKING_REQS = {
}
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
+
+# vault data wrapping algorithms
+VAULT_WRAPPING_3DES = 'des-ede3-cbc'
+VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
+VAULT_WRAPPING_SUPPORTED_ALGOS = (
+ # old default was 3DES
+ VAULT_WRAPPING_3DES,
+ # supported since pki-kra >= 10.4
+ VAULT_WRAPPING_AES128_CBC,
+)
+# 3DES for backwards compatibility
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index aebac7dff7bb9d183c6012cc685577d476e18c4e..4d40f66c6a793a831e91c5fe25c8b5277cbd1972 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -23,6 +23,10 @@ from ipalib.frontend import Command, Object
from ipalib import api, errors
from ipalib import Bytes, Flag, Str, StrEnum
from ipalib import output
+from ipalib.constants import (
+ VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_DEFAULT_ALGO,
+ VAULT_WRAPPING_3DES, VAULT_WRAPPING_AES128_CBC,
+)
from ipalib.crud import PKQuery, Retrieve
from ipalib.parameters import Principal
from ipalib.plugable import Registry
@@ -39,14 +43,8 @@ from ipaserver.masters import is_service_enabled
if api.env.in_server:
import pki.account
import pki.key
- # pylint: disable=no-member
- try:
- # pki >= 10.4.0
- from pki.crypto import DES_EDE3_CBC_OID
- except ImportError:
- DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
- # pylint: enable=no-member
-
+ from pki.crypto import DES_EDE3_CBC_OID
+ from pki.crypto import AES_128_CBC_OID
if six.PY3:
unicode = str
@@ -652,6 +652,20 @@ class vault(LDAPObject):
),
)
+ def _translate_algorithm(self, name):
+ if name is None:
+ name = VAULT_WRAPPING_DEFAULT_ALGO
+ if name not in VAULT_WRAPPING_SUPPORTED_ALGOS:
+ msg = _("{algo} is not a supported vault wrapping algorithm")
+ raise errors.ValidationError(msg.format(algo=name))
+ if name == VAULT_WRAPPING_3DES:
+ return DES_EDE3_CBC_OID
+ elif name == VAULT_WRAPPING_AES128_CBC:
+ return AES_128_CBC_OID
+ else:
+ # unreachable
+ raise ValueError(name)
+
def get_dn(self, *keys, **options):
"""
Generates vault DN from parameters.
@@ -992,14 +1006,18 @@ class vaultconfig_show(Retrieve):
)
def execute(self, *args, **options):
-
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
+ config = dict(
+ wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
+ )
+
with self.api.Backend.kra.get_client() as kra_client:
transport_cert = kra_client.system_certs.get_transport_cert()
- config = {'transport_cert': transport_cert.binary}
+ config['transport_cert'] = transport_cert.binary
self.api.Object.config.show_servroles_attributes(
config, "KRA server", **options)
@@ -1029,6 +1047,13 @@ class vault_archive_internal(PKQuery):
'nonce',
doc=_('Nonce'),
),
+ StrEnum(
+ 'wrapping_algo?',
+ doc=_('Key wrapping algorithm'),
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
+ autofill=True,
+ ),
)
has_output = output.standard_entry
@@ -1045,6 +1070,9 @@ class vault_archive_internal(PKQuery):
nonce = options.pop('nonce')
wrapped_session_key = options.pop('session_key')
+ wrapping_algo = options.pop('wrapping_algo', None)
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
+
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1071,7 +1099,7 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.PASS_PHRASE_TYPE,
wrapped_vault_data,
wrapped_session_key,
- algorithm_oid=DES_EDE3_CBC_OID,
+ algorithm_oid=algorithm_oid,
nonce_iv=nonce,
)
@@ -1098,6 +1126,13 @@ class vault_retrieve_internal(PKQuery):
'session_key',
doc=_('Session key wrapped with transport certificate'),
),
+ StrEnum(
+ 'wrapping_algo?',
+ doc=_('Key wrapping algorithm'),
+ values=VAULT_WRAPPING_SUPPORTED_ALGOS,
+ default=VAULT_WRAPPING_DEFAULT_ALGO,
+ autofill=True,
+ ),
)
has_output = output.standard_entry
@@ -1112,6 +1147,9 @@ class vault_retrieve_internal(PKQuery):
wrapped_session_key = options.pop('session_key')
+ wrapping_algo = options.pop('wrapping_algo', None)
+ algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
+
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
@@ -1132,6 +1170,9 @@ class vault_retrieve_internal(PKQuery):
key_info = response.key_infos[0]
+ # XXX hack
+ kra_client.keys.encrypt_alg_oid = algorithm_oid
+
# retrieve encrypted data from KRA
key = kra_client.keys.retrieve_key(
key_info.get_key_id(),
--
2.34.1