Use PKCS#8 instead of traditional privkey format

The modern PKCS#8 private key format supports better encryption standard and is preferable over traditional, weak PKCS#1 key format. Fixes: https://pagure.io/freeipa/issue/7943 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2024-12-23 07:33:27 -06:00 · 2019-05-13 16:30:42 +02:00 · 2019-05-13 16:30:42 +02:00 · 2042b5a0d2
commit 2042b5a0d2
parent 7b8a2af219
2 changed files with 2 additions and 1 deletions
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@ -596,7 +596,7 @@ def write_pem_private_key(priv_key, filename, passwd=None):
            os.fchmod(fp.fileno(), 0o600)
            fp.write(priv_key.private_bytes(
                Encoding.PEM,
-                PrivateFormat.TraditionalOpenSSL,
+                PrivateFormat.PKCS8,
                encryption_algorithm=enc_alg))
    except (IOError, OSError) as e:
        raise errors.FileError(reason=str(e))
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@ -1718,6 +1718,7 @@ def generate_ssh_keypair():

    pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
+        # paramiko does not support PKCS#8 format, yet.
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    )