From 2042b5a0d2236d27ce36a139b4e9e89a055f28b5 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 13 May 2019 16:30:42 +0200
Subject: [PATCH] Use PKCS#8 instead of traditional privkey format
The modern PKCS#8 private key format supports better encryption standard and is preferable over traditional, weak PKCS#1 key format.
Fixes: https://pagure.io/freeipa/issue/7943
Signed-off-by: Christian Heimes
Reviewed-By: Oleg Kozlov
---
 ipalib/x509.py | 2 +-
 ipatests/pytest_ipa/integration/tasks.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index f20a2457e..ab3c5f553 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -596,7 +596,7 @@ def write_pem_private_key(priv_key, filename, passwd=None):
 os.fchmod(fp.fileno(), 0o600)
 fp.write(priv_key.private_bytes(
 Encoding.PEM,
- PrivateFormat.TraditionalOpenSSL,
+ PrivateFormat.PKCS8,
 encryption_algorithm=enc_alg))
 except (IOError, OSError) as e:
 raise errors.FileError(reason=str(e))
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index ff2462769..c94be86cd 100644
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1718,6 +1718,7 @@ def generate_ssh_keypair():
 pem = key.private_bytes(
 encoding=serialization.Encoding.PEM,
+ # paramiko does not support PKCS#8 format, yet.
 format=serialization.PrivateFormat.TraditionalOpenSSL,
 encryption_algorithm=serialization.NoEncryption()
 )
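Review bot: In `write_pem_private_key` (ipalib/x509.py) the stronger encryption that motivates PKCS#8 only applies when a password is supplied; `enc_alg` is chosen outside this hunk, and with the default `passwd=None` it is presumably `NoEncryption()`, which would leave the key in cleartext behind the `0o600` mode alone. I would state that on the function, e.g. `# PKCS#8 output; encrypted only when passwd is given, otherwise protected by file mode 0600 alone`. The switch also changes the on-disk format for every caller of this helper, and the tasks.py hunk shows at least one consumer (paramiko) that cannot read PKCS#8, so the readers of files written here are worth checking, ideally with a round-trip test that loads both an encrypted and an unencrypted key written by this function. The function body starts and ends outside the hunk.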