IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Vault: Explicitly default to 3DES CBC

Browse Source 
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
Christian Heimes 2017-04-26 18:15:40 +02:00 committed by Martin Basti
parent 50f6883662
commit 5197422ef6
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ipaserver/plugins/vault.py
View File

@ -38,6 +38,14 @@ from ipapython.dn import DN
if api.env.in_server: if api.env.in_server:
import pki.account import pki.account
import pki.key import pki.key
# pylint: disable=no-member
try:
# pki >= 10.4.0
from pki.crypto import DES_EDE3_CBC_OID
except ImportError:
DES_EDE3_CBC_OID = pki.key.KeyClient.DES_EDE3_CBC_OID
# pylint: enable=no-member
if six.PY3: if six.PY3:
unicode = str unicode = str
@ -1059,8 +1067,8 @@ class vault_archive_internal(PKQuery):
pki.key.KeyClient.PASS_PHRASE_TYPE, pki.key.KeyClient.PASS_PHRASE_TYPE,
wrapped_vault_data, wrapped_vault_data,
wrapped_session_key, wrapped_session_key,
None, algorithm_oid=DES_EDE3_CBC_OID,
nonce, nonce_iv=nonce,
) )
kra_account.logout() kra_account.logout()