Encrypt httpd key stored on disk

This commit adds configuration for HTTPD to encrypt/decrypt its key which we currently store in clear on the disc. A password-reading script is added for mod_ssl. This script is extensible for the future use of directory server with the expectation that key encryption/decription will be handled similarly by its configuration. https://pagure.io/freeipa/issue/7421 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-02-26 10:15:05 +01:00
parent e7e06f6d78
commit 7cbd9bd429
9 changed files with 97 additions and 9 deletions
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -569,20 +569,26 @@ def write_certificate_list(certs, filename):
        raise errors.FileError(reason=str(e))


-def write_pem_private_key(priv_key, filename):
+def write_pem_private_key(priv_key, filename, passwd=None):
    """
    Write a private key to a file in PEM format. Will force 0x600 permissions
    on file.

    :param priv_key: cryptography ``PrivateKey`` object
+    :param passwd: ``bytes`` representing the password to store the
+                    private key with
    """
+    if passwd is not None:
+        enc_alg = serialization.BestAvailableEncryption(passwd)
+    else:
+        enc_alg = serialization.NoEncryption()
    try:
        with open(filename, 'wb') as fp:
            os.fchmod(fp.fileno(), 0o600)
            fp.write(priv_key.private_bytes(
                Encoding.PEM,
                PrivateFormat.TraditionalOpenSSL,
-                serialization.NoEncryption()))
+                encryption_algorithm=enc_alg))
    except (IOError, OSError) as e:
        raise errors.FileError(reason=str(e))