NSSWrappedCertDB: accept optional symmetric algorithm

Add support for Custodia ca_wrapped clients to specify the desired symmetric encryption algorithm for exporting the wrapped signing key (this mechanism is used for LWCA key replication). If not specified, we must assume that the client has an older Dogtag version that can only import keys wrapped with DES-EDE3-CBC encryption. The selected algorithm gets passed to the 'nsswrappedcert' handler, which in turn passes it to the 'pki ca-authority-key-export' command (which is part of Dogtag). Client-side changes will occur in a subsequent commit. Part of: https://pagure.io/freeipa/issue/8020 Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2024-12-23 07:33:27 -06:00 · 2019-07-24 14:10:29 +10:00 · 2019-07-24 14:10:29 +10:00 · 8fbcc33534
commit 8fbcc33534
parent 7e92e65190
2 changed files with 39 additions and 1 deletions
--- a/ipaserver/secrets/handlers/nsswrappedcert.py
+++ b/ipaserver/secrets/handlers/nsswrappedcert.py
@ -26,6 +26,7 @@ def export_key(args, tmpdir):
        'ca-authority-key-export',
        '--wrap-nickname', args.wrap_nickname,
        '--target-nickname', args.nickname,
+        '--algorithm', args.algorithm,
        '-o', wrapped_key_file
    ])

@ -95,6 +96,17 @@ def pki_tomcat_parser():
        help='nick name of target key',
        required=True
    )
+
+    # Caller must specify a cipher.  This gets passed on to
+    # the 'pki ca-authority-key-export' command (part of
+    # Dogtag) via its own --algorithm option.
+    parser.add_argument(
+        '--algorithm',
+        dest='algorithm',
+        help='OID of symmetric wrap algorithm',
+        required=True
+    )
+
    parser.set_defaults(
        nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR,
        nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@ -86,9 +86,35 @@ class NSSWrappedCertDB(DBMAPCommandHandler):
    private key of the primary CA.
    """
    dbtype = 'NSSDB'
+    supports_extra_args = True
+
+    OID_DES_EDE3_CBC = '1.2.840.113549.3.7'
+
+    def __init__(self, config, dbmap, nickname, *extra_args):
+        super().__init__(config, dbmap, nickname)
+
+        # Extra args is either a single OID specifying desired wrap
+        # algorithm, or empty.  If empty, we must assume that the
+        # client is an old version that only supports DES-EDE3-CBC.
+        #
+        # Using either the client's requested algorithm or the
+        # default of DES-EDE3-CBC, we pass it along to the handler
+        # via the --algorithm option.  The handler, in turn, passes
+        # it along to the 'pki ca-authority-key-export' program
+        # (which is part of Dogtag).
+        #
+        if len(extra_args) > 1:
+            raise InvalidKeyArguments("Too many arguments")
+        if len(extra_args) == 1:
+            self.alg = extra_args[0]
+        else:
+            self.alg = self.OID_DES_EDE3_CBC

    def export_key(self):
-        return self.run_handler(['--nickname', self.nickname])
+        return self.run_handler([
+            '--nickname', self.nickname,
+            '--algorithm', self.alg,
+        ])


 class NSSCertDB(DBMAPCommandHandler):