From 8fbcc3353467026e181f24cd527fe4e30f63aab4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 24 Jul 2019 14:10:29 +1000 Subject: [PATCH] NSSWrappedCertDB: accept optional symmetric algorithm Add support for Custodia ca_wrapped clients to specify the desired symmetric encryption algorithm for exporting the wrapped signing key (this mechanism is used for LWCA key replication). If not specified, we must assume that the client has an older Dogtag version that can only import keys wrapped with DES-EDE3-CBC encryption. The selected algorithm gets passed to the 'nsswrappedcert' handler, which in turn passes it to the 'pki ca-authority-key-export' command (which is part of Dogtag). Client-side changes will occur in a subsequent commit. Part of: https://pagure.io/freeipa/issue/8020 Reviewed-By: Alexander Bokovoy --- ipaserver/secrets/handlers/nsswrappedcert.py | 12 +++++++++ ipaserver/secrets/store.py | 28 +++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/ipaserver/secrets/handlers/nsswrappedcert.py b/ipaserver/secrets/handlers/nsswrappedcert.py index 6b7b142f9..2714d0375 100644 --- a/ipaserver/secrets/handlers/nsswrappedcert.py +++ b/ipaserver/secrets/handlers/nsswrappedcert.py @@ -26,6 +26,7 @@ def export_key(args, tmpdir): 'ca-authority-key-export', '--wrap-nickname', args.wrap_nickname, '--target-nickname', args.nickname, + '--algorithm', args.algorithm, '-o', wrapped_key_file ]) @@ -95,6 +96,17 @@ def pki_tomcat_parser(): help='nick name of target key', required=True ) + + # Caller must specify a cipher. This gets passed on to + # the 'pki ca-authority-key-export' command (part of + # Dogtag) via its own --algorithm option. + parser.add_argument( + '--algorithm', + dest='algorithm', + help='OID of symmetric wrap algorithm', + required=True + ) + parser.set_defaults( nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR, nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT, diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py index 684828dd8..eba1b3b5f 100644 --- a/ipaserver/secrets/store.py +++ b/ipaserver/secrets/store.py @@ -86,9 +86,35 @@ class NSSWrappedCertDB(DBMAPCommandHandler): private key of the primary CA. """ dbtype = 'NSSDB' + supports_extra_args = True + + OID_DES_EDE3_CBC = '1.2.840.113549.3.7' + + def __init__(self, config, dbmap, nickname, *extra_args): + super().__init__(config, dbmap, nickname) + + # Extra args is either a single OID specifying desired wrap + # algorithm, or empty. If empty, we must assume that the + # client is an old version that only supports DES-EDE3-CBC. + # + # Using either the client's requested algorithm or the + # default of DES-EDE3-CBC, we pass it along to the handler + # via the --algorithm option. The handler, in turn, passes + # it along to the 'pki ca-authority-key-export' program + # (which is part of Dogtag). + # + if len(extra_args) > 1: + raise InvalidKeyArguments("Too many arguments") + if len(extra_args) == 1: + self.alg = extra_args[0] + else: + self.alg = self.OID_DES_EDE3_CBC def export_key(self): - return self.run_handler(['--nickname', self.nickname]) + return self.run_handler([ + '--nickname', self.nickname, + '--algorithm', self.alg, + ]) class NSSCertDB(DBMAPCommandHandler):