NSSWrappedCertDB: accept optional symmetric algorithm
Add support for Custodia ca_wrapped clients to specify the desired symmetric encryption algorithm for exporting the wrapped signing key (this mechanism is used for LWCA key replication). If not specified, we must assume that the client has an older Dogtag version that can only import keys wrapped with DES-EDE3-CBC encryption. The selected algorithm gets passed to the 'nsswrappedcert' handler, which in turn passes it to the 'pki ca-authority-key-export' command (which is part of Dogtag). Client-side changes will occur in a subsequent commit. Part of: https://pagure.io/freeipa/issue/8020 Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This commit is contained in:
parent
7e92e65190
commit
8fbcc33534
@ -26,6 +26,7 @@ def export_key(args, tmpdir):
|
||||
'ca-authority-key-export',
|
||||
'--wrap-nickname', args.wrap_nickname,
|
||||
'--target-nickname', args.nickname,
|
||||
'--algorithm', args.algorithm,
|
||||
'-o', wrapped_key_file
|
||||
])
|
||||
|
||||
@ -95,6 +96,17 @@ def pki_tomcat_parser():
|
||||
help='nick name of target key',
|
||||
required=True
|
||||
)
|
||||
|
||||
# Caller must specify a cipher. This gets passed on to
|
||||
# the 'pki ca-authority-key-export' command (part of
|
||||
# Dogtag) via its own --algorithm option.
|
||||
parser.add_argument(
|
||||
'--algorithm',
|
||||
dest='algorithm',
|
||||
help='OID of symmetric wrap algorithm',
|
||||
required=True
|
||||
)
|
||||
|
||||
parser.set_defaults(
|
||||
nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
|
||||
|
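Review bot: `dest='algorithm'` on the new `--algorithm` option is redundant, since argparse derives that destination from the long option name, and the call can be reduced to `parser.add_argument('--algorithm', help='OID of symmetric wrap algorithm', required=True)`. The preceding comment says the caller "must specify a cipher" while the help text speaks of a wrap algorithm OID; using the same term in both, e.g. `# Caller must specify the wrap algorithm OID. ...`, keeps the two consistent. pki_tomcat_parser begins before this hunk and the set_defaults call continues after it.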
@ -86,9 +86,35 @@ class NSSWrappedCertDB(DBMAPCommandHandler):
|
||||
private key of the primary CA.
|
||||
"""
|
||||
dbtype = 'NSSDB'
|
||||
supports_extra_args = True
|
||||
|
||||
OID_DES_EDE3_CBC = '1.2.840.113549.3.7'
|
||||
|
||||
def __init__(self, config, dbmap, nickname, *extra_args):
|
||||
super().__init__(config, dbmap, nickname)
|
||||
|
||||
# Extra args is either a single OID specifying desired wrap
|
||||
# algorithm, or empty. If empty, we must assume that the
|
||||
# client is an old version that only supports DES-EDE3-CBC.
|
||||
#
|
||||
# Using either the client's requested algorithm or the
|
||||
# default of DES-EDE3-CBC, we pass it along to the handler
|
||||
# via the --algorithm option. The handler, in turn, passes
|
||||
# it along to the 'pki ca-authority-key-export' program
|
||||
# (which is part of Dogtag).
|
||||
#
|
||||
if len(extra_args) > 1:
|
||||
raise InvalidKeyArguments("Too many arguments")
|
||||
if len(extra_args) == 1:
|
||||
self.alg = extra_args[0]
|
||||
else:
|
||||
self.alg = self.OID_DES_EDE3_CBC
|
||||
|
||||
def export_key(self):
|
||||
return self.run_handler(['--nickname', self.nickname])
|
||||
return self.run_handler([
|
||||
'--nickname', self.nickname,
|
||||
'--algorithm', self.alg,
|
||||
])
|
||||
|
||||
|
||||
class NSSCertDB(DBMAPCommandHandler):
|
||||
|