Set AES as default for KRA archival wrapping

This commit sets AES-128-CBC as default wrapping algorithm as TripleDES (des-ede3-cbc) is not supported anymore in C9S. Fixes: https://pagure.io/freeipa/issue/6524 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-03-11 17:47:38 +01:00
parent 40c362e1ee
commit b8f45fc689
2 changed files with 12 additions and 8 deletions
--- a/API.txt
+++ b/API.txt
@@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False)
 option: Str('username?', cli_name='user')
 option: Bytes('vault_data')
 option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
@@ -6659,7 +6659,7 @@ option: Bytes('session_key')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('username?', cli_name='user')
 option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
@@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1
 default: vaultcontainer_remove_owner/1
 default: vaultcontainer_show/1
 default: whoami/1
 capability: vault_aes_keywrap 2.246
 capability: messages 2.52
 capability: optional_uid_params 2.54
 capability: permissions2 2.69
 capability: primary_key_types 2.83
 capability: datetime_values 2.84
 capability: dns_name_values 2.88
 capability: vault_aes_keywrap 2.246
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants
 from ipapython.dn import DN
 from ipapython.fqdn import gethostfqdn
 from ipapython.version import VERSION, API_VERSION
 from cryptography.hazmat.primitives.ciphers import algorithms, modes
 from cryptography.hazmat.backends.openssl.backend import backend
 FQDN = gethostfqdn()
@@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
 VAULT_WRAPPING_3DES = 'des-ede3-cbc'
 VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc'
 VAULT_WRAPPING_SUPPORTED_ALGOS = (
-    # old default was 3DES
+    # new default and supported since pki-kra >= 10.4
    VAULT_WRAPPING_3DES,
    # supported since pki-kra >= 10.4
    VAULT_WRAPPING_AES128_CBC,
 )
-# 3DES for backwards compatibility
+VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
-VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES
+
 # Add 3DES for backwards compatibility if supported
 if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8),
                            modes.CBC(b"\x00" * 8)):
    VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)