ipa-pki-retrieve-key: request AES encryption (with fallback)

Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used.  If the server
responds 404, fall back to a request *without* an algorithm
parameter.  This handles both of the possible 404 scenarios:

a) It is an old server that does not support extra Custodia key
   parameters;

b) The server supports extra parameters but the key does not exist,
   in which case the fallback request will also fail with 404.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
This commit is contained in:
Fraser Tweedale 2019-07-31 17:59:33 +10:00
parent 8fbcc33534
commit bfead9ce66


@ -5,6 +5,8 @@ from __future__ import print_function
import argparse import argparse
import os import os
from requests import HTTPError
from ipalib import constants from ipalib import constants
from ipalib.config import Env from ipalib.config import Env
from ipaplatform.paths import paths from ipaplatform.paths import paths
@ -42,9 +44,37 @@ def main():
keytab=client_keytab, keytab=client_keytab,
) )
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
try:
# Initially request a key wrapped using AES128-CBC.
# This uses the recent ability to specify additional
# parameters to a Custodia resource.
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
resp = client.fetch_key(path, store=False)
except HTTPError as e:
if e.response.status_code == 404:
# The 404 indicates one of two conditions:
#
# a) The server is an older version that does not support
# extra Custodia parameters. We should retry without
# specifying an algorithm.
#
# b) The key does not exist. At this point we cannot
# distinguish (a) and (b) but if we retry without
# specifying an algorithm, the second attempt will
# also fail with status 404.
#
# So the correct way to handle both scenarios is to
# retry without the algorithm parameter.
#
resp = client.fetch_key(keyname, store=False)
else:
raise # something else went wrong; re-raise
# Print the response JSON to stdout; it is already in the format # Print the response JSON to stdout; it is already in the format
# that Dogtag's ExternalProcessKeyRetriever expects # that Dogtag's ExternalProcessKeyRetriever expects
print(client.fetch_key(keyname, store=False)) print(resp)
if __name__ == '__main__': if __name__ == '__main__':
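Review bot: The fallback on 404 silently downgrades from the requested AES128-CBC wrapping to whatever algorithm the server applies by default, and the handler dereferences `e.response.status_code` without checking that `e.response` is set, so an HTTPError carrying no response object would surface as an AttributeError that masks the original failure. Since stdout is the JSON that Dogtag's ExternalProcessKeyRetriever consumes (per the comment just above the print), a diagnostic about the fallback has to go to stderr; I would change the branch to `if e.response is not None and e.response.status_code == 404:` followed by `print("AES128-CBC wrapping unavailable (404); retrying without an algorithm parameter", file=sys.stderr)` before `resp = client.fetch_key(keyname, store=False)` (this needs `import sys` in the import block touched by the first hunk). That gives operators a way to detect that the weaker, non-AES request path was taken while leaving the retrieved key output unchanged. The trailing `# aes128-cbc` on the `path = f'...'` line repeats what the constant name and the block comment already say and can be dropped. main() starts and ends outside this hunk.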