Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS)

A PKCS#12 file is generated from a set of input files in various formats. This file is then used to provide the public and private keys and certificate chain fro importing into an NSS database. In order to work in FIPS mode stronger encryption is required. The default OpenSSL certificate algo is 40-bit RC2 which is not allowed in FIPS mode. The default private key algo is 3DES. Use AES-128 instead for both. Fixes: https://pagure.io/freeipa/issue/7948 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-05-14 10:53:49 -04:00 · 2019-05-14 10:53:49 -04:00 · ecc08e3983
commit ecc08e3983
parent 2042b5a0d2
1 changed files with 2 additions and 0 deletions
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@ -802,6 +802,8 @@ class NSSDatabase:
                    '-out', out_file.name,
                    '-passin', 'file:' + self.pwd_file,
                    '-passout', 'file:' + out_pwdfile.name,
+                    '-certpbe', 'aes-128-cbc',
+                    '-keypbe', 'aes-128-cbc',
                ]
                try:
                    ipautil.run(args)