DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.

https://fedorahosted.org/freeipa/ticket/5273 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-09-01 18:16:06 +02:00
parent e840061176
commit ecf796e9c0
1 changed files with 3 additions and 3 deletions
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -54,8 +54,7 @@ KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB
 ODS_SE_MAXLINE = 1024  # from ODS common/config.h
 ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock')

-# TODO: MECH_RSA_OAEP
-SECRETKEY_WRAPPING_MECH = 'rsaPkcs'
+SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
 PRIVKEY_WRAPPING_MECH = 'aesKeyWrapPad'

 # DNSKEY flag constants
@@ -295,7 +294,8 @@ def master2ldap_master_keys_sync(log, ldapkeydb, localhsm):
                hexlify(mkey_id), hexlify(replica_key_id)))
            replica_key = localhsm.replica_pubkeys_wrap[replica_key_id]
            keydata = localhsm.p11.export_wrapped_key(mkey_local.handle,
-                    replica_key.handle, _ipap11helper.MECH_RSA_PKCS)
+                    replica_key.handle,
+                    wrappingmech_name2id[SECRETKEY_WRAPPING_MECH])
            mkey_ldap.add_wrapped_data(keydata, SECRETKEY_WRAPPING_MECH,
                    replica_key_id)