ipalib/constants.py: factor out TripleDES use

Cryptography 43 started to warn that in version 48 it will remove
TripleDES support. Change the code to detect a missing TripleDES algorithm
and not fail.

Related: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Alexander Bokovoy 2024-07-31 11:44:57 +03:00 committed by Rob Crittenden
parent 7f9c890c04
commit fc02904340
2 changed files with 15 additions and 7 deletions


@ -381,6 +381,7 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
# Add 3DES for backwards compatibility if supported # Add 3DES for backwards compatibility if supported
if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8), if getattr(algorithms, 'TripleDES', None):
modes.CBC(b"\x00" * 8)): if backend.cipher_supported(algorithms.TripleDES(
b"\x00" * 8), modes.CBC(b"\x00" * 8)):
VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,) VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
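Review bot: The `getattr(algorithms, 'TripleDES', None)` guard only tells the reader that the attribute may be absent, not why, so the intent is lost on the next maintainer; a comment such as `# cryptography 43 deprecated algorithms.TripleDES (removal planned for 48); guard the attribute so import keeps working` on the line above the `if` would carry it. Note that on cryptography 43 through 47 the attribute is still present as a deprecated alias, so this branch keeps 3DES enabled there and, as far as I can tell, the attribute lookup itself still raises the deprecation warning the commit message mentions; if the warning is to go away, the algorithm would have to be imported from its new decrepit location when that import succeeds. Worth confirming that callers expecting `VAULT_WRAPPING_3DES` in `VAULT_WRAPPING_SUPPORTED_ALGOS` have a sensible failure path once it is missing, since this is the first release where that can happen.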


@ -42,6 +42,7 @@ from cryptography.hazmat.backends import default_backend
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import admintool from ipapython import admintool
from ipalib import api, errors from ipalib import api, errors
from ipalib.constants import VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_3DES
from ipaserver.plugins.ldap2 import AUTOBIND_DISABLED from ipaserver.plugins.ldap2 import AUTOBIND_DISABLED
if six.PY3: if six.PY3:
@ -144,15 +145,13 @@ def convertHMACType(value):
def convertAlgorithm(value): def convertAlgorithm(value):
"Converts encryption URI to (mech, ivlen)." "Converts encryption URI to (mech, ivlen)."
return { supported_algs = {
"http://www.w3.org/2001/04/xmlenc#aes128-cbc": ( "http://www.w3.org/2001/04/xmlenc#aes128-cbc": (
algorithms.AES, modes.CBC, 128), algorithms.AES, modes.CBC, 128),
"http://www.w3.org/2001/04/xmlenc#aes192-cbc": ( "http://www.w3.org/2001/04/xmlenc#aes192-cbc": (
algorithms.AES, modes.CBC, 192), algorithms.AES, modes.CBC, 192),
"http://www.w3.org/2001/04/xmlenc#aes256-cbc": ( "http://www.w3.org/2001/04/xmlenc#aes256-cbc": (
algorithms.AES, modes.CBC, 256), algorithms.AES, modes.CBC, 256),
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (
algorithms.TripleDES, modes.CBC, 64),
"http://www.w3.org/2001/04/xmldsig-more#camellia128": ( "http://www.w3.org/2001/04/xmldsig-more#camellia128": (
algorithms.Camellia, modes.CBC, 128), algorithms.Camellia, modes.CBC, 128),
"http://www.w3.org/2001/04/xmldsig-more#camellia192": ( "http://www.w3.org/2001/04/xmldsig-more#camellia192": (
@ -168,7 +167,15 @@ def convertAlgorithm(value):
# "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128": "kw-camellia128", # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128": "kw-camellia128",
# "http://www.w3.org/2001/04/xmldsig-more#kw-camellia192": "kw-camellia192", # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia192": "kw-camellia192",
# "http://www.w3.org/2001/04/xmldsig-more#kw-camellia256": "kw-camellia256", # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia256": "kw-camellia256",
}.get(value.lower(), (None, None, None)) }
# We don't deal with VAULT here but if VAULT_WRAPPING_3DES is not present
# in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
algorithms.TripleDES, modes.CBC, 64)
return supported_algs.get(value.lower(), (None, None, None))
def convertEncrypted(value, decryptor=None, pconv=base64.b64decode, econv=lambda x: x): def convertEncrypted(value, decryptor=None, pconv=base64.b64decode, econv=lambda x: x):
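Review bot: In `convertAlgorithm` an input naming `tripledes-cbc` on a build without 3DES now falls through to `(None, None, None)`, the same result as an unknown URI, so the user sees whatever generic error the caller produces for an unrecognised algorithm rather than being told that 3DES is no longer supported; the caller is outside this hunk, so whether it distinguishes the two cannot be checked here, but an explicit check such as `if value.lower() == "http://www.w3.org/2001/04/xmlenc#tripledes-cbc": raise ValueError("TripleDES is not supported by this cryptography build")` in the unsupported branch would make the failure actionable. As a matter of style, the mapping and the `VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS` membership test are rebuilt on every call even though neither depends on `value`; hoisting the table to module level (built once, with the 3DES entry added conditionally) would keep the function a plain lookup. The new import line `from ipalib.constants import VAULT_WRAPPING_SUPPORTED_ALGOS, VAULT_WRAPPING_3DES` exceeds the line length the surrounding imports keep to and could be wrapped in parentheses.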