mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
fd7f4a7411
The Custodia key export handler is using the default's OpenSSL encryption scheme for PKCS#12. This represents an issue when performing a migration from CentOS Stream 8 (C8S) to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S replica talks to the Custodia server on C8S source server. The later creates an encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's default encryption scheme, which is no longer supported on C9S. This commit enforces a stronger encryption algorigthm by adding following arguments to the Custodia server handler: -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. Fixes: https://pagure.io/freeipa/issue/9101 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
122 lines
3.0 KiB
Python
122 lines
3.0 KiB
Python
#
|
|
# Copyright (C) 2019 IPA Project Contributors, see COPYING for license
|
|
#
|
|
"""Export / import PEM cert and key file as PKCS#12 data
|
|
"""
|
|
import base64
|
|
import json
|
|
import os
|
|
|
|
from ipaplatform.paths import paths
|
|
from ipapython import ipautil
|
|
from . import common
|
|
|
|
|
|
def export_key(args, tmpdir):
|
|
"""Export cert and private from PEM files as PKCS#12 file.
|
|
|
|
The PKCS#12 file is encrypted with a password.
|
|
"""
|
|
pk12file = os.path.join(tmpdir, 'export.p12')
|
|
|
|
password = ipautil.ipa_generate_password()
|
|
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
|
with open(pk12pwfile, 'w') as f:
|
|
f.write(password)
|
|
|
|
# OpenSSL does not support pkcs12 export of a cert without key
|
|
ipautil.run([
|
|
paths.OPENSSL, 'pkcs12', '-export',
|
|
'-in', args.certfile,
|
|
'-out', pk12file,
|
|
'-inkey', args.keyfile,
|
|
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
'-keypbe', 'AES-256-CBC',
|
|
'-certpbe', 'AES-256-CBC',
|
|
'-macalg', 'sha384',
|
|
])
|
|
|
|
with open(pk12file, 'rb') as f:
|
|
p12data = f.read()
|
|
|
|
data = {
|
|
'export password': password,
|
|
'pkcs12 data': p12data,
|
|
}
|
|
common.json_dump(data, args.exportfile)
|
|
|
|
|
|
def import_key(args, tmpdir):
|
|
"""Export key and certificate from a PKCS#12 file to key and cert files.
|
|
"""
|
|
data = json.load(args.importfile)
|
|
password = data['export password']
|
|
p12data = base64.b64decode(data['pkcs12 data'])
|
|
|
|
pk12pwfile = os.path.join(tmpdir, 'passwd')
|
|
with open(pk12pwfile, 'w') as f:
|
|
f.write(password)
|
|
|
|
pk12file = os.path.join(tmpdir, 'import.p12')
|
|
with open(pk12file, 'wb') as f:
|
|
f.write(p12data)
|
|
|
|
# get the certificate from the file
|
|
cmd = [
|
|
paths.OPENSSL, 'pkcs12',
|
|
'-in', pk12file,
|
|
'-clcerts', '-nokeys',
|
|
'-out', args.certfile,
|
|
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
]
|
|
ipautil.run(cmd, umask=0o027)
|
|
|
|
# get the private key from the file
|
|
cmd = [
|
|
paths.OPENSSL, 'pkcs12',
|
|
'-in', pk12file,
|
|
'-nocerts', '-nodes',
|
|
'-out', args.keyfile,
|
|
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
|
|
]
|
|
ipautil.run(cmd, umask=0o027)
|
|
|
|
|
|
def default_parser():
|
|
parser = common.mkparser(
|
|
description='ipa-custodia PEM file handler'
|
|
)
|
|
parser.add_argument(
|
|
'--certfile',
|
|
help='path to PEM encoded cert file',
|
|
required=True
|
|
)
|
|
parser.add_argument(
|
|
'keyfile',
|
|
help='path to PEM encoded key file',
|
|
required=True
|
|
)
|
|
return parser
|
|
|
|
|
|
def ra_agent_parser():
|
|
parser = common.mkparser(
|
|
description='ipa-custodia RA agent cert handler'
|
|
)
|
|
parser.set_defaults(
|
|
certfile=paths.RA_AGENT_PEM,
|
|
keyfile=paths.RA_AGENT_KEY
|
|
)
|
|
return parser
|
|
|
|
|
|
def main(parser=None):
|
|
if parser is None:
|
|
parser = default_parser()
|
|
|
|
common.main(parser, export_key, import_key)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|