mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
fd7f4a7411
The Custodia key export handler is using the default's OpenSSL encryption scheme for PKCS#12. This represents an issue when performing a migration from CentOS Stream 8 (C8S) to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S replica talks to the Custodia server on C8S source server. The later creates an encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's default encryption scheme, which is no longer supported on C9S. This commit enforces a stronger encryption algorigthm by adding following arguments to the Custodia server handler: -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. Fixes: https://pagure.io/freeipa/issue/9101 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> |
||
|---|---|---|
| .. | ||
| handlers | ||
| __init__.py | ||
| client.py | ||
| common.py | ||
| kem.py | ||
| service.py | ||
| store.py | ||