freeipa/ipaserver/secrets/handlers
Francisco Trivino fd7f4a7411 Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12.

This represents an issue when performing a migration from CentOS Stream 8 (C8S)
to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
replica talks to the Custodia server on C8S source server. The later creates an
encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
default encryption scheme, which is no longer supported on C9S.

This commit enforces a stronger encryption algorigthm by adding following
arguments to the Custodia server handler:

-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384

The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.

Fixes: https://pagure.io/freeipa/issue/9101

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-01-31 10:08:43 +01:00
..
__init__.py Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
common.py Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
dmldap.py Don't create log files from help scripts 2019-09-24 15:23:30 +02:00
nsscert.py Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
nsswrappedcert.py NSSWrappedCertDB: accept optional symmetric algorithm 2019-09-25 12:42:06 +10:00
pemfile.py Custodia: use a stronger encryption algo when exporting keys 2022-01-31 10:08:43 +01:00