mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
bfead9ce66
Update the ipa-pki-retrieve-key client to issue a request that specifies that AES encryption should be used. If the server responds 404, fall back to a request *without* an algorithm parameter. This handles both of the possible 404 scenarios: a) It is an old server that does not support extra Custodia key parameters; b) The server supports extra parameters but the key does not exist, in which case the fallback request will also fail with 404. Fixes: https://pagure.io/freeipa/issue/8020 Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
82 lines
2.5 KiB
Python
82 lines
2.5 KiB
Python
#!/usr/bin/python3
|
|
|
|
from __future__ import print_function
|
|
|
|
import argparse
|
|
import os
|
|
|
|
from requests import HTTPError
|
|
|
|
from ipalib import constants
|
|
from ipalib.config import Env
|
|
from ipaplatform.paths import paths
|
|
from ipaserver.secrets.client import CustodiaClient
|
|
|
|
|
|
def main():
|
|
env = Env()
|
|
env._finalize()
|
|
|
|
parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
|
|
parser.add_argument("keyname", type=str)
|
|
parser.add_argument("servername", type=str)
|
|
|
|
args = parser.parse_args()
|
|
keyname = "ca_wrapped/{}".format(args.keyname)
|
|
|
|
service = constants.PKI_GSSAPI_SERVICE_NAME
|
|
client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
|
|
client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
|
|
|
|
for filename in [client_keyfile, client_keytab]:
|
|
if not os.access(filename, os.R_OK):
|
|
parser.error(
|
|
"File '{}' missing or not readable.\n".format(filename)
|
|
)
|
|
|
|
# pylint: disable=no-member
|
|
client = CustodiaClient(
|
|
client_service="{}@{}".format(service, env.host),
|
|
server=args.servername,
|
|
realm=env.realm,
|
|
ldap_uri="ldaps://" + env.host,
|
|
keyfile=client_keyfile,
|
|
keytab=client_keytab,
|
|
)
|
|
|
|
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
|
|
|
|
try:
|
|
# Initially request a key wrapped using AES128-CBC.
|
|
# This uses the recent ability to specify additional
|
|
# parameters to a Custodia resource.
|
|
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
|
|
resp = client.fetch_key(path, store=False)
|
|
except HTTPError as e:
|
|
if e.response.status_code == 404:
|
|
# The 404 indicates one of two conditions:
|
|
#
|
|
# a) The server is an older version that does not support
|
|
# extra Custodia parameters. We should retry without
|
|
# specifying an algorithm.
|
|
#
|
|
# b) The key does not exist. At this point we cannot
|
|
# distinguish (a) and (b) but if we retry without
|
|
# specifying an algorithm, the second attempt will
|
|
# also fail with status 404.
|
|
#
|
|
# So the correct way to handle both scenarios is to
|
|
# retry without the algorithm parameter.
|
|
#
|
|
resp = client.fetch_key(keyname, store=False)
|
|
else:
|
|
raise # something else went wrong; re-raise
|
|
|
|
# Print the response JSON to stdout; it is already in the format
|
|
# that Dogtag's ExternalProcessKeyRetriever expects
|
|
print(resp)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|