653a7fe Custodia: use a stronger encryption algo when exporting keys

1 file. Authored by ftrivino 2 years ago, committed by frenaud 2 years ago.
    Custodia: use a stronger encryption algo when exporting keys
    
    The Custodia key export handler is using OpenSSL's default encryption
    scheme for PKCS#12.
    
    This represents an issue when performing a migration from CentOS Stream 8 (C8S)
    to CentOS Stream 9 (C9S) where the Custodia client running in the new C9S
    replica talks to the Custodia server on the C8S source server. The latter creates an
    encrypted PKCS#12 file that contains the cert and the key using OpenSSL's
    default encryption scheme, which is no longer supported on C9S.
    
    This commit enforces a stronger encryption algorithm by adding the following
    arguments to the Custodia server handler:
    
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
    
    The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
    
    Fixes: https://pagure.io/freeipa/issue/9101
    
    Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
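
The export arguments named in the commit message, exercised against a throwaway key and certificate and then checked with `openssl pkcs12 -info`. This is an added example, not code from the commit or from FreeIPA; the function names, subject, password and file paths are constructed, and the `-info` line format is assumed to be that of OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: export a PKCS#12 file with the arguments from the commit
# message and report which encryption schemes the file actually uses.
P12_PASS=constructed-demo-password   # constructed value, demo only

# make_p12 OUT [extra "openssl pkcs12 -export" arguments...]
make_p12() (
    out=$1; shift
    dir=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=custodia-demo.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name demo -passout "pass:$P12_PASS" "$@" -out "$out"
    rc=$?
    rm -rf "$dir"
    exit "$rc"
)

# p12_schemes FILE: print the MAC line and the scheme line of each encrypted
# bag. OpenSSL writes the -info report to stderr, hence 2>&1.
p12_schemes() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$P12_PASS" 2>&1 |
        grep -E '^(MAC|PKCS7 Encrypted data|Shrouded Keybag)'
}

# classify_schemes: read p12_schemes output on stdin; print "pbes2" only when
# at least one encrypted bag is present and every one reports PBES2.
classify_schemes() {
    awk -F': ' '/^(PKCS7 Encrypted data|Shrouded Keybag)/ {
            n++; if ($2 !~ /^PBES2,/) bad++ }
        END { if (n > 0 && bad == 0) print "pbes2"; else print "not-pbes2" }'
}

# Demo run: export with the commit's arguments, show the schemes, classify.
p12=$(mktemp) &&
make_p12 "$p12" -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 &&
schemes=$(p12_schemes "$p12") && printf '%s\n' "$schemes" &&
printf '%s\n' "$schemes" | classify_schemes
rm -f "$p12"
```

Running `p12_schemes` and `classify_schemes` against a file produced by an existing server shows whether that server still emits a PBEv1 scheme.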