From 979f25c58c7f29f8010a20ff8e499bb75365ba43 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Sep 26 2019 02:47:54 +0000
Subject: NSSWrappedCertDB: accept optional symmetric algorithm


Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication).  If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.

The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).

Client-side changes will occur in a subsequent commit.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/ipaserver/secrets/handlers/nsswrappedcert.py b/ipaserver/secrets/handlers/nsswrappedcert.py
index 6b7b142..2714d03 100644
--- a/ipaserver/secrets/handlers/nsswrappedcert.py
+++ b/ipaserver/secrets/handlers/nsswrappedcert.py
@@ -26,6 +26,7 @@ def export_key(args, tmpdir):
         'ca-authority-key-export',
         '--wrap-nickname', args.wrap_nickname,
         '--target-nickname', args.nickname,
+        '--algorithm', args.algorithm,
         '-o', wrapped_key_file
     ])
 
@@ -95,6 +96,17 @@ def pki_tomcat_parser():
         help='nick name of target key',
         required=True
     )
+
+    # Caller must specify a cipher.  This gets passed on to
+    # the 'pki ca-authority-key-export' command (part of
+    # Dogtag) via its own --algorithm option.
+    parser.add_argument(
+        '--algorithm',
+        dest='algorithm',
+        help='OID of symmetric wrap algorithm',
+        required=True
+    )
+
     parser.set_defaults(
         nssdb_path=paths.PKI_TOMCAT_ALIAS_DIR,
         nssdb_pwdfile=paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
diff --git a/ipaserver/secrets/store.py b/ipaserver/secrets/store.py
index 684828d..eba1b3b 100644
--- a/ipaserver/secrets/store.py
+++ b/ipaserver/secrets/store.py
@@ -86,9 +86,35 @@ class NSSWrappedCertDB(DBMAPCommandHandler):
     private key of the primary CA.
     """
     dbtype = 'NSSDB'
+    supports_extra_args = True
+
+    OID_DES_EDE3_CBC = '1.2.840.113549.3.7'
+
+    def __init__(self, config, dbmap, nickname, *extra_args):
+        super().__init__(config, dbmap, nickname)
+
+        # Extra args is either a single OID specifying desired wrap
+        # algorithm, or empty.  If empty, we must assume that the
+        # client is an old version that only supports DES-EDE3-CBC.
+        #
+        # Using either the client's requested algorithm or the
+        # default of DES-EDE3-CBC, we pass it along to the handler
+        # via the --algorithm option.  The handler, in turn, passes
+        # it along to the 'pki ca-authority-key-export' program
+        # (which is part of Dogtag).
+        #
+        if len(extra_args) > 1:
+            raise InvalidKeyArguments("Too many arguments")
+        if len(extra_args) == 1:
+            self.alg = extra_args[0]
+        else:
+            self.alg = self.OID_DES_EDE3_CBC
 
     def export_key(self):
-        return self.run_handler(['--nickname', self.nickname])
+        return self.run_handler([
+            '--nickname', self.nickname,
+            '--algorithm', self.alg,
+        ])
 
 
 class NSSCertDB(DBMAPCommandHandler):