The vault plugin uses NSS for key wrapping and encryption / decryption. Since we are moving away from NSS, the function should be replaced with cryptography-based crypto.
- symmetric data wrapping: `nss.create_context_by_sym_key` with `CKM_DES3_CBC_PAD` is TripleDES in CBC mode with keysize (192 bits, max keysize for 3DES), 64 bit nonce (3DES block size) and PKCS#7 padding.
- asymmetric key wrapping: `nss.pub_wrap_sym_key` is PKCS#11 `C_WrapKey` with mechanism `CKM_RSA_PKCS` internally. It uses RSA with RSAES-PKCS1-v1_5 padding.
```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend


def pyca_decrypt(encrypted_data, nonce, session_key):
    # CKM_DES3_CBC_PAD equivalent: 3DES-CBC (192-bit key, 8-byte IV) with PKCS#7 padding
    algo = algorithms.TripleDES(session_key)
    cipher = Cipher(algo, modes.CBC(nonce), backend=default_backend())
    decryptor = cipher.decryptor()
    # PKCS7() takes the block size in bits; algo.block_size is 64 for 3DES
    unpadder = padding.PKCS7(algo.block_size).unpadder()
    result = unpadder.update(decryptor.update(encrypted_data))
    result += unpadder.update(decryptor.finalize())
    result += unpadder.finalize()
    return result
```
In the next step we should move away from 3DES to AES and also include a MAC. The vault payload is not secured against malicious modifications. At the moment only the HTTPS transport layer protects the payload.
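As an added example (not code from the ticket or from FreeIPA), the following reproduces both NSS mechanisms named above with pyca/cryptography and shows why the last paragraph matters: the encrypt side of the 3DES-CBC-PKCS#7 payload, RSAES-PKCS1-v1_5 wrapping and unwrapping of the session key, a full round trip, and a comparison of what happens when the payload is modified in transit under 3DES-CBC (accepted silently) versus AES-GCM (rejected by the tag check). Function names, the sample keys and the sample plaintext are assumptions made for the example; the `decrepit` import fallback covers cryptography releases that moved TripleDES out of `algorithms`.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# cryptography >= 43 moved TripleDES into the "decrepit" namespace; fall back
# to the old location on older releases so the example runs on both.
try:
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # cryptography < 43
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

DES3_KEY_SIZE = 24   # 192-bit 3DES key (three independent DES keys)
DES3_BLOCK_SIZE = 8  # 64-bit block, so the CBC IV (the "nonce" above) is 8 bytes

# Constructed sample keys for the demonstration, not real vault material.
SAMPLE_DES3_KEY = bytes(range(1, DES3_KEY_SIZE + 1))
SAMPLE_AES_KEY = bytes(range(32))


def des3_cbc_encrypt(plaintext, iv, session_key):
    """CKM_DES3_CBC_PAD equivalent: 3DES-CBC with PKCS#7 padding."""
    algo = TripleDES(session_key)
    padder = sym_padding.PKCS7(algo.block_size).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algo, modes.CBC(iv)).encryptor()
    return encryptor.update(padded) + encryptor.finalize()


def des3_cbc_decrypt(ciphertext, iv, session_key):
    """Inverse of des3_cbc_encrypt (same shape as pyca_decrypt above)."""
    algo = TripleDES(session_key)
    decryptor = Cipher(algo, modes.CBC(iv)).decryptor()
    unpadder = sym_padding.PKCS7(algo.block_size).unpadder()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    return unpadder.update(padded) + unpadder.finalize()


def rsa_pkcs_wrap(public_key, session_key):
    """CKM_RSA_PKCS C_WrapKey equivalent: RSAES-PKCS1-v1_5 over the raw key bytes."""
    return public_key.encrypt(session_key, asym_padding.PKCS1v15())


def rsa_pkcs_unwrap(private_key, wrapped_key):
    """Inverse of rsa_pkcs_wrap; returns the raw session key bytes."""
    return private_key.decrypt(wrapped_key, asym_padding.PKCS1v15())


def generate_vault_key():
    """Assumed stand-in for the vault's RSA key pair (2048 bits for the example)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def legacy_roundtrip(plaintext, private_key):
    """Sender wraps a fresh 3DES session key and encrypts the payload;
    receiver unwraps the key and decrypts. Returns the recovered plaintext."""
    session_key = os.urandom(DES3_KEY_SIZE)
    iv = os.urandom(DES3_BLOCK_SIZE)
    wrapped = rsa_pkcs_wrap(private_key.public_key(), session_key)
    ciphertext = des3_cbc_encrypt(plaintext, iv, session_key)
    # receiver side
    recovered_key = rsa_pkcs_unwrap(private_key, wrapped)
    return des3_cbc_decrypt(ciphertext, iv, recovered_key)


def tamper_unauthenticated(plaintext, session_key):
    """3DES-CBC without a MAC: flipping one bit of the IV flips the same bit in
    the first plaintext block, padding stays valid, and decryption succeeds.
    Returns the (silently modified) plaintext the receiver would accept."""
    iv = os.urandom(DES3_BLOCK_SIZE)
    ciphertext = des3_cbc_encrypt(plaintext, iv, session_key)
    bad_iv = bytes([iv[0] ^ 0x01]) + iv[1:]
    return des3_cbc_decrypt(ciphertext, bad_iv, session_key)


def tamper_aead(plaintext, key):
    """Same single-bit modification against AES-GCM: the authentication tag no
    longer verifies and decrypt() raises InvalidTag. Returns True if detected."""
    nonce = os.urandom(12)  # 96-bit nonce, must never repeat under one key
    aesgcm = AESGCM(key)
    ciphertext = aesgcm.encrypt(nonce, plaintext, None)
    bad = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    try:
        aesgcm.decrypt(nonce, bad, None)
    except InvalidTag:
        return True
    return False
```

`tamper_unauthenticated` returns a plaintext with its first byte changed and no error, which is the property the paragraph above describes: without a MAC nothing below the TLS layer notices a modified vault payload. `tamper_aead` shows the AEAD replacement refusing the same modification, so the move to AES can bring the integrity check along for free instead of bolting a separate MAC onto CBC.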
Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

Metadata Update from @cheimes:
- Custom field affects_doc reset
- Custom field component reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
- Issue tagged with: integration
I flagged this ticket with integration because I got requests to reduce and trim the dependency tree for client packages.
Metadata Update from @cheimes:
- Custom field affects_doc reset
master:
Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue set to the milestone: FreeIPA 4.5

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)