ipa/0029-vault-handle-pyca-InternalError-exception-for-PKCS-1.patch

From dad2f06ed6854abbd81b747c26de6c13dfea327b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 30 Oct 2024 10:48:50 +0200
Subject: [PATCH] vault: handle pyca InternalError exception for PKCS#1 v1.5
 padding

In FIPS mode one cannot use PKCS#1 v1.5 padding. OpenSSL did remove it
from the FIPS provider and will report an error that PyCA cannot
process, so it will raise its own InternalException.

Handle it the same way as ValueError.

Fixes: https://pagure.io/freeipa/issue/9689

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 ipaclient/plugins/vault.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 96edf09a2060e7b39e1e96c6fa65ae095ec18e73..75415c03a57242ae674636fa31a72db2fa56d6ea 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -37,6 +37,7 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.hazmat.primitives.padding import PKCS7
 from cryptography.hazmat.primitives.serialization import (
     load_pem_public_key, load_pem_private_key)
+from cryptography.exceptions import InternalError as CryptographyInternalError
 
 from ipaclient.frontend import MethodOverride
 from ipalib import x509
@@ -717,7 +718,7 @@ class ModVaultData(Local):
                     algo.key,
                     padding.PKCS1v15()
                 )
-            except ValueError:
+            except (ValueError, CryptographyInternalError):
                 wrapped_session_key = public_key.encrypt(
                     algo.key,
                     padding.OAEP(
-- 
2.47.0
ipa-4.12.2-7 - Resolves: RHEL-66599 vault-add fails in FIPS mode - Resolves: RHEL-66598 ipa-migrate should also migrate DNS forward zones - Resolves: RHEL-66597 ipa-migrate in stage mode fails with TypeError: 'NoneType' object is not iterable - Resolves: RHEL-66595 Sentences truncated in man pages - Resolves: RHEL-66592 IDP configuration in the IdM WebUI shows Organization is required - Resolves: RHEL-65650 ipa-server-install with setup-dns fails 'job for ipa.service failed because the control process exited with error code' Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-11-08 10:37:33 +00:00			`From dad2f06ed6854abbd81b747c26de6c13dfea327b Mon Sep 17 00:00:00 2001`
			`From: Alexander Bokovoy <abokovoy@redhat.com>`
			`Date: Wed, 30 Oct 2024 10:48:50 +0200`
			`Subject: [PATCH] vault: handle pyca InternalError exception for PKCS#1 v1.5`
			`padding`

			`In FIPS mode one cannot use PKCS#1 v1.5 padding. OpenSSL did remove it`
			`from the FIPS provider and will report an error that PyCA cannot`
			`process, so it will raise its own InternalException.`

			`Handle it the same way as ValueError.`

			`Fixes: https://pagure.io/freeipa/issue/9689`

			`Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>`
			`Reviewed-By: Francisco Trivino <ftrivino@redhat.com>`
			`---`
			`ipaclient/plugins/vault.py \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py`
			`index 96edf09a2060e7b39e1e96c6fa65ae095ec18e73..75415c03a57242ae674636fa31a72db2fa56d6ea 100644`
			`--- a/ipaclient/plugins/vault.py`
			`+++ b/ipaclient/plugins/vault.py`
			`@@ -37,6 +37,7 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes`
			`from cryptography.hazmat.primitives.padding import PKCS7`
			`from cryptography.hazmat.primitives.serialization import (`
			`load_pem_public_key, load_pem_private_key)`
			`+from cryptography.exceptions import InternalError as CryptographyInternalError`

			`from ipaclient.frontend import MethodOverride`
			`from ipalib import x509`
			`@@ -717,7 +718,7 @@ class ModVaultData(Local):`
			`algo.key,`
			`padding.PKCS1v15()`
			`)`
			`- except ValueError:`
			`+ except (ValueError, CryptographyInternalError):`
			`wrapped_session_key = public_key.encrypt(`
			`algo.key,`
			`padding.OAEP(`
			`--`
			`2.47.0`