From 984190eea01ac42cd1f97567a67dd9446e5b0bf9 Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Fri, 11 Mar 2022 17:47:38 +0100 Subject: [PATCH] Set AES as default for KRA archival wrapping This commit sets AES-128-CBC as default wrapping algorithm as TripleDES (des-ede3-cbc) is not supported anymore in C9S. Fixes: https://pagure.io/freeipa/issue/6524 Signed-off-by: Francisco Trivino Reviewed-By: Christian Heimes Reviewed-By: Alexander Bokovoy --- API.txt | 6 +++--- ipalib/constants.py | 14 +++++++++----- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/API.txt b/API.txt index f95f2c8457e39f2268386a8a2336952d3285e008..1f27dcc616a6395c56ef91f3453e7620625c7645 100644 --- a/API.txt +++ b/API.txt @@ -6559,7 +6559,7 @@ option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Bytes('vault_data') option: Str('version?') -option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc']) +option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc']) output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') @@ -6659,7 +6659,7 @@ option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) option: Str('username?', cli_name='user') option: Str('version?') -option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'des-ede3-cbc', u'aes-128-cbc']) +option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc']) output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') @@ -7329,10 +7329,10 @@ default: vaultcontainer_del/1 default: vaultcontainer_remove_owner/1 default: vaultcontainer_show/1 default: whoami/1 -capability: vault_aes_keywrap 2.246 capability: messages 2.52 capability: optional_uid_params 2.54 capability: permissions2 2.69 capability: primary_key_types 2.83 capability: datetime_values 2.84 capability: dns_name_values 2.88 +capability: vault_aes_keywrap 2.246 diff --git a/ipalib/constants.py b/ipalib/constants.py index 11171b2e8aeb6f7306299b2bd7db3a3f39d29d4a..68178004181bebcc8c093dac55e18d5afe0251e5 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -29,6 +29,8 @@ from ipaplatform.constants import constants as _constants from ipapython.dn import DN from ipapython.fqdn import gethostfqdn from ipapython.version import VERSION, API_VERSION +from cryptography.hazmat.primitives.ciphers import algorithms, modes +from cryptography.hazmat.backends.openssl.backend import backend FQDN = gethostfqdn() @@ -379,10 +381,12 @@ ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-' VAULT_WRAPPING_3DES = 'des-ede3-cbc' VAULT_WRAPPING_AES128_CBC = 'aes-128-cbc' VAULT_WRAPPING_SUPPORTED_ALGOS = ( - # old default was 3DES - VAULT_WRAPPING_3DES, - # supported since pki-kra >= 10.4 + # new default and supported since pki-kra >= 10.4 VAULT_WRAPPING_AES128_CBC, ) -# 3DES for backwards compatibility -VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_3DES +VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC + +# Add 3DES for backwards compatibility if supported +if backend.cipher_supported(algorithms.TripleDES(b"\x00" * 8), + modes.CBC(b"\x00" * 8)): + VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,) -- 2.34.1