From ca561f72d05b937e727db76c42d807ba07661494 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Fri, 1 Mar 2024 15:12:33 -0500 Subject: [PATCH] Vault: add additional fallback to RSA-OAEP wrapping algo There is a fallback when creating the wrapping key but one was missing when trying to use the cached transport_cert. This allows, along with forcing keyWrap.useOAEP=true, vault creation on an nCipher HSM. This can be seen in HSMs where the device doesn't support the PKCS#1 v1.5 mechanism. It will error out with either "invalid algorithm" or CKR_FUNCTION_FAILED. Related: https://pagure.io/freeipa/issue/9191 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud
---
 ipaclient/plugins/vault.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index a29bd6e5f437d9d07f2d995d7bc884e7f2419c27..96edf09a2060e7b39e1e96c6fa65ae095ec18e73 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -755,8 +755,12 @@ class ModVaultData(Local):
 Calls the internal counterpart of the command.
 """
 # try call with cached transport certificate
- result = self._do_internal(algo, transport_cert, False,
- False, *args, **options)
+ try:
+ result = self._do_internal(algo, transport_cert, False,
+ False, *args, **options)
+ except errors.EncodingError:
+ result = self._do_internal(algo, transport_cert, False,
+ True, *args, **options)
 if result is not None:
 return result
-- 2.44.0
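Review bot: The added `except errors.EncodingError:` branch switches wrapping mechanisms silently — nothing in the two positional `False`/`True` arguments tells a reader which one selects RSA-OAEP, and an operator diagnosing an HSM that rejects PKCS#1 v1.5 gets no trace that the retry happened. I would label the retry, e.g. `except errors.EncodingError:` followed by `# PKCS#1 v1.5 wrap rejected (e.g. HSM without that mechanism); retry with RSA-OAEP`, and, if this module already has a logger, a `logger.debug(...)` line saying the OAEP fallback is being used. Note that the retry is only reached when the failure surfaces as `EncodingError`; if a CKR_FUNCTION_FAILED from the HSM is reported under some other error class the fallback will not trigger, which is worth confirming against the server-side error mapping. The enclosing method starts before and ends after this hunk.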