ipa/SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch

44 lines
1.5 KiB
Diff

From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mar 06 2024 08:34:57 +0000
Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
There is a fallback when creating the wrapping key but one was missing
when trying to use the cached transport_cert.
This allows, along with forcing keyWrap.useOAEP=true, vault creation
on an nCipher HSM.
This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index ed16c73..1523187 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -757,8 +757,12 @@ class ModVaultData(Local):
Calls the internal counterpart of the command.
"""
# try call with cached transport certificate
- result = self._do_internal(algo, transport_cert, False,
- False, *args, **options)
+ try:
+ result = self._do_internal(algo, transport_cert, False,
+ False, *args, **options)
+ except errors.EncodingError:
+ result = self._do_internal(algo, transport_cert, False,
+ True, *args, **options)
if result is not None:
return result