51eeb76a79
- rpcserver: validate Kerberos principal name before running kinit Resolves: RHEL-26153 - Vault: add additional fallback to RSA-OAEP wrapping algo Resolves: RHEL-28259 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
44 lines
1.5 KiB
Diff
44 lines
1.5 KiB
Diff
From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Mar 06 2024 08:34:57 +0000
|
|
Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
|
|
|
|
|
|
There is a fallback when creating the wrapping key but one was missing
|
|
when trying to use the cached transport_cert.
|
|
|
|
This allows, along with forcing keyWrap.useOAEP=true, vault creation
|
|
on an nCipher HSM.
|
|
|
|
This can be seen in HSMs where the device doesn't support the
|
|
PKCS#1 v1.5 mechanism. It will error out with either "invalid
|
|
algorithm" or CKR_FUNCTION_FAILED.
|
|
|
|
Related: https://pagure.io/freeipa/issue/9191
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
|
---
|
|
|
|
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
|
index ed16c73..1523187 100644
|
|
--- a/ipaclient/plugins/vault.py
|
|
+++ b/ipaclient/plugins/vault.py
|
|
@@ -757,8 +757,12 @@ class ModVaultData(Local):
|
|
Calls the internal counterpart of the command.
|
|
"""
|
|
# try call with cached transport certificate
|
|
- result = self._do_internal(algo, transport_cert, False,
|
|
- False, *args, **options)
|
|
+ try:
|
|
+ result = self._do_internal(algo, transport_cert, False,
|
|
+ False, *args, **options)
|
|
+ except errors.EncodingError:
|
|
+ result = self._do_internal(algo, transport_cert, False,
|
|
+ True, *args, **options)
|
|
if result is not None:
|
|
return result
|
|
|
|
|