From ca561f72d05b937e727db76c42d807ba07661494 Mon Sep 17 00:00:00 2001
|
|
From: Rob Crittenden <rcritten@redhat.com>
|
|
Date: Fri, 1 Mar 2024 15:12:33 -0500
|
|
Subject: [PATCH] Vault: add additional fallback to RSA-OAEP wrapping algo
|
|
|
|
There is a fallback when creating the wrapping key but one was missing
|
|
when trying to use the cached transport_cert.
|
|
|
|
This allows, along with forcing keyWrap.useOAEP=true, vault creation
|
|
on an nCipher HSM.
|
|
|
|
This can be seen in HSMs where the device doesn't support the
|
|
PKCS#1 v1.5 mechanism. It will error out with either "invalid
|
|
algorithm" or CKR_FUNCTION_FAILED.
|
|
|
|
Related: https://pagure.io/freeipa/issue/9191
|
|
|
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
---
|
|
ipaclient/plugins/vault.py | 8 ++++++--
|
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
|
index a29bd6e5f437d9d07f2d995d7bc884e7f2419c27..96edf09a2060e7b39e1e96c6fa65ae095ec18e73 100644
|
|
--- a/ipaclient/plugins/vault.py
|
|
+++ b/ipaclient/plugins/vault.py
|
|
@@ -755,8 +755,12 @@ class ModVaultData(Local):
|
|
Calls the internal counterpart of the command.
|
|
"""
|
|
# try call with cached transport certificate
|
|
- result = self._do_internal(algo, transport_cert, False,
|
|
- False, *args, **options)
|
|
+ try:
|
|
+ result = self._do_internal(algo, transport_cert, False,
|
|
+ False, *args, **options)
|
|
+ except errors.EncodingError:
|
|
+ result = self._do_internal(algo, transport_cert, False,
|
|
+ True, *args, **options)
|
|
if result is not None:
|
|
return result
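Review bot: The retry in the `except errors.EncodingError:` branch is silent, so an HSM that rejects the first wrapping mechanism will take this path on every call with no trace of it; a debug-level log line before the second `_do_internal` call (if the module has a logger in scope) would make the fallback visible when diagnosing vault failures. The bare positional `True` that selects the fallback is also opaque at the call site — a comment such as `# retry with RSA-OAEP wrapping; some HSMs reject the PKCS#1 v1.5 mechanism` would tie it to the rationale given in the commit message. Since the fallback moves to OAEP rather than away from it, the retry does not weaken the wrapping, but any `EncodingError` not caused by an unsupported mechanism is retried as well and only surfaces if the second attempt fails too. The enclosing method starts and ends outside the hunk.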
|
|
|
|
--
|
|
2.44.0
|
|
|