Resolves: rhbz#1975406 - IPA installation fails during pki-tomcatd setup.
parent
c52edc300e
commit
c031ff612f
|
@ -0,0 +1,32 @@
|
|||
From 0371cd21488648b779d6b7e2af2d893f86a182bc Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Thu, 24 Jun 2021 11:19:46 +0200
|
||||
Subject: [PATCH] PKCS#12 export: encrypt private key with AES
|
||||
|
||||
pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2
|
||||
CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern
|
||||
PBES2 with AES-128-CBC to encrypt private key and leave public certs
|
||||
unencrypted.
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
base/server/python/pki/server/deployment/pkihelper.py | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
|
||||
index eb407e01e1..7c197b07f1 100644
|
||||
--- a/base/server/python/pki/server/deployment/pkihelper.py
|
||||
+++ b/base/server/python/pki/server/deployment/pkihelper.py
|
||||
@@ -1997,6 +1997,11 @@ def create_file(self, out_file, nickname, out_pwfile,
|
||||
logger.error(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
|
||||
raise Exception(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
|
||||
|
||||
+ # encrypt private keys with PKCS#5 PBES2
|
||||
+ command.extend(["-c", "AES-128-CBC"])
|
||||
+ # don't encrypt public certs
|
||||
+ command.extend(["-C", "NONE"])
|
||||
+
|
||||
logger.debug('Command: %s', ' '.join(command))
|
||||
with open(os.devnull, "w") as fnull:
|
||||
subprocess.check_call(command, stdout=fnull, stderr=fnull)
|
|
@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
|
|||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||
Version: 11.0.0
|
||||
Release: 0.1.alpha1%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
Release: 0.2.alpha1%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
%global _phase -alpha1
|
||||
|
||||
# To create a tarball from a version tag:
|
||||
|
@ -31,6 +31,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
|||
# > pki-VERSION-RELEASE.patch
|
||||
# Patch: pki-VERSION-RELEASE.patch
|
||||
|
||||
Patch1: admin-cert-p12.patch
|
||||
|
||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||
# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
|
||||
|
@ -1370,5 +1372,8 @@ fi
|
|||
|
||||
################################################################################
|
||||
%changelog
|
||||
* Tue Jun 29 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.2
|
||||
- Resolves: rhbz#1975406 - IPA installation fails during pki-tomcatd setup.
|
||||
|
||||
* Fri Jun 25 2021 Red Hat PKI Team <rhcs-maint@redhat.com> - 11.0.0-0.1
|
||||
- Rebase to PKI 11.0.0-alpha1
|
||||
|
|