From 0371cd21488648b779d6b7e2af2d893f86a182bc Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 24 Jun 2021 11:19:46 +0200
Subject: [PATCH] PKCS#12 export: encrypt private key with AES
pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern PBES2 with AES-128-CBC to encrypt private key and leave public certs unencrypted.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
Signed-off-by: Christian Heimes
---
 base/server/python/pki/server/deployment/pkihelper.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index eb407e01e1..7c197b07f1 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1997,6 +1997,11 @@ def create_file(self, out_file, nickname, out_pwfile,
 logger.error(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
 raise Exception(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
+ # encrypt private keys with PKCS#5 PBES2
+ command.extend(["-c", "AES-128-CBC"])
+ # don't encrypt public certs
+ command.extend(["-C", "NONE"])
+ logger.debug('Command: %s', ' '.join(command))
 with open(os.devnull, "w") as fnull:
 subprocess.check_call(command, stdout=fnull, stderr=fnull)
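Review bot: The two `command.extend` calls hard-code the export ciphers, while the `subprocess.check_call` just below sends stderr to `os.devnull`. If the installed pk12util does not accept `-c AES-128-CBC` or `-C NONE` (presumably possible on older NSS builds, worth confirming), the export fails with only an exit status and no diagnostic. Consider keeping stderr for the failure path, and holding the cipher name in a module-level constant so a deployment can choose a stronger one without editing this function. The second comment would also help more if it gave the reason, e.g. `# certs are public data; leaving them unencrypted avoids the legacy 40-bit RC2 default that OpenSSL 3.0 rejects`. `create_file` begins and ends outside this hunk, so how `out_pwfile` protects the key cannot be checked from here.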