From 0371cd21488648b779d6b7e2af2d893f86a182bc Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 24 Jun 2021 11:19:46 +0200
Subject: [PATCH] PKCS#12 export: encrypt private key with AES
pk12util export defaults to "PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2
CBC". The algorithm is no longer supported by OpenSSL 3.0.0. Use modern
PBES2 with AES-128-CBC to encrypt the private key and leave the public certs
unencrypted.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1975406
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
base/server/python/pki/server/deployment/pkihelper.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index eb407e01e1..7c197b07f1 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1997,6 +1997,11 @@ def create_file(self, out_file, nickname, out_pwfile,
logger.error(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
raise Exception(log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE)
+ # encrypt private keys with PKCS#5 PBES2
+ command.extend(["-c", "AES-128-CBC"])
+ # don't encrypt public certs
+ command.extend(["-C", "NONE"])
+
logger.debug('Command: %s', ' '.join(command))
with open(os.devnull, "w") as fnull:
subprocess.check_call(command, stdout=fnull, stderr=fnull)
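Review bot: The `-c AES-128-CBC` / `-C NONE` switches are appended unconditionally, yet the context lines below run pk12util with `stderr=fnull`, so on a host whose pk12util does not accept these switches (they are comparatively recent NSS additions — confirm the minimum NSS version the package depends on) the export dies with a bare CalledProcessError and the real reason is never logged. Consider capturing the tool's stderr (`stderr=subprocess.PIPE` via `subprocess.run`) and emitting it with `logger.error` before re-raising, so an unsupported-option failure is distinguishable from a wrong password. The comment on the first added line should also record why the default is overridden, since the rationale currently lives only in the commit message: `# pk12util's default PBE (SHA-1 + 40-bit RC2) is rejected by OpenSSL 3.0; PBES2/AES-128-CBC keeps the bundle importable there`. Worth noting in the second comment that `-C NONE` intentionally leaves the certificate bags readable by anyone holding the file without the password, which is acceptable only because they are public certificates. `create_file` begins before this hunk, so the remainder of the command construction is not visible here.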