[freeipa PR#3039][opened] Add temporary directory manager
by tiran
URL: https://github.com/freeipa/freeipa/pull/3039
Author: tiran
Title: #3039: Add temporary directory manager
Action: opened
PR body:
"""
The temporary directory manager simplifies the handling of temporary
files that are shared with other processes or kept throughout the lifetime
of the current process. It should only be used in case
tempfile.NamedTemporaryFile is not up for the task.
The manager creates a new temporary directory for each user. The
directory and all its files are accessible by the target user and the
root group ($uid:root / 0o770 / 0o660) to avoid DAC override capability.
The temporary directory is automatically removed on process exit.
Related: https://pagure.io/freeipa/issue/7911
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3039/head:pr3039
git checkout pr3039
[freeipa PR#3483][opened] Support AES wrapping in LWCA key replication
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/3483
Author: frasertweedale
Title: #3483: Support AES wrapping in LWCA key replication
Action: opened
PR body:
"""
The PR enhances the NSSWrappedCertDB custodia store to accept an optional
symmetric encryption algorithm OID to use for encrypting the key. Also update
the ipa-pki-retrieve-key program to request AES wrapping.
For backwards compatibility when older servers request a key, default to 3DES
(which is what the older server supports).
For backwards compatibility when retrieving a key from an older server, try AES
first, and on HTTP 404 retry without the algorithm OID.
This change depends on Dogtag PR https://github.com/dogtagpki/pki/pull/232, and
a new Dogtag release containing the change (so that we can bump the dep min
bound in FreeIPA).
Changes:
```
4afb3c3fa (Fraser Tweedale, 21 hours ago)
    ipa-pki-retrieve-key: request AES encryption (with fallback)

    Update the ipa-pki-retrieve-key client to issue a request that specifies
    that AES encryption should be used. Fall back to a simple request (which
    will use default export algorithm) if the server returns 404. The 404
    indicates that either:

    - It is an old server that does not support extra key arguments
    - It is a new server but the key does not exist, in which case the
      fallback request will also fail with 404.

    Fixes: https://pagure.io/freeipa/issue/8020

c5d150a39 (Fraser Tweedale, 8 days ago)
    NSSWrappedCertDB: accept optional symmetric algorithm

    Add support for specifying the desired symmetric encryption algorithm for
    exporting wrapped key (for LWCA key replication). If not specified,
    defaults to DES-EDE3-CBC for backwards compatibility.

    Client-side changes will occur in a subsequent commit.

    Part of: https://pagure.io/freeipa/issue/8020

86ba401cc (Fraser Tweedale, 8 days ago)
    IPASecStore: support extra key arguments

    To support lightweight CA key replication using AES, while retaining
    backwards compatibility with old servers, it is necessary to signal support
    for AES. Whereas we currently request a key with the path:

        /keys/ca_wrapped/<nickname>

    and whereas paths with > 3 components are unsupported, add support for
    handlers to signal that they support extra arguments (defaulting to False),
    those arguments being conveyed as additional path components, e.g.:

        # 2.16.840.1.101.3.4.1.2 = aes128-cbc
        /keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2

    This commit only adds the Custodia support for extra handler arguments.
    Work to support LWCA key replication with AES wrapping will continue in
    subsequent commits.

    Part of: https://pagure.io/freeipa/issue/8020
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3483/head:pr3483
git checkout pr3483
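
The request path and 404 fallback described in PR#3483, modelled as an added example (this is not FreeIPA or Custodia code). The function names, the `NotFound` exception and the server-side algorithm allowlist are assumptions made for illustration; the DES-EDE3-CBC OID is the standard value and does not appear in the PR text.

```python
# Added illustration only; not FreeIPA or Custodia code. Names are hypothetical.
AES128_CBC = "2.16.840.1.101.3.4.1.2"  # OID quoted in the commit message
DES_EDE3_CBC = "1.2.840.113549.3.7"    # standard OID for the 3DES default
ALLOWED_ALGS = {AES128_CBC, DES_EDE3_CBC}  # assumption: server-side allowlist


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def resolve(path, handlers):
    """Server side: map a key path to (nickname, algorithm OID).

    handlers maps a handler name to whether it accepts extra arguments.
    """
    parts = path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != "keys" or not parts[2]:
        raise NotFound(path)
    handler, nickname, extra = parts[1], parts[2], parts[3:]
    if handler not in handlers:
        raise NotFound(path)
    # More than 3 components is only valid for handlers that opted in.
    if extra and not handlers[handler]:
        raise NotFound(path)
    if len(extra) > 1:
        raise NotFound(path)
    alg = extra[0] if extra else DES_EDE3_CBC  # backwards-compatible default
    if alg not in ALLOWED_ALGS:
        raise NotFound(path)  # refuse algorithms the server has not vetted
    return nickname, alg


def make_server(keys, extra_args):
    """Build a constructed stand-in server holding the given key nicknames."""
    def server(path):
        nickname, alg = resolve(path, {"ca_wrapped": extra_args})
        if nickname not in keys:
            raise NotFound(path)
        return nickname, alg
    return server


def retrieve(nickname, server):
    """Client side: request AES first; on 404 retry without the OID."""
    try:
        return server(f"/keys/ca_wrapped/{nickname}/{AES128_CBC}")
    except NotFound:
        return server(f"/keys/ca_wrapped/{nickname}")
```

Because `retrieve` returns the algorithm alongside the key name, a caller can log every transfer that fell back to 3DES and track which peers still need upgrading.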