URL:
https://github.com/freeipa/freeipa/pull/3483
Author: frasertweedale
Title: #3483: Support AES wrapping in LWCA key replication
Action: opened
PR body:
"""
The PR enhances the NSSWrappedCertDB custodia store to accept an optional
symmetric encryption algorithm OID to use for encrypting the key. Also update
the ipa-pki-retrieve-key program to request AES wrapping.
For backwards compatibility when older servers request a key, default to 3DES
(which is what the older server supports).
For backwards compatibility when retrieving a key from an older server, try AES
first, and on HTTP 404 retry without the algorithm OID.
This change depends on Dogtag PR
https://github.com/dogtagpki/pki/pull/232, and
new Dogtag release containing the change (so that we can bump the dep min
bound in FreeIPA).
Changes:
```
4afb3c3fa (Fraser Tweedale, 21 hours ago)
ipa-pki-retrieve-key: request AES encryption (with fallback)
Update the ipa-pki-retrieve-key client to issue a request that specifies
that AES encryption should be used. Fall back to a simple request (which
will use default export algorithm) if the server returns 404. The 404
indicates that either:
- It is an old server that does not support extra key arguments
- It is a new server but the key does not exist, in which case the
fallback request will also fail with 404.
Fixes:
https://pagure.io/freeipa/issue/8020
c5d150a39 (Fraser Tweedale, 8 days ago)
NSSWrappedCertDB: accept optional symmetric algorithm
Add support for specifying the desired symmetric encryption algorithm for
exporting wrapped key (for LWCA key replication). If not specified,
defaults to DES-EDE3-CBC for backwards compatibility.
Client-side changes will occur in a subsequent commit.
Part of:
https://pagure.io/freeipa/issue/8020
86ba401cc (Fraser Tweedale, 8 days ago)
IPASecStore: support extra key arguments
To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal support
for AES. Whereas we currently request a key with the path:
/keys/ca_wrapped/<nickname>
and whereas paths with > 3 components are unsupported, add support for
handlers to signal that they support extra arguments (defaulting to False),
those arguments being conveyed as additional path components, e.g.:
# 2.16.840.1.101.3.4.1.2 = aes128-cbc
/keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2
This commit only adds the Custodia support for extra handler arguments.
Work to support LWCA key replication with AES wrapping will continue in
subsequent commits.
Part of:
https://pagure.io/freeipa/issue/8020
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa
https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3483/head:pr3483
git checkout pr3483