[Backport][ipa-4-6] Vault: Migrate to RSA-OAEP #7212
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
WIP as I need to test well. |
|
Hi @rcritten, @flo-renaud I spawned RHEL7.9 server and client: RHEL7.9 server/client with the patches in normal mode (KRA uses PKCS1v15), keyWrap.useOAEP is not in the CS.cfg file:
I manually added UseOAEP in the KRA, and restarted pki-tomcatd@pki-tomcat.service, then:
running with pki-kra-10.5.18-27.el7_9.noarch. |
|
Hi @f-trivino The 7.9 server answers to vaultconfig-show with a result containing only the transport cert. With recent versions the result also contains wrapping_supported_algorithms and wrapping_default_algorithm. |
f-trivino
force-pushed
the
backport_pr6959_ipa-4-6
branch
from
958c706
to
7ff3403
Compare
f-trivino
commented
Feb 12, 2024
f-trivino
commented
Feb 12, 2024
f-trivino
force-pushed
the
backport_pr6959_ipa-4-6
branch
3 times, most recently
from
a6b32e5
to
799176e
Compare
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping algorithm since the plugin was introduced. Allow use of AES-128-CBC as alternative wrapping algorithm for transport of secrets. Fixes: https://pagure.io/freeipa/issue/6524 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit sets AES-128-CBC as default wrapping algorithm as TripleDES (des-ede3-cbc) is not supported anymore in C9S. Fixes: https://pagure.io/freeipa/issue/6524 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets. This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but setting AES as default ended-up breaking backwards compatibility with older RHEL systems. This commit is tuning some defaults so that interoperability with older RHEL systems works again. The new logic reflects: - when an old client is calling a new server, it doesn't send any value for wrapping_algo and the old value is used (3DES), so that the client can decrypt using 3DES. - when a new client is calling a new server, it sends wrapping_algo = AES128_CBC - when a new client is calling an old server, it doesn't send any value and the default is to use 3DES. Finally, as this logic is able to handle overlapping wrapping algorithm between server and client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa vault-retrieve --help" commands. Fixes: https://pagure.io/freeipa/issue/9259 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS approved mechanism. This commit adds support for RSA-OAEP padding as a fallback. Fixes: https://pagure.io/freeipa/issue/9191 Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
If a vault operation fails, the error message just says "InternalError". This commit improves error handling of key archival and retrieval calls by catching the PKIException error and raising it as an IPA error. Related: https://pagure.io/freeipa/issue/9191 Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
f-trivino
force-pushed
the
backport_pr6959_ipa-4-6
branch
from
799176e
to
0f21faf
Compare
|
@flo-renaud I believe this is ready now. I'm removing temp_commit (passing tests are here: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/3974dc32-ca6f-11ee-9f92-fa163eeea21a/) I also did some manual testing with rhel7.9 server and rhel9.4 client with all patches: Without FIPS:
With FIPS:
|
f-trivino
added
needs review
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR was opened manually because PR #6959 was pushed to master and backport to ipa-4-6 is required.