diff options
author | Ade Lee <alee@redhat.com> | 2017-04-28 00:29:45 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-04-28 00:56:40 -0400 |
commit | 853220445eb0ce54b6ce241547891605329b7e3e (patch) | |
tree | 55e4191a558f4c56236deb690e22ba27a983dbac /base/common/python | |
parent | b93cec621203c6fb970b57ef042636ba2f9efa3d (diff) | |
download | pki-853220445eb0ce54b6ce241547891605329b7e3e.tar.gz pki-853220445eb0ce54b6ce241547891605329b7e3e.tar.xz pki-853220445eb0ce54b6ce241547891605329b7e3e.zip |
Fix DES3 using python-cryptography provider
Incorrect key size lead to errors when the client side
was set to use 3DES. Also deprecate not providing an
encryption algorithm OID explcitly in
archive_encrypted_data()
Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9
Diffstat (limited to 'base/common/python')
-rw-r--r-- | base/common/python/pki/crypto.py | 7 | ||||
-rw-r--r-- | base/common/python/pki/key.py | 3 |
2 files changed, 9 insertions, 1 deletions
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py index 0891acd68..7f0384658 100644 --- a/base/common/python/pki/crypto.py +++ b/base/common/python/pki/crypto.py @@ -389,9 +389,14 @@ class CryptographyCryptoProvider(CryptoProvider): self.encrypt_mode = modes.CBC self.encrypt_size = 128 elif level == 0: + # note that 3DES keys are actually 192 bits long, even + # though only 168 bits are used internally. See + # https://tools.ietf.org/html/rfc4949 + # Using 168 here will cause python-cryptography key verification + # checks to fail. self.encrypt_alg = algorithms.TripleDES self.encrypt_mode = modes.CBC - self.encrypt_size = 168 + self.encrypt_size = 192 def generate_nonce_iv(self, mechanism='AES'): """ Create a random initialization vector """ diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py index 9313b0e59..d2b82970e 100644 --- a/base/common/python/pki/key.py +++ b/base/common/python/pki/key.py @@ -28,6 +28,7 @@ from __future__ import print_function import base64 import json import os +import warnings from six import iteritems from six.moves.urllib.parse import quote # pylint: disable=F0401,E0611 @@ -853,6 +854,8 @@ class KeyClient(object): # legacy apps like IPA call this directly without # setting the algorithm_oid. We need to keep DES # for backward compatibility + warnings.warn("algorithm_oid=None is deprecated", + DeprecationWarning) algorithm_oid = pki.crypto.DES_EDE3_CBC_OID if not nonce_iv: |