From 3cc50b49e2a18344937702bd1b170b9faf738845 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 27 Apr 2017 11:10:36 -0400
Subject: Modify the key client to default to 3DES

When no algorithm OID is provided, we used to default to 3DES. We need to continue to do this to not break IPA.

Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d
---
 base/common/python/pki/key.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'base/common/python')
diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
index e782d54c0..9313b0e59 100644
--- a/base/common/python/pki/key.py
+++ b/base/common/python/pki/key.py
@@ -514,7 +514,7 @@ class KeyClient(object):
 pki.util.read_environment_files()
 client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET')
 if client_keyset is not None:
- return client_keyset
+ return int(client_keyset)
 return 0
 def get_server_keyset(self):
@@ -795,7 +795,7 @@ class KeyClient(object):
 data_type,
 encrypted_data,
 wrapped_session_key,
- algorithm_oid=None,
+ algorithm_oid=self.encrypt_alg_oid,
 nonce_iv=nonce_iv,
 key_algorithm=key_algorithm,
 key_size=key_size,
@@ -850,8 +850,10 @@ class KeyClient(object):
 raise TypeError('Missing wrapped session key')
 if not algorithm_oid:
- algorithm_oid = pki.crypto.AES_128_CBC_OID
- # algorithm_oid = KeyClient.DES_EDE3_CBC_OID
+ # legacy apps like IPA call this directly without
+ # setting the algorithm_oid. We need to keep DES
+ # for backward compatibility
+ algorithm_oid = pki.crypto.DES_EDE3_CBC_OID
 if not nonce_iv:
 raise TypeError('Missing nonce IV')
-- cgit
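Review bot: `int(client_keyset)` in the `@@ -514` hunk raises an unhandled ValueError whenever KEY_WRAP_PARAMETER_SET is present but not a decimal integer, including an empty assignment, because only `None` is checked. Since this value selects the key-wrap parameter set, the conversion should fail with a message that names the variable, e.g. `except ValueError: raise ValueError('KEY_WRAP_PARAMETER_SET must be an integer, got %r' % client_keyset)`, and, if the supported set numbers are known, reject anything outside them instead of returning an arbitrary integer. The method's docstring should also state that the return type is now `int` with `0` as the default, for callers that previously compared against a string. The method's signature and the start of its body are outside the hunk.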
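Review bot: The fallback in the `@@ -850` hunk selects 3DES silently for any falsy `algorithm_oid`, so a caller that simply forgot the argument (or the call in the `@@ -795` hunk, if `self.encrypt_alg_oid` is ever unset) archives under a legacy 64-bit-block cipher with no trace. The OID also has to describe how `encrypted_data` was already encrypted, so the default is only correct for callers that used DES-EDE3-CBC; that contract belongs in the function's docstring, which is outside this hunk. I would extend the comment to `# Fallback only: the OID must match the cipher the caller used for encrypted_data; new callers should pass an AES OID explicitly` and emit a warning or log line on this branch so the remaining legacy callers can be found and the default retired.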