author | Nathaniel McCallum <npmccallum@redhat.com> | 2017-06-20 10:31:15 -0400 |
committer | Tomas Krizek <tkrizek@redhat.com> | 2017-09-01 10:50:34 +0200 |
commit | bc05ab992226febb54e47e3963b694fe96ca4167 (patch) | |
tree | 0eac00d12a8c724d6837020ec2536539766c605f | |
parent | c14aa6cdac5795bd2a05606c51e4b9d9f26755a4 (diff) | |
ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.
https://pagure.io/freeipa/issue/7035
Signed-off-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-rw-r--r-- | ipaserver/install/ipa_otptoken_import.py | 15 | ||||
-rw-r--r-- | ipatests/test_ipaserver/data/pskc-figure7.xml | 16 |
2 files changed, 14 insertions, 17 deletions
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 99b1f7566..9ac88e728 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -55,6 +55,7 @@ class ValidationError(Exception):
 def fetchAll(element, xpath, conv=lambda x: x):
 return [conv(e) for e in element.xpath(xpath, namespaces={
+ "pkcs5": "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#",
 "pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
 "xenc11": "http://www.w3.org/2009/xmlenc11#",
 "xenc": "http://www.w3.org/2001/04/xmlenc#",
@@ -178,18 +179,14 @@ class XMLKeyDerivation(six.with_metaclass(abc.ABCMeta, object)):
 class PBKDF2KeyDerivation(XMLKeyDerivation):
 def __init__(self, enckey):
- params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/xenc11:PBKDF2-params")
+ params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/pkcs5:PBKDF2-params")
 if params is None:
 raise ValueError("XML file is missing PBKDF2 parameters!")
- salt = fetch(
- params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode)
- itrs = fetch(
- params, "./xenc11:IterationCount/text()", int)
- klen = fetch(
- params, "./xenc11:KeyLength/text()", int)
- hmod = fetch(
- params, "./xenc11:PRF/@Algorithm", convertHMACType, hashes.SHA1)
+ salt = fetch(params, "./Salt/Specified/text()", base64.b64decode)
+ itrs = fetch(params, "./IterationCount/text()", int)
+ klen = fetch(params, "./KeyLength/text()", int)
+ hmod = fetch(params, "./PRF/@Algorithm", convertHMACType, hashes.SHA1)
 if salt is None:
 raise ValueError("XML file is missing PBKDF2 salt!")
diff --git a/ipatests/test_ipaserver/data/pskc-figure7.xml b/ipatests/test_ipaserver/data/pskc-figure7.xml
index 1fb04fc31..808e272a5 100644
--- a/ipatests/test_ipaserver/data/pskc-figure7.xml
+++ b/ipatests/test_ipaserver/data/pskc-figure7.xml
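Review bot: The new XPath steps `./Salt/Specified/text()`, `./IterationCount/text()`, `./KeyLength/text()` and `./PRF/@Algorithm` are unprefixed, and in lxml's XPath 1.0 an unprefixed name test matches only elements that are in no namespace. That is consistent with PBKDF2-params as defined by XML Encryption 1.1, whose child elements are unqualified, but a PSKC document whose root declares a default `xmlns` puts `<Salt>` into that namespace, so each `fetch` returns None and the failure surfaces as "XML file is missing PBKDF2 salt!" rather than as a namespace mismatch. Worth a comment above the `salt = fetch(...)` line, e.g. `# PBKDF2-params children are unqualified (no namespace); a default xmlns on the document would hide them from these lookups.` Whether the updated pskc-figure7.xml declares a default namespace is not visible in this hunk, so a test exercising that layout would confirm the lookups behave as intended. `__init__` continues past the end of the hunk.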
@@ -8,14 +8,14 @@
 <xenc11:DerivedKey>
 <xenc11:KeyDerivationMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
- <xenc11:PBKDF2-params>
- <xenc11:Salt>
- <xenc11:Specified>Ej7/PEpyEpw=</xenc11:Specified>
- </xenc11:Salt>
- <xenc11:IterationCount>1000</xenc11:IterationCount>
- <xenc11:KeyLength>16</xenc11:KeyLength>
- <xenc11:PRF/>
- </xenc11:PBKDF2-params>
+ <pkcs5:PBKDF2-params>
+ <Salt>
+ <Specified>Ej7/PEpyEpw=</Specified>
+ </Salt>
+ <IterationCount>1000</IterationCount>
+ <KeyLength>16</KeyLength>
+ <PRF/>
+ </pkcs5:PBKDF2-params>
 </xenc11:KeyDerivationMethod>
 <xenc:ReferenceList>
 <xenc:DataReference URI="#ED"/> |