diff options
| author | Petr Spacek <pspacek@redhat.com> | 2015-09-01 18:16:06 +0200 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2015-09-03 18:22:53 +0200 |
| commit | ecf796e9c021a3b06e670f0602e8a10dcfd6f1f1 (patch) | |
| tree | 87a51ecd8c5e4c6a1d75cdb05d1af50d14d721bb /daemons | |
| parent | e84006117637832f63904edeb45b7296151be6ad (diff) | |
| download | freeipa-ecf796e9c021a3b06e670f0602e8a10dcfd6f1f1.tar.gz freeipa-ecf796e9c021a3b06e670f0602e8a10dcfd6f1f1.tar.xz freeipa-ecf796e9c021a3b06e670f0602e8a10dcfd6f1f1.zip | |
DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'daemons')
| -rwxr-xr-x | daemons/dnssec/ipa-ods-exporter | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index d8c84b7ce..c8d7dbeee 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter @@ -54,8 +54,7 @@ KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB ODS_SE_MAXLINE = 1024 # from ODS common/config.h ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock') -# TODO: MECH_RSA_OAEP -SECRETKEY_WRAPPING_MECH = 'rsaPkcs' +SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep' PRIVKEY_WRAPPING_MECH = 'aesKeyWrapPad' # DNSKEY flag constants @@ -295,7 +294,8 @@ def master2ldap_master_keys_sync(log, ldapkeydb, localhsm): hexlify(mkey_id), hexlify(replica_key_id))) replica_key = localhsm.replica_pubkeys_wrap[replica_key_id] keydata = localhsm.p11.export_wrapped_key(mkey_local.handle, - replica_key.handle, _ipap11helper.MECH_RSA_PKCS) + replica_key.handle, + wrappingmech_name2id[SECRETKEY_WRAPPING_MECH]) mkey_ldap.add_wrapped_data(keydata, SECRETKEY_WRAPPING_MECH, replica_key_id) |