Use RSA-OAEP instead of RSA PKCS#1 v1.5

jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
author: Christian Heimes <cheimes@redhat.com> 2016-09-05 15:38:48 +0200
committer: Martin Basti <mbasti@redhat.com> 2016-09-05 18:11:46 +0200
commit: 4ae4d0d6909e99892442a170288f0eee9610d1c2 (patch)
tree: 6613594e86b14e03c321a719b56adf53458cfdf1 /ipapython/secrets/client.py
parent: a3d178b86ddff9335228d99fe06e8fc89a00235a (diff)
download: freeipa-4ae4d0d6909e99892442a170288f0eee9610d1c2.tar.gz
freeipa-4ae4d0d6909e99892442a170288f0eee9610d1c2.tar.xz
freeipa-4ae4d0d6909e99892442a170288f0eee9610d1c2.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 56ed6f794..d9cc7d0f5 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -86,7 +86,7 @@ class CustodiaClient(object):
         url = 'https://%s/ipa/keys/%s' % (self.server, keyname)
 
         # Prepare signed/encrypted request
-        encalg = ('RSA1_5', 'A256CBC-HS512')
+        encalg = ('RSA-OAEP', 'A256CBC-HS512')
         request = self.kemcli.make_request(keyname, encalg=encalg)
 
         # Prepare Authentication header
author	Christian Heimes <cheimes@redhat.com>	2016-09-05 15:38:48 +0200
committer	Martin Basti <mbasti@redhat.com>	2016-09-05 18:11:46 +0200
commit	4ae4d0d6909e99892442a170288f0eee9610d1c2 (patch)
tree	6613594e86b14e03c321a719b56adf53458cfdf1 /ipapython/secrets/client.py
parent	a3d178b86ddff9335228d99fe06e8fc89a00235a (diff)
download	freeipa-4ae4d0d6909e99892442a170288f0eee9610d1c2.tar.gz freeipa-4ae4d0d6909e99892442a170288f0eee9610d1c2.tar.xz freeipa-4ae4d0d6909e99892442a170288f0eee9610d1c2.zip