Issue #6650: [vault] Replace nss crypto with cryptography - freeipa

freeipa

#6650 [vault] Replace nss crypto with cryptography

Closed: fixed 7 years ago Opened 7 years ago by cheimes.

The vault plugin uses NSS for key wrapping and encryption / decryption. Since we are moving away from NSS, the function should be replaced with cryptography-based crypto.

symmetric data wrapping nss.create_context_by_sym_key with CKM_DES3_CBC_PAD is TripleDES in CBC mode with keysize (192 bits, max keysize for 3DES), 64 bit nonce (3DES block size) and PKCS#7 padding.
asymmetric key wrapping nss.pub_wrap_sym_key is PKCS#11 C_WrapKey with mechanism CKM_RSA_PKCS internally. It uses RSA with RSAES-PKCS1-v1_5 padding.

Example

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend

def pyca_decrypt(encrypted_data, nonce, session_key):
    algo = algorithms.TripleDES(session_key)
    cipher = Cipher(algo, modes.CBC(nonce), backend=default_backend())
    decryptor = cipher.decryptor()
    unpadder = padding.PKCS7(algo.block_size).unpadder()
    result = unpadder.update(decryptor.update(encrypted_data))
    result += unpadder.update(decryptor.finalize())
    result += unpadder.finalize()
    return result

cheimes commented 7 years ago

In the next step we should move away from 3DES to AES and also include a MAC. The vault payload is not secured against malicious modifications. At the moment only the HTTPS transport layer protects the payload.

Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @cheimes:
- Custom field affects_doc reset
- Custom field component reset
- Custom field type reset
- Issue close_status updated to: None
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
- Issue tagged with: integration

7 years ago

cheimes commented 7 years ago

I flagged this ticket with integration because I got requests to reduce and trim the dependency tree for client packages.

Metadata Update from @cheimes:
- Custom field affects_doc reset

7 years ago

mbasti commented 7 years ago

master:

ed7a03a Vault: port key wrapping to python-cryptography

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Custom field affects_doc reset
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata

Assignee

someone

Tags

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.5

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

wanted

changelog

None

design

None

freeipa

Source Code

#6650 [vault] Replace nss crypto with cryptography Closed: fixed 7 years ago Opened 7 years ago by cheimes.

Example

Metadata

integration

#6650 [vault] Replace nss crypto with cryptography

Closed: fixed 7 years ago Opened 7 years ago by cheimes.