[Freeipa-devel] [freeipa PR#509][synchronized] Migrate OTP import script to python-cryptography
URL: https://github.com/freeipa/freeipa/pull/509 Author: tiran Title: #509: Migrate OTP import script to python-cryptography Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/509/head:pr509 git checkout pr509 From 6f39aaa5dc375d39fc1f4eccf06077122c57fb07 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Mon, 31 Aug 2015 10:46:19 -0400 Subject: [PATCH 1/2] Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 --- ipaserver/install/ipa_otptoken_import.py| 104 ++-- ipatests/test_ipaserver/test_otptoken_import.py | 100 +-- 2 files changed, 80 insertions(+), 124 deletions(-) diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py index 552fdfb..3b2e52a 100644 --- a/ipaserver/install/ipa_otptoken_import.py +++ b/ipaserver/install/ipa_otptoken_import.py @@ -29,11 +29,15 @@ from lxml import etree import dateutil.parser import dateutil.tz -import nss.nss as nss import gssapi import six from six.moves import xrange +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf import pbkdf2 +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.backends import default_backend + from ipaplatform.paths import paths from ipapython import admintool from ipalib import api, errors 
@@ -119,13 +123,13 @@ def convertAlgorithm(value):
 "Converts encryption URI to (mech, ivlen)."
 return {
-"http://www.w3.org/2001/04/xmlenc#aes128-cbc":(nss.CKM_AES_CBC_PAD, 128),
-"http://www.w3.org/2001/04/xmlenc#aes192-cbc":(nss.CKM_AES_CBC_PAD, 192),
-"http://www.w3.org/2001/04/xmlenc#aes256-cbc":(nss.CKM_AES_CBC_PAD, 256),
-"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (nss.CKM_DES3_CBC_PAD, 64),
-"http://www.w3.org/2001/04/xmldsig-more#camellia128": (nss.CKM_CAMELLIA_CBC_PAD, 128),
-"http://www.w3.org/2001/04/xmldsig-more#camellia192": (nss.CKM_CAMELLIA_CBC_PAD, 192),
-"http://www.w3.org/2001/04/xmldsig-more#camellia256": (nss.CKM_CAMELLIA_CBC_PAD, 256),
+"http://www.w3.org/2001/04/xmlenc#aes128-cbc": (algorithms.AES, modes.CBC, 128),
+"http://www.w3.org/2001/04/xmlenc#aes192-cbc": (algorithms.AES, modes.CBC, 192),
+"http://www.w3.org/2001/04/xmlenc#aes256-cbc": (algorithms.AES, modes.CBC, 256),
+"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (algorithms.TripleDES, modes.CBC, 64),
+"http://www.w3.org/2001/04/xmldsig-more#camellia128": (algorithms.Camellia, modes.CBC, 128),
+"http://www.w3.org/2001/04/xmldsig-more#camellia192": (algorithms.Camellia, modes.CBC, 192),
+"http://www.w3.org/2001/04/xmldsig-more#camellia256": (algorithms.Camellia, modes.CBC, 256),
 # TODO: add support for these formats.
 # "http://www.w3.org/2001/04/xmlenc#kw-aes128": "kw-aes128",
@@ -135,7 +139,7 @@ def convertAlgorithm(value):
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128": "kw-camellia128",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia192": "kw-camellia192",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia256": "kw-camellia256",
-}.get(value.lower(), (None, None))
+}.get(value.lower(), (None, None, None))
 def convertEncrypted(value, decryptor=None, pconv=base64.b64decode, econv=lambda x: x):
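Review bot: The docstring of `convertAlgorithm` still reads `"Converts encryption URI to (mech, ivlen)."`, but every entry now yields three elements (cipher class, mode class, a bit length). I would change it to something like `"Converts encryption URI to (algorithm class, mode class, length in bits)."` and state what the length means. The numbers are carried over unchanged from the table whose second element was documented as `ivlen`, yet 192 and 256 are not CBC IV sizes for AES or Camellia, so a caller that treats the third element uniformly as an IV length or as a key length would presumably get one cipher family wrong. The code that unpacks the tuple is outside this hunk, so that needs confirming there. The same hunk appears again in the second copy of this patch further down the page.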
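Review bot: An unrecognised `EncryptionMethod` URI, including the key-wrap URIs still listed under the TODO, falls back to `(None, None, None)`. That tuple is truthy and is not `None`, so a caller testing the result that way will not notice, and the failure only appears later when `None` is used as a cipher class. Because the URI comes from the imported token file, I would reject the unsupported case explicitly where the tuple is unpacked, for example `if algo is None: raise ValueError("Unsupported encryption algorithm!")` (variable name illustrative). The unpacking site is outside this hunk, so check whether such a guard already exists. The second copy of the patch lower on the page has the same fallback.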
@@ -170,50 +174,29 @@ def __init__(self, enckey): if params is None: raise ValueError("XML file is missing PBKDF2 parameters!") -self.salt = fetch(params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode) -self.iter = fetch(params, "./xenc11:IterationCount/text()", int) -self.klen = fetch(params, "./xenc11:KeyLength/text()", int) -self.hmod = fetch(params, "./xenc11:PRF/@Algorithm", convertHMACType, hashlib.sha1) +salt = fetch(params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode) +itrs = fetch(params, "./xenc11:IterationCount/text()", int) +klen = fetch(params, "./xenc11:KeyLength/text()", int) +hmod = fetch(params, "./xenc11:PRF/@Algorithm", convertHMACType, hashlib.sha1) -if self.salt is None: +if salt is None: raise ValueError("XML file is missing PBKDF2 salt!") -if self.iter is None: +if itrs is None: raise ValueError("XML file is missing PBKDF2 iteration count!") -if self.klen is None: +if klen is None: raise ValueError("XML file is missing PBKDF2 key length!") -def derive(self, masterkey): -mac = hmac.HMAC(masterkey, None, self.hmod) - -# Figure out how many blocks we will have to combine -# to expand the master key to the desired length. -blocks = self.klen // mac.digest_size -
[Freeipa-devel] [freeipa PR#510][opened] Vault: port key wrapping to python-cryptography
URL: https://github.com/freeipa/freeipa/pull/510 Author: tiran Title: #510: Vault: port key wrapping to python-cryptography Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6650 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/510/head:pr510 git checkout pr510 From 9ec7548f1181f4b5baa2386833a1c3d1732eda87 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 25 Feb 2017 13:09:11 +0100 Subject: [PATCH] Vault: port key wrapping to python-cryptography https://fedorahosted.org/freeipa/ticket/6650 Signed-off-by: Christian Heimes --- ipaclient/plugins/vault.py | 102 ++--- 1 file changed, 41 insertions(+), 61 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 9efb1f1..073d3b5 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -31,10 +31,11 @@ from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.asymmetric import padding -from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ -load_pem_private_key - -import nss.nss as nss +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.primitives.padding import PKCS7 +from cryptography.hazmat.primitives.serialization import ( +load_pem_public_key, load_pem_private_key) +from cryptography.x509 import load_der_x509_certificate from ipaclient.frontend import MethodOverride from ipalib.frontend import Local, Method, Object 
@@ -762,32 +763,25 @@ def forward(self, *args, **options): name='vault_type', error=_('Invalid vault type')) -# initialize NSS database -nss.nss_init(api.env.nss_dir) - # retrieve transport certificate config = self.api.Command.vaultconfig_show()['result'] transport_cert_der = config['transport_cert'] -nss_transport_cert = nss.Certificate(transport_cert_der) +transport_cert = load_der_x509_certificate( +transport_cert_der, default_backend()) +public_key = transport_cert.public_key() # generate session key -mechanism = nss.CKM_DES3_CBC_PAD -slot = nss.get_best_slot(mechanism) -key_length = slot.get_best_key_length(mechanism) -session_key = slot.key_gen(mechanism, None, key_length) +key_length = max(algorithms.TripleDES.key_sizes) +algo = algorithms.TripleDES(os.urandom(key_length // 8)) +nonce = os.urandom(algo.block_size // 8) # wrap session key with transport certificate -# pylint: disable=no-member -public_key = nss_transport_cert.subject_public_key_info.public_key -# pylint: enable=no-member -wrapped_session_key = nss.pub_wrap_sym_key(mechanism, - public_key, - session_key) - -options['session_key'] = wrapped_session_key.data +wrapped_session_key = public_key.encrypt( +algo.key, +padding.PKCS1v15() +) -nonce_length = nss.get_iv_length(mechanism) -nonce = nss.generate_random(nonce_length) +options['session_key'] = wrapped_session_key options['nonce'] = nonce vault_data = {} 
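Review bot: The session key is wrapped to whatever public key `load_der_x509_certificate(transport_cert_der, default_backend())` yields, and that call only parses the DER. Nothing in this hunk checks the certificate's validity period, issuer or key type before `public_key.encrypt(...)`. Confidentiality of the vault payload therefore rests on the authenticity of the `vaultconfig_show` response. I would record that next to the load, e.g. `# transport cert is trusted because it arrives over the authenticated RPC channel; it is not validated here`, assuming that is the intended trust model. A short comment beside `algorithms.TripleDES` and `padding.PKCS1v15()` saying both are kept for compatibility with the server-side transport format (presumably; the server side is not visible here) would stop readers taking them for a free choice. The body of `forward` starts and ends outside the hunk.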
@@ -797,19 +791,16 @@ def forward(self, *args, **options): vault_data[u'encrypted_key'] = base64.b64encode(encrypted_key)\ .decode('utf-8') -json_vault_data = json.dumps(vault_data) +json_vault_data = json.dumps(vault_data).encode('utf-8') # wrap vault_data with session key -iv_si = nss.SecItem(nonce) -iv_param = nss.param_from_iv(mechanism, iv_si) - -encoding_ctx = nss.create_context_by_sym_key(mechanism, - nss.CKA_ENCRYPT, - session_key, - iv_param) +padder = PKCS7(algo.block_size).padder() +padded_data = padder.update(json_vault_data) +padded_data += padder.finalize() -wrapped_vault_data = encoding_ctx.cipher_op(json_vault_data)\ -+ encoding_ctx.digest_final() +cipher = Cipher(algo, modes.CBC(nonce), backend=default_backend()) +encryptor = cipher.encryptor() +wrapped_vault_data = encryptor.update(padded_data) + encryptor.finalize() options['vault_data'] = wrapped_vault_data @@ -925,49 +916,38 @@ def forward(self, *args, **options): vault_type = vault['ipavaulttype'][0] -# initialize NSS database -nss.nss_init(api.env.nss_dir) - # retrieve transport certificate config = self.api.Command.vault
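Review bot: `wrapped_vault_data` is 3DES-CBC output over the PKCS7-padded JSON with no MAC or other integrity tag, so a receiver cannot detect a modified ciphertext from this blob alone. If the wire format is fixed by the server, add a comment stating that integrity is expected from the RPC transport rather than from this wrapping; I cannot confirm that from the hunk. As a small style point, the padder could mirror the encryptor line: `padded_data = padder.update(json_vault_data) + padder.finalize()`. The retrieval-side hunk that follows on this line is cut off on the page and is not reviewed here.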
[Freeipa-devel] [freeipa PR#509][opened] Migrate OTP import script to python-cryptography
URL: https://github.com/freeipa/freeipa/pull/509 Author: tiran Title: #509: Migrate OTP import script to python-cryptography Action: opened PR body: """ Supersedes @npmccallum PR #486 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/509/head:pr509 git checkout pr509 From a42cc54f44c48aaf105d4765af797676d1802881 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Mon, 31 Aug 2015 10:46:19 -0400 Subject: [PATCH 1/2] Migrate OTP import script to python-cryptography https://fedorahosted.org/freeipa/ticket/5192 --- ipaserver/install/ipa_otptoken_import.py| 104 ++-- ipatests/test_ipaserver/test_otptoken_import.py | 100 +-- 2 files changed, 80 insertions(+), 124 deletions(-) diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py index 00939e0..d5ed12a 100644 --- a/ipaserver/install/ipa_otptoken_import.py +++ b/ipaserver/install/ipa_otptoken_import.py @@ -29,11 +29,15 @@ from lxml import etree import dateutil.parser import dateutil.tz -import nss.nss as nss import gssapi import six from six.moves import xrange +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf import pbkdf2 +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.backends import default_backend + from ipapython import admintool from ipalib import api, errors from ipaserver.plugins.ldap2 import AUTOBIND_DISABLED 
@@ -118,13 +122,13 @@ def convertAlgorithm(value):
 "Converts encryption URI to (mech, ivlen)."
 return {
-"http://www.w3.org/2001/04/xmlenc#aes128-cbc":(nss.CKM_AES_CBC_PAD, 128),
-"http://www.w3.org/2001/04/xmlenc#aes192-cbc":(nss.CKM_AES_CBC_PAD, 192),
-"http://www.w3.org/2001/04/xmlenc#aes256-cbc":(nss.CKM_AES_CBC_PAD, 256),
-"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (nss.CKM_DES3_CBC_PAD, 64),
-"http://www.w3.org/2001/04/xmldsig-more#camellia128": (nss.CKM_CAMELLIA_CBC_PAD, 128),
-"http://www.w3.org/2001/04/xmldsig-more#camellia192": (nss.CKM_CAMELLIA_CBC_PAD, 192),
-"http://www.w3.org/2001/04/xmldsig-more#camellia256": (nss.CKM_CAMELLIA_CBC_PAD, 256),
+"http://www.w3.org/2001/04/xmlenc#aes128-cbc": (algorithms.AES, modes.CBC, 128),
+"http://www.w3.org/2001/04/xmlenc#aes192-cbc": (algorithms.AES, modes.CBC, 192),
+"http://www.w3.org/2001/04/xmlenc#aes256-cbc": (algorithms.AES, modes.CBC, 256),
+"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (algorithms.TripleDES, modes.CBC, 64),
+"http://www.w3.org/2001/04/xmldsig-more#camellia128": (algorithms.Camellia, modes.CBC, 128),
+"http://www.w3.org/2001/04/xmldsig-more#camellia192": (algorithms.Camellia, modes.CBC, 192),
+"http://www.w3.org/2001/04/xmldsig-more#camellia256": (algorithms.Camellia, modes.CBC, 256),
 # TODO: add support for these formats.
 # "http://www.w3.org/2001/04/xmlenc#kw-aes128": "kw-aes128",
@@ -134,7 +138,7 @@ def convertAlgorithm(value):
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128": "kw-camellia128",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia192": "kw-camellia192",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia256": "kw-camellia256",
-}.get(value.lower(), (None, None))
+}.get(value.lower(), (None, None, None))
 def convertEncrypted(value, decryptor=None, pconv=base64.b64decode, econv=lambda x: x):
@@ -169,50 +173,29 @@ def __init__(self, enckey): if params is None: raise ValueError("XML file is missing PBKDF2 parameters!") -self.salt = fetch(params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode) -self.iter = fetch(params, "./xenc11:IterationCount/text()", int) -self.klen = fetch(params, "./xenc11:KeyLength/text()", int) -self.hmod = fetch(params, "./xenc11:PRF/@Algorithm", convertHMACType, hashlib.sha1) +salt = fetch(params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode) +itrs = fetch(params, "./xenc11:IterationCount/text()", int) +klen = fetch(params, "./xenc11:KeyLength/text()", int) +hmod = fetch(params, "./xenc11:PRF/@Algorithm", convertHMACType, hashlib.sha1) -if self.salt is None: +if salt is None: raise ValueError("XML file is missing PBKDF2 salt!") -if self.iter is None: +if itrs is None: raise ValueError("XML file is missing PBKDF2 iteration count!") -if self.klen is None: +if klen is None: raise ValueError("XML file is missing PBKDF2 key length!") -def derive(self, masterkey): -mac = hmac.HMAC(masterkey, None, self.hmod) - -# Figure out how many blocks we will have to combine -# to expand the master key to the desir
[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Title: #412: Define template version in certmap.conf flo-renaud commented: """ Hi @MartinBasti , patch rebased """ See the full comment at https://github.com/freeipa/freeipa/pull/412#issuecomment-282469593 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#412][synchronized] Define template version in certmap.conf
URL: https://github.com/freeipa/freeipa/pull/412 Author: flo-renaud Title: #412: Define template version in certmap.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/412/head:pr412 git checkout pr412 From 62936511fcb167bf82e5e6f5ff6995101003028d Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 23 Jan 2017 18:06:53 +0100 Subject: [PATCH] Define template version in certmap.conf A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the definition of VERSION 2 in certmap.conf.template. ipa-server-upgrade tool compares the template version with the version in certmap.conf. As VERSION is not defined in either file, it concludes that version = 0 for both and does not make a backup of certmap.conf even though it prints that it will. The fix re-defines VERSION in the template and adapts the code because the template has changed (it is using $ISSUER_DN instead of CN=Certificate Authority,$SUBJECT_BASE). The fix also logs an error when a template file is not versioned. https://fedorahosted.org/freeipa/ticket/6354 --- install/share/certmap.conf.template | 4 ipaserver/install/server/upgrade.py | 5 - 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template index d59b095..bf4f4d0 100644 --- a/install/share/certmap.conf.template +++ b/install/share/certmap.conf.template @@ -1,3 +1,7 @@ +# VERSION 3 - DO NOT REMOVE THIS LINE +# +# This file is managed by IPA and will be overwritten on upgrades. +# # # This file configures how a certificate is mapped to an LDAP entry. See the # documentation for more information on this file. diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 90c2be2..a077c13 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -169,6 +169,9 @@ def upgrade_file(sub_dict, filename, template, add=False): if new < 0: root_logger.error("%s not found." % template) +if new == 0: +root_logger.error("Template %s is not versioned." % template) + if old == 0: # The original file does not have a VERSION entry. This means it's now # managed by IPA, but previously was not. @@ -1558,7 +1561,7 @@ def upgrade_configuration(): subject_base = find_subject_base() if subject_base: -sub_dict['SUBJECT_BASE'] = subject_base +sub_dict['ISSUER_DN'] = 'CN=Certificate Authority,' + subject_base ca = cainstance.CAInstance( api.env.realm, host_name=api.env.host) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
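Review bot: The added `new == 0` branch logs an error and then falls through to the `old == 0` handling below, so an unversioned template is still applied. The `new < 0` branch visible just above behaves the same way within this hunk. If continuing is intended, a comment such as `# unversioned template: report it but keep upgrading` would make that explicit; otherwise return or raise here. The message is also formatted eagerly with `%`; `root_logger.error("Template %s is not versioned.", template)` leaves the formatting to the logger. The rest of `upgrade_file` is outside the hunk.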
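Review bot: `sub_dict['ISSUER_DN']` is built by string concatenation as `'CN=Certificate Authority,' + subject_base`, which hard-codes the CA common name in the upgrade path even though the template now takes a full `$ISSUER_DN`. certmap.conf decides which issuer's client certificates are mapped to LDAP entries, so on a deployment whose CA subject differs from this default the upgraded file would presumably name the wrong issuer and certificate mapping would fail. Reading the issuer DN from the installed CA certificate would be safer, or at minimum add a comment like `# assumes the default CA subject DN`. Two things to confirm outside the hunk: that no other template filled from `sub_dict` still references `$SUBJECT_BASE`, and what `ISSUER_DN` resolves to when `subject_base` is empty.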