[Freeipa-devel] [PATCH] Password vault

Endi Sukma Dewata edewata at redhat.com
Mon Jun 15 23:02:48 UTC 2015 

On 6/15/2015 2:22 AM, Jan Cholasta wrote:
> I think it would be better to use a new attribute type which inherits
> from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey directly
> for assymetric vault public keys, so that assymetric public key and
> escrow public key are on the same level and you can still use
> ipaPublicKey to refer to either one:
>
>      ipaPublicKey
>          ipaVaultPublicKey
>          ipaEscrowPublicKey
>
>      ( 2.16.840.1.113730.3.8.18.2.? NAME 'ipaVaultPublicKey' DESC
> 'Assymetric vault public key as DER-encoded SubjectPublicKeyInfo (RFC
> 5280)' SUP ipaPublicKey EQUALITY octetStringMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
>      ( 2.16.840.1.113730.3.8.18.2.3 NAME 'ipaEscrowPublicKey' DESC 'IPA
> escrow public key as DER-encoded SubjectPublicKeyInfo (RFC 5280)' SUP
> ipaPublicKey EQUALITY octetStringMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )

OK. To be consistent the parameters need to be renamed too: 
--vault-public-key and --vault-public-key-file.

>>> 1. The vault_add was split into a client-side vault_add and server-side
>>> vault_add_internal since the parameters are different (i.e. public
>>> key file and
>>> future escrow-related params). Since vault_add inherits from Local all
>>> non-primary-key attributes have to be added explicitly.
>
> The split is not really necessary, since the only difference is the
> public_key_file option, which exists only because of the lack of proper
> file support in the framework. This is a different situation from
> vault_{archive,retrieve}, which has two different sets of options on
> client and server side. Escrow adds only ipaescrowpublickey and
> escrow_public_key_file, right? If yes, we can safely keep the command in
> a single piece.

We know the vault-add will have at least two client-only parameters: 
vault_public_key_file and escrow_public_key_file. Keeping these 
parameters on the server API would be wrong and confusing. If the API is 
called on the server side with vault_public_key_file the operation will 
fail. In the previous discussion you considered this as broken API:

> Server API is used not only by the server itself, but also by installers
> for example. Anyway the point is that there *can't* be a broken API like
> this, you should at least raise an error if the command is called from
> server API, although actually separating it into client and server parts
> would be preferable.

Also, originally the vault was designed like this: when you create a 
symmetric vault you're supposed to specify the password as well, similar 
to adding a public key when creating an asymmetric vault. When you 
archive, you're supposed to enter the same password for verification, 
not a new password. So it would look like this:

$ ipa vault-add test --type symmetric
New password: ********
Verify password: ********

$ ipa vault-archive test --in secret1.txt
Password: ******** (same password)

$ ipa vault-archive test --in secret2.txt
Password: ******** (same password)

In the original design the vault-add would also archive a blank data, 
which later could be used to verify the password during vault-archive by 
decrypting the existing data first. There's also a plan to add a 
mechanism to change the password after the ACL patch.

In the current design the vault-add doesn't archive anything, so during 
vault-archive it cannot verify the password because there is nothing to 
decrypt. In other words you can specify different passwords on each 
archival, regardless of previous archivals:

$ ipa vault-add test --type symmetric

$ ipa vault-archive test --in secret1.txt
New password: ********
Verify password: ********

$ ipa vault-archive test --in secret2.txt
New password: ********
Verify password: ********

So basically here are the options:

1. Specify the crypto parameters once during vault creation, then 
reuse/verify the parameters on each archival & retrieval. You can change 
the parameters only with a special command.

2. Don't specify the crypto parameters during vault creation, but 
specify new parameters on each archival. For retrieval you'd have to 
use/verify the parameters specified in the last archival.

I think the first one makes more sense and is easier to use. That also 
means the vault-add will have additional client-only parameters such as 
--password and --password-file.

>>> 2. Since the vault_archive_internal inherits from Update, it accepts
>>> all non
>>> primary-key attributes automatically. This is incorrect since we
>>> don't want to
>>> update these parameters during archival. Can this behavior be
>>> overridden?
>
> Inherit from PKQuery instead (don't forget to add "has_output =
> output.standard_entry").

Previously you didn't want to use LDAPQuery because of semantics 
reasons. Is PKQuery fine semantically? Why not use LDAPQuery since vault 
is an LDAPObject? And to be consistent should vault_retrieve_internal 
inherit from the same class?

> BTW the correct solution would be to have a separate object and commands
> for vault data (e.g. vaultdata object, vault_archive -> vaultdata_mod,
> vault_retrieve -> vauldata_show), then we wouldn't have to deal with
> mixing vault attributes with vault data and could use proper crud base
> classes.

-- 
Endi S. Dewata

More information about the Freeipa-devel mailing list