encrypt: use pkeyutl

When using encrypt with openssl >= 3 we get a warning put out on stderr that the rsautl tool is deprecated. This switches to the equivalent encryption using pkeyutl. This has been around since ~0.9.8 (2009) so I think we're fine using it unconditionally. Change-Id: Ia1983c33eae363492da51b8e88b8d7ae64c40987
2023-03-29 14:23:23 +11:00 · 2023-03-29 14:23:23 +11:00 · 3263c10b56
commit 3263c10b56
parent 69ef76bec6
1 changed files with 8 additions and 3 deletions
--- a/zuulclient/utils/init.py
+++ b/zuulclient/utils/init.py
@ -77,9 +77,14 @@ def encrypt_with_openssl(pubkey_path, plaintext, logger=None):
            'Input plaintext length: {} bytes'.format(len(plaintext)))
        logger.info('Number of chunks: {}'.format(chunks))

-    cmd = ['openssl', 'rsautl', '-encrypt',
-           '-oaep', '-pubin', '-inkey',
-           pubkey_path]
+    # NOTE(ianw) 2023-03-29 : previously this used the deprecated
+    # rsautl tool, which hardcoded sha1 as the oaep hash; so zuul
+    # assumes that on decryption.  Be careful modifying it.
+    cmd = ['openssl', 'pkeyutl', '-encrypt', '-pubin',
+           '-inkey', pubkey_path,
+           '-pkeyopt', 'rsa_padding_mode:oaep',
+           '-pkeyopt', 'rsa_oaep_md:sha1']
+
    if logger:
        logger.debug('Invoking "%s" with each data chunk:' % ' '.join(cmd))
    for count in range(chunks):