encrypt: use pkeyutl

When using encrypt with openssl >= 3 we get a warning put out on
stderr that the rsautl tool is deprecated.  This switches to the
equivalent encryption using pkeyutl.  This has been around since
~0.9.8 (2009) so I think we're fine using it unconditionally.

Change-Id: Ia1983c33eae363492da51b8e88b8d7ae64c40987
This commit is contained in:
Ian Wienand 2023-03-29 14:23:23 +11:00
parent 69ef76bec6
commit 3263c10b56
No known key found for this signature in database

View File

@ -77,9 +77,14 @@ def encrypt_with_openssl(pubkey_path, plaintext, logger=None):
'Input plaintext length: {} bytes'.format(len(plaintext))) 'Input plaintext length: {} bytes'.format(len(plaintext)))
logger.info('Number of chunks: {}'.format(chunks)) logger.info('Number of chunks: {}'.format(chunks))
cmd = ['openssl', 'rsautl', '-encrypt', # NOTE(ianw) 2023-03-29 : previously this used the deprecated
'-oaep', '-pubin', '-inkey', # rsautl tool, which hardcoded sha1 as the oaep hash; so zuul
pubkey_path] # assumes that on decryption. Be careful modifying it.
cmd = ['openssl', 'pkeyutl', '-encrypt', '-pubin',
'-inkey', pubkey_path,
'-pkeyopt', 'rsa_padding_mode:oaep',
'-pkeyopt', 'rsa_oaep_md:sha1']
if logger: if logger:
logger.debug('Invoking "%s" with each data chunk:' % ' '.join(cmd)) logger.debug('Invoking "%s" with each data chunk:' % ' '.join(cmd))
for count in range(chunks): for count in range(chunks):