From 3263c10b561ae1c471e13d2970c669cfc77e7c4f Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Wed, 29 Mar 2023 14:23:23 +1100
Subject: [PATCH] encrypt: use pkeyutl

When using encrypt with openssl >= 3 we get a warning put out on stderr that the rsautl tool is deprecated. This switches to the equivalent encryption using pkeyutl. This has been around since ~0.9.8 (2009) so I think we're fine using it unconditionally.

Change-Id: Ia1983c33eae363492da51b8e88b8d7ae64c40987
---
 zuulclient/utils/__init__.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/zuulclient/utils/__init__.py b/zuulclient/utils/__init__.py
index acefc34..6de2d71 100644
--- a/zuulclient/utils/__init__.py
+++ b/zuulclient/utils/__init__.py
@@ -77,9 +77,14 @@ def encrypt_with_openssl(pubkey_path, plaintext, logger=None):
 'Input plaintext length: {} bytes'.format(len(plaintext)))
 logger.info('Number of chunks: {}'.format(chunks))
 
- cmd = ['openssl', 'rsautl', '-encrypt', '-oaep', '-pubin', '-inkey', pubkey_path]
+ # NOTE(ianw) 2023-03-29 : previously this used the deprecated
+ # rsautl tool, which hardcoded sha1 as the oaep hash; so zuul
+ # assumes that on decryption. Be careful modifying it.
+ cmd = ['openssl', 'pkeyutl', '-encrypt', '-pubin', '-inkey', pubkey_path, '-pkeyopt', 'rsa_padding_mode:oaep', '-pkeyopt', 'rsa_oaep_md:sha1']
+
 if logger:
 logger.debug('Invoking "%s" with each data chunk:' % ' '.join(cmd))
 for count in range(chunks):
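Review bot: The new cmd pins the OAEP digest with `rsa_oaep_md:sha1` but leaves the MGF1 digest to OpenSSL's default, which currently follows the OAEP digest; pinning it explicitly with an extra `'-pkeyopt', 'rsa_mgf1_md:sha1'` keeps the ciphertext format that zuul decrypts independent of that library default. The NOTE should also state why SHA-1 is acceptable here — OAEP relies on the hash as a mask generator, not on collision resistance — so the next reader does not "upgrade" it to sha256 and silently break decryption on the zuul side. If the chunk size computed earlier in encrypt_with_openssl is derived from the key size minus the OAEP overhead, as the chunk logging in the context lines suggests, that overhead (2*20+2 = 42 bytes for SHA-1) is tied to the same digest choice and deserves a mention in the comment. The enclosing function starts and ends outside the hunk.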