No RSA passphrase. Bootstrap adjusted.

NBISweden · Jan 22, 2018 · 1ae2832 · 1ae2832
1 parent 32c0682
commit 1ae2832
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 14 deletions.
diff --git a/deployments/docker/bootstrap/instance.sh b/deployments/docker/bootstrap/instance.sh
@@ -53,8 +53,8 @@ ${GPG_CONF} --kill gpg-agent
 #########################################################################
 
 echomsg "\t* the RSA public and private key"
-${OPENSSL} genrsa -out ${PRIVATE}/${INSTANCE}/rsa/ega.sec -passout pass:${RSA_PASSPHRASE} 2048
-${OPENSSL} rsa -in ${PRIVATE}/${INSTANCE}/rsa/ega.sec -passin pass:${RSA_PASSPHRASE} -pubout -out ${PRIVATE}/${INSTANCE}/rsa/ega.pub
+${OPENSSL} genpkey -algorithm RSA -out ${PRIVATE}/${INSTANCE}/rsa/ega.sec -pkeyopt rsa_keygen_bits:2048
+${OPENSSL} rsa -pubout -in ${PRIVATE}/${INSTANCE}/rsa/ega.sec -out ${PRIVATE}/${INSTANCE}/rsa/ega.pub
 
 #########################################################################
 
@@ -71,7 +71,6 @@ active_master_key = 1
 [master.key.1]
 seckey = /etc/ega/rsa/sec.pem
 pubkey = /etc/ega/rsa/pub.pem
-passphrase = ${RSA_PASSPHRASE}
 EOF
 
 echomsg "\t* ega.conf"
@@ -341,7 +340,6 @@ GPG_PASSPHRASE            = ${GPG_PASSPHRASE}
 GPG_NAME                  = ${GPG_NAME}
 GPG_COMMENT               = ${GPG_COMMENT}
 GPG_EMAIL                 = ${GPG_EMAIL}
-RSA_PASSPHRASE            = ${RSA_PASSPHRASE}
 SSL_SUBJ                  = ${SSL_SUBJ}
 #
 DB_USER                   = ${DB_USER}

diff --git a/deployments/docker/bootstrap/settings/fin1 b/deployments/docker/bootstrap/settings/fin1
@@ -17,8 +17,6 @@ DB_TRY=30
 GPG_NAME="EGA Finland"
 GPG_COMMENT="@CSC"
 GPG_EMAIL="[email protected]"
-
 GPG_PASSPHRASE=$(generate_password 16)
-RSA_PASSPHRASE=$(generate_password 16)
 
 LOG_LEVEL=INFO
diff --git a/deployments/docker/bootstrap/settings/swe1 b/deployments/docker/bootstrap/settings/swe1
@@ -17,8 +17,6 @@ DB_TRY=30
 GPG_NAME="EGA Sweden"
 GPG_COMMENT="@NBIS"
 GPG_EMAIL="[email protected]"
-
 GPG_PASSPHRASE=$(generate_password 16)
-RSA_PASSPHRASE=$(generate_password 16)
 
 LOG_LEVEL=DEBUG
diff --git a/lega/keyserver.py b/lega/keyserver.py
@@ -18,8 +18,7 @@
 PGP_PASSPHRASE    = b'3'
 MASTER_SECKEY     = b'4'
 MASTER_PUBKEY     = b'5'
-MASTER_PASSPHRASE = b'6'
-ACTIVE_MASTER_KEY = b'7'
+ACTIVE_MASTER_KEY = b'6'
 
 # For the match, we turn that off
 ssl.match_hostname = lambda cert, hostname: True
@@ -81,15 +80,13 @@ def main(args=None):
     active_master_key = KEYS.getint('DEFAULT','active_master_key')
     master_seckey = get_file_content(KEYS.get(f'master.key.{active_master_key}','seckey'))
     master_pubkey = get_file_content(KEYS.get(f'master.key.{active_master_key}','pubkey'))
-    master_passphrase = (KEYS.get(f'master.key.{active_master_key}','passphrase')).encode()
 
     secrets = {
         # PGP_SECKEY        : pgp_seckey,
         # PGP_PUBKEY        : pgp_pubkey,
         # PGP_PASSPHRASE    : pgp_passphrase,
         MASTER_SECKEY     : master_seckey,
         MASTER_PUBKEY     : master_pubkey,
-        MASTER_PASSPHRASE : master_passphrase,
         ACTIVE_MASTER_KEY : str(active_master_key).encode(),
     }
 

diff --git a/lega/utils/crypto.py b/lega/utils/crypto.py
@@ -19,6 +19,7 @@
 from Cryptodome.PublicKey import RSA
 from Cryptodome.Random import get_random_bytes
 from Cryptodome.Cipher import AES, PKCS1_OAEP
+from Cryptodome.Hash import SHA256
 
 from . import exceptions, checksum, get_file_content
 
@@ -54,8 +55,8 @@ def encrypt_engine(key,passphrase=None):
     aes = AES.new(key=session_key, mode=AES.MODE_CTR)
 
     LOG.info('Creating RSA cypher')
-    rsa_key = RSA.import_key(key, passphrase = passphrase)
-    rsa = PKCS1_OAEP.new(rsa_key)
+    rsa_key = RSA.import_key(key)
+    rsa = PKCS1_OAEP.new(rsa_key, hashAlgo = SHA256)
 
     encryption_key = rsa.encrypt(session_key)
     LOG.debug(f'\tencryption key = {encryption_key}')