Went into that rabbit hole... The following seems to work (user
vault, standard type):
1. Obtain the vault config via vaultconfig_show/1. It will give me the
transport key and all the supported wrapping algorithms.
2. Focusing on aes-128-cbc first. Generate a 16-byte session key,
encrypt it with the transport key and send it via
vault_retrieve_internal/1.
3. Get the nonce and encrypted data, decode them from base64, create a CBC block
mode of AES and decode the data with our session key. Unpad the result.
4. The result seems to be in {"data": base64encoded } format.
Would it be reasonable to assume aes-128-cbc is supported by most installations?
On Wed, Dec 18, 2024 at 10:14 PM Alexander Bokovoy <[email protected]> wrote:
>
> On Wed, 18 Dec 2024, Yuriy Halytskyy via FreeIPA-users wrote:
> >Hi,
> >
> >I am trying to retrieve user vault contents using api. Based on "ipa
> >vault-retrieve" command trace it looks like I need to use
> >vault_retrieve_internal/1 call and pass it a session key encrypted
> >with KRA transport public key. Where can I find that public key?
>
> You have to implement what is implemented in ipaclient/plugins/vault.py.
> Vault commands require non-trivial client-side preparation.
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
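The four client-side steps described in the message above, as an added example that is not code from the thread or from ipaclient/plugins/vault.py. The JSON-RPC calls (vaultconfig_show, vault_retrieve_internal) are left out; instead the KRA side is simulated locally with a constructed RSA key so the round trip runs offline. Two details are assumptions to verify against vault.py on your installation: the session key is wrapped with RSA PKCS#1 v1.5 to the transport certificate's public key, and the response carries the IV and ciphertext in fields named `nonce` and `vault_data`. Requires the `cryptography` package.

```python
"""FreeIPA vault retrieval, client-side wrapping for aes-128-cbc.

Added example (not the project's code). The KRA is simulated in-process.
"""
import base64
import json
import os

from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def make_session_key() -> bytes:
    """Step 2: a fresh 16-byte key for aes-128-cbc, new for every retrieval."""
    return os.urandom(16)


def wrap_session_key(session_key: bytes, transport_public_key) -> bytes:
    """Step 2: encrypt the session key to the KRA transport public key.

    Assumption: RSA PKCS#1 v1.5 wrapping, as ipaclient does it; check vault.py.
    """
    return transport_public_key.encrypt(session_key, padding.PKCS1v15())


def unwrap_vault_data(session_key: bytes, nonce_b64: str, vault_data_b64: str) -> bytes:
    """Steps 3 and 4: base64-decode nonce (the IV) and ciphertext, AES-128-CBC
    decrypt with the session key, strip PKCS#7 padding, parse the JSON
    envelope and base64-decode its "data" field.

    Any padding or JSON error means the key or response is wrong; the
    exception propagates rather than returning partial data.
    """
    iv = base64.b64decode(nonce_b64)
    ciphertext = base64.b64decode(vault_data_b64)
    decryptor = Cipher(algorithms.AES(session_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = sym_padding.PKCS7(algorithms.AES.block_size).unpadder()
    plaintext = unpadder.update(padded) + unpadder.finalize()
    envelope = json.loads(plaintext.decode("utf-8"))
    return base64.b64decode(envelope["data"])


def simulated_kra_response(transport_private_key, wrapped_session_key: bytes,
                           secret: bytes) -> dict:
    """Constructed stand-in for the server side of vault_retrieve_internal:
    unwrap the session key with the transport private key, encrypt the
    {"data": base64} envelope under it with AES-128-CBC and a random IV.

    Assumption: field names "nonce" and "vault_data" as in the real response.
    """
    session_key = transport_private_key.decrypt(wrapped_session_key, padding.PKCS1v15())
    envelope = json.dumps({"data": base64.b64encode(secret).decode("ascii")}).encode("utf-8")
    iv = os.urandom(16)
    padder = sym_padding.PKCS7(algorithms.AES.block_size).padder()
    padded = padder.update(envelope) + padder.finalize()
    encryptor = Cipher(algorithms.AES(session_key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    return {
        "nonce": base64.b64encode(iv).decode("ascii"),
        "vault_data": base64.b64encode(ciphertext).decode("ascii"),
    }


def round_trip(secret: bytes) -> bytes:
    """Full client flow against the simulated KRA; returns the recovered secret."""
    # Constructed transport key; in practice this is the certificate's public
    # key returned by vaultconfig_show.
    transport_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session_key = make_session_key()
    wrapped = wrap_session_key(session_key, transport_key.public_key())
    response = simulated_kra_response(transport_key, wrapped, secret)
    return unwrap_vault_data(session_key, response["nonce"], response["vault_data"])


if __name__ == "__main__":
    print(round_trip(b"constructed vault secret"))
```

In a real client, replace the simulated key with the transport certificate from vaultconfig_show and pass the wrapped key (base64-encoded) to vault_retrieve_internal; everything after the response is the same code path.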