oVirt · michalskrivanek · Sep 27, 2022 · Sep 22, 2022 · Sep 27, 2022
@@ -151,11 +151,13 @@ public static String encrypt(String source) throws GeneralSecurityException {
         if (source == null || source.length() == 0) {
             return source;
         } else {
-            Cipher rsa = Cipher.getInstance("RSA");
+            String encrypted = "$";
+            Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
             rsa.init(Cipher.ENCRYPT_MODE, getCertificate().getPublicKey());
-            return new Base64(0).encodeToString(
+            encrypted += new Base64(0).encodeToString(
                 rsa.doFinal(source.getBytes(StandardCharsets.UTF_8))
             );
+            return encrypted;
         }
     }
 
@@ -170,7 +172,14 @@ public static String decrypt(String source) throws GeneralSecurityException {
         if (source == null || source.length() == 0) {
             return source;
         } else {
-            Cipher rsa = Cipher.getInstance("RSA");
+            String cipherString = "RSA";
+
+            if (source.charAt(0) == '$') {
+                cipherString = "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING";
+                source = source.substring(1);
+            }
+
+            Cipher rsa = Cipher.getInstance(cipherString);
             rsa.init(Cipher.DECRYPT_MODE, getPrivateKeyEntry().getPrivateKey());
             return new String(
                 rsa.doFinal(new Base64().decode(source)),

@@ -37,6 +37,20 @@ public void testEncrypt() throws Exception {
         assertEquals(plain, plain2);
     }
 
+    @Test
+    public void testDecryptLegacyPKCS1Padding() throws Exception {
+        String plain = "Test123!32@";
+        String encrypted = "Qqvu8XdQUQpXI4NRElDcgg+kcL9aFuN/ypbLacLNxZvOgBzMumg" +
+                           "yx8WcZZIHHuKBXpBgrIjoNiZ1Xa4NxG5PBtwrWVc1aw5Ax59m3u" +
+                           "AN46O4wtz2hNAQTjIHAPvAiXqxwZAeeX7+FxqNsDso4UofujCoT" +
+                           "X/crOpNZmBTm7Y4TIsQ4oYiM2J2viGgK6GlvnpIfI5L6vKzXA/k" +
+                           "nq3ht5h8bPipNJmDMY7xD3HBf9Dac5SPV/A20ouL62CISmXexyp" +
+                           "YxKhRCur7KPWFk86o2h9L0wKQDYr7VxJ9fEi6ciPWtXZUqxnftu" +
+                           "E/Zb6XqnQK/M+cb2k26mDRhPqBL332rz4Hvg==";
+        String plain2 = EngineEncryptionUtils.decrypt(encrypted);
+        assertEquals(plain, plain2);
+    }
+
     @Test
     public void testEncryptThreads() throws Exception {
         List<Thread> l = new LinkedList<>();

@@ -23,6 +23,7 @@
 from collections import namedtuple
 
 from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import padding
 
@@ -404,10 +405,9 @@ def _getRSA():
 
         encrypted_password = _getRSA().public_key().encrypt(
             password.encode(),
-            # TODO replace PKCS1v15 with PSS if/when we know we do not
-            # need m2crypto compatibility. Would likely require changes
-            # also in the engine and in the ovn provider.
-            padding=padding.PKCS1v15(),
+            padding=padding.OAEP(
+                padding.MGF1(hashes.SHA256()), hashes.SHA256(), None
+            ),
         )
         return base64.b64encode(encrypted_password)