Create ed25519 key files with secure permissions to avoid risk of insecure chmode call/race condition (LP: #2017430)

2023-04-30 09:25:28 -04:00
parent 2fc00b0218
commit 810d543085
2 changed files with 6 additions and 1 deletions
@@ -64,10 +64,12 @@ def GenEd25519Keys(private_key_file, verbose=True):
    if verbose:
        eprint('generating ' + private_key_file)
    priv_key = skg.generate()
+    if os.name == 'posix':
+        old_umask = os.umask(0o077)
    with open(private_key_file, 'w') as pkf:
        pkf.write(priv_key.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8"))
    if os.name == 'posix':
-        os.chmod(private_key_file, 0o600)
+        os.umask(old_umask)
    return(priv_key)

 def ExtractRSADnsPublicKey(private_key_file, dns_file, verbose=True):