DandelionNStuff/dkimpy-smtputf8
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create ed25519 key files with secure permissions to avoid risk of insecure chmode call/race condition (LP: #2017430)

Browse Source
This commit is contained in:
Scott Kitterman
2023-04-30 09:25:28 -04:00
parent 2fc00b0218
commit 810d543085
2 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ChangeLog
+3
View File
@@ -1,6 +1,9 @@
Version 1.1.3 Version 1.1.3
- Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how - Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
RSA key errors are treated (LP: #2018021) RSA key errors are treated (LP: #2018021)
- Create ed25519 key files with secure permissions to avoid risk of
insecure chmode call/race condition (Thanks to Hanno Böck for the report
and the suggested fix) (LP: #2017430)
2023-04-09 Version 1.1.2 2023-04-09 Version 1.1.2
- Verify correct AMS header is used for ARC seal verification (André Cruz) - Verify correct AMS header is used for ARC seal verification (André Cruz)
dkim/dknewkey.py
+3 -1
View File
@@ -64,10 +64,12 @@ def GenEd25519Keys(private_key_file, verbose=True):
if verbose: if verbose:
eprint('generating ' + private_key_file) eprint('generating ' + private_key_file)
priv_key = skg.generate() priv_key = skg.generate()
if os.name == 'posix':
old_umask = os.umask(0o077)
with open(private_key_file, 'w') as pkf: with open(private_key_file, 'w') as pkf:
pkf.write(priv_key.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8")) pkf.write(priv_key.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8"))
if os.name == 'posix': if os.name == 'posix':
os.chmod(private_key_file, 0o600) os.umask(old_umask)
return(priv_key) return(priv_key)
def ExtractRSADnsPublicKey(private_key_file, dns_file, verbose=True): def ExtractRSADnsPublicKey(private_key_file, dns_file, verbose=True):