Merge "encrypt: use pkeyutl"

zuulclient/utils/__init__.py

@@ -79,9 +79,14 @@ def encrypt_with_openssl(pubkey_path, plaintext, logger=None):
             'Input plaintext length: {} bytes'.format(len(plaintext)))
         logger.info('Number of chunks: {}'.format(chunks))
 
-    cmd = ['openssl', 'rsautl', '-encrypt',
-           '-oaep', '-pubin', '-inkey',
-           pubkey_path]
+    # NOTE(ianw) 2023-03-29 : previously this used the deprecated
+    # rsautl tool, which hardcoded sha1 as the oaep hash; so zuul
+    # assumes that on decryption.  Be careful modifying it.
+    cmd = ['openssl', 'pkeyutl', '-encrypt', '-pubin',
+           '-inkey', pubkey_path,
+           '-pkeyopt', 'rsa_padding_mode:oaep',
+           '-pkeyopt', 'rsa_oaep_md:sha1']
+
     if logger:
         logger.debug('Invoking "%s" with each data chunk:' % ' '.join(cmd))
     for count in range(chunks):