From e6b3bc8410b804e5840095e91aeed8b284feab16 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 28 Apr 2021 10:37:59 -0400
Subject: [PATCH] Fix local CA to work under FIPS
This patch was provided upstream by the OpenStack team for TLS-Everywhere support. This changes the ciphers used when creating PKCS#12 files. Resolves: #1954618
---
 0001-Fix-local-CA-to-work-under-FIPS.patch | 38 ++++++++++++++++++++++
 certmonger.spec | 7 +++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 0001-Fix-local-CA-to-work-under-FIPS.patch
diff --git a/0001-Fix-local-CA-to-work-under-FIPS.patch b/0001-Fix-local-CA-to-work-under-FIPS.patch
new file mode 100644
index 0000000..7f90105
--- /dev/null
+++ b/0001-Fix-local-CA-to-work-under-FIPS.patch
@@ -0,0 +1,38 @@
+From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
+From: Ade Lee
+Date: Wed, 14 Apr 2021 15:34:48 -0400
+Subject: [PATCH] Fix local CA to work under FIPS
+
+The PKCS12 file used for the local CA fails to be created because
+it uses default OpenSSL encryption algorithms that are disallowed
+under FIPS. This patch simply updates the PKCS12_create() command
+to use allowed encryption algorithms.
+---
+ src/local.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/local.c b/src/local.c
+index 92bea144..2f50ac77 100644
+--- a/src/local.c
++++ b/src/local.c
+@@ -39,6 +39,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
+ return CM_SUBMIT_STATUS_UNREACHABLE;
+ }
+ p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
+- cas, 0, 0, 0, 0, 0);
++ cas, NID_aes_128_cbc, NID_aes_128_cbc,
++ 0, 0, 0);
+ if (p12 != NULL) {
+ if (!i2d_PKCS12_fp(fp, p12)) {
+ fclose(fp);
+--
+2.26.3
+
diff --git a/certmonger.spec b/certmonger.spec
index fc25e40..e0855f2 100644
--- a/certmonger.spec
+++ b/certmonger.spec
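Review bot: The new PKCS12_create() call changes only the key and certificate encryption NIDs; mac_iter is still 0, so the file's integrity MAC is still produced with PKCS12_create's default digest (historically SHA-1 through the PKCS#12 KDF), which some FIPS modules also reject, so "works under FIPS" should be confirmed by exercising this code path with FIPS mode enabled rather than by inspection. Note also that the passphrase argument is NULL, so the switch to AES-128-CBC is a compliance change rather than a confidentiality one: protection of the signer key on disk still rests entirely on the permissions of the file fp was opened with, which are outside this hunk. The header name on the added `#include` line was lost in extraction, so which header supplies NID_aes_128_cbc cannot be checked from this page. get_signer_info() begins and ends outside the hunk.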
@@ -28,7 +28,7 @@
 Name: certmonger
 Version: 0.79.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Certificate status monitor and PKI enrollment client
 License: GPLv3+
@@ -36,6 +36,8 @@
 URL: http://pagure.io/certmonger/
 Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 #Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
+Patch: 0001-Fix-local-CA-to-work-under-FIPS.patch
+
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: gettext-devel
@@ -263,6 +265,9 @@
 exit 0
 %endif
 %changelog
+* Wed Apr 28 2021 Rob Crittenden - 0.79.13-4
+- Fix local CA to work under FIPS (#1954618)
+
 * Thu Apr 15 2021 Mohan Boddu - 0.79.13-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
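Review bot: The `Patch:` tag added after Source1 is unnumbered, and whether it is actually applied depends on the %prep section, which is outside this page: an unnumbered `Patch:` is picked up by `%autosetup`/`%autopatch` but not by an explicit `%patch0 -p1` style %prep. Worth confirming in the build log that src/local.c is really patched, since a silently unapplied patch would leave the release bump and changelog entry claiming a FIPS fix that is not in the built package.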