rpms/certmonger
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix local CA to work under FIPS

Browse Source 
This patch was provided upstream by the OpenStack team for
TLS-Everywhere support.

This changes the ciphers used when creating PKCS#12 files.

Resolves: #1954618
This commit is contained in:
Rob Crittenden 2021-04-28 10:37:59 -04:00
parent 6c384f9807
commit e6b3bc8410
2 changed files with 44 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0001-Fix-local-CA-to-work-under-FIPS.patch Normal file
View File

@ -0,0 +1,38 @@
From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 14 Apr 2021 15:34:48 -0400
Subject: [PATCH] Fix local CA to work under FIPS
The PKCS12 file used for the local CA fails to be created because
it uses default OpenSSL encryption algorithms that are disallowed
under FIPS. This patch simply updates the PKCS12_create() command
to use allowed encryption algorithms.
---
src/local.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/local.c b/src/local.c
index 92bea144..2f50ac77 100644
--- a/src/local.c
+++ b/src/local.c
@@ -39,6 +39,7 @@
#include <openssl/asn1.h>
#include <openssl/err.h>
+#include <openssl/obj_mac.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/rand.h>
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
return CM_SUBMIT_STATUS_UNREACHABLE;
}
p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
- cas, 0, 0, 0, 0, 0);
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
+ 0, 0, 0);
if (p12 != NULL) {
if (!i2d_PKCS12_fp(fp, p12)) {
fclose(fp);
--
2.26.3

7
certmonger.spec
View File

@ -28,7 +28,7 @@
Name: certmonger Name: certmonger
Version: 0.79.13 Version: 0.79.13
Release: 3%{?dist} Release: 4%{?dist}
Summary: Certificate status monitor and PKI enrollment client Summary: Certificate status monitor and PKI enrollment client
License: GPLv3+ License: GPLv3+
@ -36,6 +36,8 @@ URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig #Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
Patch: 0001-Fix-local-CA-to-work-under-FIPS.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: gettext-devel BuildRequires: gettext-devel
@ -263,6 +265,9 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
- Fix local CA to work under FIPS (#1954618)
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.13-3 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.79.13-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937