ipa/0011-Custodia-in-fips-mode-add-nomac-or-nomacver-to-opens.patch

From c96d172d7d2e87513d9bd51a98591858e1f88def Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 5 Sep 2024 14:52:26 +0200
Subject: [PATCH] Custodia: in fips mode add -nomac or -nomacver to openssl
 pkcs12

In FIPS mode the command openssl pkcs12 fails unless the
export is called with -nomac and import with -nomacver

The command is used by custodia to export private keys from the
master and import them in the replica.

Fixes: https://pagure.io/freeipa/issue/9577

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/secrets/handlers/pemfile.py | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index ad36bd02008ff068fa7e237dd9653e31f7ac7d85..006d351699f3086653c2e461fdcb8afb53eea281 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -8,6 +8,7 @@ import json
 import os
 
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
 from ipapython import ipautil
 from . import common
 
@@ -25,7 +26,7 @@ def export_key(args, tmpdir):
         f.write(password)
 
     # OpenSSL does not support pkcs12 export of a cert without key
-    ipautil.run([
+    cmd = [
         paths.OPENSSL, 'pkcs12', '-export',
         '-in', args.certfile,
         '-out', pk12file,
@@ -34,7 +35,13 @@ def export_key(args, tmpdir):
         '-keypbe', 'AES-256-CBC',
         '-certpbe', 'AES-256-CBC',
         '-macalg', 'sha384',
-    ])
+    ]
+
+    fips_enabled = tasks.is_fips_enabled()
+    if fips_enabled:
+        cmd.append('-nomac')
+
+    ipautil.run(cmd)
 
     with open(pk12file, 'rb') as f:
         p12data = f.read()
@@ -69,6 +76,11 @@ def import_key(args, tmpdir):
         '-out', args.certfile,
         '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
     ]
+
+    fips_enabled = tasks.is_fips_enabled()
+    if fips_enabled:
+        cmd.append('-nomacver')
+
     ipautil.run(cmd, umask=0o027)
 
     # get the private key from the file
@@ -79,6 +91,10 @@ def import_key(args, tmpdir):
         '-out', args.keyfile,
         '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
     ]
+
+    if fips_enabled:
+        cmd.append('-nomacver')
+
     ipautil.run(cmd, umask=0o027)
 
 
-- 
2.46.0
ipa-4.12.2.2 - Resolves: RHEL-47294 SID generation task is failing when SELinux is in Enforcing mode - Resolves: RHEL-56472 Include latest fixes in python3-ipatests packages - Resolves: RHEL-56917 RFE add a tool to quickly detect and fix issues with IPA ID ranges - Resolves: RHEL-56965 Backport test fixes in python3-ipatests - Resolves: RHEL-58067 ipa replication installation fails in FIPS mode on rhel10 - Resolves: RHEL-59265 Default hbac rules are duplicated on remote server post ipa-migrate in prod-mode - Resolves: RHEL-59266 Also enable SSSD's ssh service when enabling sss_ssh_knownhosts Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-09-18 09:23:26 +00:00			`From c96d172d7d2e87513d9bd51a98591858e1f88def Mon Sep 17 00:00:00 2001`
			`From: Florence Blanc-Renaud <flo@redhat.com>`
			`Date: Thu, 5 Sep 2024 14:52:26 +0200`
			`Subject: [PATCH] Custodia: in fips mode add -nomac or -nomacver to openssl`
			`pkcs12`

			`In FIPS mode the command openssl pkcs12 fails unless the`
			`export is called with -nomac and import with -nomacver`

			`The command is used by custodia to export private keys from the`
			`master and import them in the replica.`

			`Fixes: https://pagure.io/freeipa/issue/9577`

			`Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>`
			`Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>`
			`---`
			`ipaserver/secrets/handlers/pemfile.py \| 20 ++++++++++++++++++--`
			`1 file changed, 18 insertions(+), 2 deletions(-)`

			`diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py`
			`index ad36bd02008ff068fa7e237dd9653e31f7ac7d85..006d351699f3086653c2e461fdcb8afb53eea281 100644`
			`--- a/ipaserver/secrets/handlers/pemfile.py`
			`+++ b/ipaserver/secrets/handlers/pemfile.py`
			`@@ -8,6 +8,7 @@ import json`
			`import os`

			`from ipaplatform.paths import paths`
			`+from ipaplatform.tasks import tasks`
			`from ipapython import ipautil`
			`from . import common`

			`@@ -25,7 +26,7 @@ def export_key(args, tmpdir):`
			`f.write(password)`

			`# OpenSSL does not support pkcs12 export of a cert without key`
			`- ipautil.run([`
			`+ cmd = [`
			`paths.OPENSSL, 'pkcs12', '-export',`
			`'-in', args.certfile,`
			`'-out', pk12file,`
			`@@ -34,7 +35,13 @@ def export_key(args, tmpdir):`
			`'-keypbe', 'AES-256-CBC',`
			`'-certpbe', 'AES-256-CBC',`
			`'-macalg', 'sha384',`
			`- ])`
			`+ ]`
			`+`
			`+ fips_enabled = tasks.is_fips_enabled()`
			`+ if fips_enabled:`
			`+ cmd.append('-nomac')`
			`+`
			`+ ipautil.run(cmd)`

			`with open(pk12file, 'rb') as f:`
			`p12data = f.read()`
			`@@ -69,6 +76,11 @@ def import_key(args, tmpdir):`
			`'-out', args.certfile,`
			`'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),`
			`]`
			`+`
			`+ fips_enabled = tasks.is_fips_enabled()`
			`+ if fips_enabled:`
			`+ cmd.append('-nomacver')`
			`+`
			`ipautil.run(cmd, umask=0o027)`

			`# get the private key from the file`
			`@@ -79,6 +91,10 @@ def import_key(args, tmpdir):`
			`'-out', args.keyfile,`
			`'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),`
			`]`
			`+`
			`+ if fips_enabled:`
			`+ cmd.append('-nomacver')`
			`+`
			`ipautil.run(cmd, umask=0o027)`


			`--`
			`2.46.0`