From c96d172d7d2e87513d9bd51a98591858e1f88def Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Thu, 5 Sep 2024 14:52:26 +0200
Subject: [PATCH] Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12

In FIPS mode the command openssl pkcs12 fails unless the export is called with -nomac and import with -nomacver The command is used by custodia to export private keys from the master and import them in the replica.

Fixes: https://pagure.io/freeipa/issue/9577
Signed-off-by: Florence Blanc-Renaud
Reviewed-By: Alexander Bokovoy
---
ipaserver/secrets/handlers/pemfile.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index ad36bd02008ff068fa7e237dd9653e31f7ac7d85..006d351699f3086653c2e461fdcb8afb53eea281 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -8,6 +8,7 @@ import json
 import os
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
 from ipapython import ipautil
 from . import common
@@ -25,7 +26,7 @@ def export_key(args, tmpdir):
 f.write(password)
 # OpenSSL does not support pkcs12 export of a cert without key
- ipautil.run([
+ cmd = [
 paths.OPENSSL, 'pkcs12', '-export',
 '-in', args.certfile,
 '-out', pk12file,
@@ -34,7 +35,13 @@ def export_key(args, tmpdir):
 '-keypbe', 'AES-256-CBC',
 '-certpbe', 'AES-256-CBC',
 '-macalg', 'sha384',
- ])
+ ]
+
+ fips_enabled = tasks.is_fips_enabled()
+ if fips_enabled:
+ cmd.append('-nomac')
+
+ ipautil.run(cmd)
 with open(pk12file, 'rb') as f:
 p12data = f.read()
@@ -69,6 +76,11 @@ def import_key(args, tmpdir):
 '-out', args.certfile,
 '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
 ]
+
+ fips_enabled = tasks.is_fips_enabled()
+ if fips_enabled:
+ cmd.append('-nomacver')
+
 ipautil.run(cmd, umask=0o027)
 # get the private key from the file
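Review bot: After `cmd.append('-nomac')` in the `@@ -34,7 +35,13 @@` hunk, the `'-macalg', 'sha384'` pair that stays in `cmd` a few lines above is ignored in FIPS mode, and nothing in the code says why the MAC is dropped or that the exported bundle then carries no integrity check of its own. I would state that next to the append, e.g. `# openssl pkcs12 cannot add the PKCS#12 MAC in FIPS mode (#9577); the bundle then has no MAC of its own, so its integrity rests on the channel that carries it to the replica.` Moving `'-macalg', 'sha384'` into the non-FIPS branch would make the two command lines explicit instead of relying on openssl to ignore the option. export_key's body starts before this hunk.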
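Review bot: `cmd.append('-nomacver')` in the `@@ -69,6 +76,11 @@` hunk makes the importing side skip the only integrity check openssl applies to a bundle that came from another host, and the same append is repeated for the key extraction in the `@@ -79,6 +91,10 @@` hunk; the reason belongs in a comment where `fips_enabled` is computed, e.g. `# FIPS mode cannot verify the PKCS#12 MAC (#9577); integrity of the bundle must come from the transport that delivered it, not from openssl.` The decision is taken from the importing host alone: a bundle exported by a FIPS master has no MAC at all, and on a non-FIPS replica this branch is skipped, so openssl is asked to verify a MAC that is not there — I would expect that to fail and would test the FIPS-master/non-FIPS-replica pairing before merging. The second hunk reuses the `fips_enabled` local defined here; both hunks sit inside import_key, whose body starts before `@@ -69` and continues after `@@ -79`.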
@@ -79,6 +91,10 @@ def import_key(args, tmpdir):
 '-out', args.keyfile,
 '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
 ]
+
+ if fips_enabled:
+ cmd.append('-nomacver')
+
 ipautil.run(cmd, umask=0o027)
--
2.46.0