5d90090676
- Resolves: RHEL-47294 SID generation task is failing when SELinux is in Enforcing mode - Resolves: RHEL-56472 Include latest fixes in python3-ipatests packages - Resolves: RHEL-56917 RFE add a tool to quickly detect and fix issues with IPA ID ranges - Resolves: RHEL-56965 Backport test fixes in python3-ipatests - Resolves: RHEL-58067 ipa replication installation fails in FIPS mode on rhel10 - Resolves: RHEL-59265 Default hbac rules are duplicated on remote server post ipa-migrate in prod-mode - Resolves: RHEL-59266 Also enable SSSD's ssh service when enabling sss_ssh_knownhosts Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From c96d172d7d2e87513d9bd51a98591858e1f88def Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 5 Sep 2024 14:52:26 +0200
Subject: [PATCH] Custodia: in fips mode add -nomac or -nomacver to openssl
pkcs12
In FIPS mode the command openssl pkcs12 fails unless the
export is called with -nomac and import with -nomacver
The command is used by custodia to export private keys from the
master and import them in the replica.
Fixes: https://pagure.io/freeipa/issue/9577
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/secrets/handlers/pemfile.py | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index ad36bd02008ff068fa7e237dd9653e31f7ac7d85..006d351699f3086653c2e461fdcb8afb53eea281 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -8,6 +8,7 @@ import json
import os
from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
from ipapython import ipautil
from . import common
@@ -25,7 +26,7 @@ def export_key(args, tmpdir):
f.write(password)
# OpenSSL does not support pkcs12 export of a cert without key
- ipautil.run([
+ cmd = [
paths.OPENSSL, 'pkcs12', '-export',
'-in', args.certfile,
'-out', pk12file,
@@ -34,7 +35,13 @@ def export_key(args, tmpdir):
'-keypbe', 'AES-256-CBC',
'-certpbe', 'AES-256-CBC',
'-macalg', 'sha384',
- ])
+ ]
+
+ fips_enabled = tasks.is_fips_enabled()
+ if fips_enabled:
+ cmd.append('-nomac')
+
+ ipautil.run(cmd)
with open(pk12file, 'rb') as f:
p12data = f.read()
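Review bot: Under FIPS the export now writes a PKCS#12 bundle with no MAC at all — `-nomac` is appended after the `'-macalg', 'sha384'` argument, which should then be ignored by openssl — so the file custodia hands to the replica carries no integrity tag, and nothing in the hunk records why that is acceptable. It is presumably fine because custodia already protects the bundle in its own exchange and the replica opens it with the shared password, but that reasoning is inferred from the commit message and should be confirmed; a maintainer reading `if fips_enabled:` sees only that a check was switched off. I would add above that line `# openssl pkcs12 -export fails in FIPS mode unless the MAC is skipped (freeipa #9577); integrity of the bundle in transit is custodia's job, not this file's` and either drop `'-macalg', 'sha384'` when `-nomac` is in effect or note that it is ignored. export_key's body starts before this hunk.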
@@ -69,6 +76,11 @@ def import_key(args, tmpdir):
'-out', args.certfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
]
+
+ fips_enabled = tasks.is_fips_enabled()
+ if fips_enabled:
+ cmd.append('-nomacver')
+
ipautil.run(cmd, umask=0o027)
# get the private key from the file
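Review bot: The `-nomacver` decision here is taken from the importing host's own `tasks.is_fips_enabled()`, while whether the bundle actually has a MAC was decided by the exporting master's FIPS state, and the two need not agree during a mixed upgrade. A FIPS master with a non-FIPS replica produces a MAC-less bundle that is imported without `-nomacver` (whether openssl then warns or refuses is not visible from here and should be checked), and a non-FIPS master with a FIPS replica produces a MAC that is never verified. At minimum that asymmetry deserves a comment above `if fips_enabled:`, e.g. `# NOTE: this mirrors -nomac on the master side only when both hosts share the same FIPS state; a mixed pair either skips a present MAC or imports a MAC-less bundle without this flag`. import_key's body starts before this hunk and continues after it.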
@@ -79,6 +91,10 @@ def import_key(args, tmpdir):
'-out', args.keyfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
]
+
+ if fips_enabled:
+ cmd.append('-nomacver')
+
ipautil.run(cmd, umask=0o027)
--
2.46.0