
ipatests : local ca is not generated under fips #6112

Closed

Conversation

ssidhaye

Certmonger uses default OpenSSL encryption algorithms
to generate the PKCS12 object used for the local CA.
This uses operations that are disallowed under fips,
and so the local ca pkcs12 creds file is not generated.

Bugzilla Link: https://bugzilla.redhat.com/show_bug.cgi?id=1950132

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>


@fcami fcami left a comment


Please change the commit message with a ticket number, not a bz link.
Please explain what the expected behavior is in the commit message and what the previous, buggy behavior was.

@fcami fcami added ipa-4-9 Mark for backport to ipa 4.9 WIP Work in progress - not ready yet for review labels Nov 26, 2021
@ssidhaye

I have updated the commit message. As for the ticket link, all I could find was https://pagure.io/certmonger/pull-request/198; I could not find a ticket. @rcritten is there a pagure ticket link for this fix?

@ssidhaye ssidhaye added the re-run Trigger a new run of PR-CI label Nov 26, 2021
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Nov 26, 2021
@ssidhaye ssidhaye force-pushed the local-ca-gen-fips-bz1950132 branch 5 times, most recently from c893a16 to 598a4e5 on November 29, 2021 11:06
@ssidhaye ssidhaye added the re-run Trigger a new run of PR-CI label Nov 29, 2021
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Nov 29, 2021
to generate the PKCS12 object used for the local CA.
This uses operations that are disallowed under fips,
and so the local ca pkcs12 creds file is not generated.

Earlier /var/lib/certmonger/local/creds was not generated

With the fix /var/lib/certmonger/local/creds is generated with
AES-128-CBC algorithm for both key and cert

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
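The commit message above describes the fix as exporting the local CA creds with AES-128-CBC for both key and cert instead of OpenSSL's default PKCS12 PBE (RC2-40-CBC for certs and 3DES for keys on OpenSSL 1.x, both rejected in FIPS mode). The following is an added example, not certmonger's or FreeIPA's own code: it builds a throwaway local-CA style PKCS12 bundle with the explicit FIPS-approved algorithms and then inspects an existing bundle to tell whether it was built with legacy PBE. It assumes only the `openssl` CLI; the CN, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not certmonger's or FreeIPA's code). Requires the openssl CLI.
set -u

# Generate a self-signed CA key/cert and export them into a PKCS12 file using
# only FIPS-approved algorithms: AES-128-CBC for the key PBE and the cert PBE
# (as the fix does) and SHA-256 for the integrity MAC. Leaving -keypbe/-certpbe
# out falls back to OpenSSL's defaults, which on 1.x are RC2-40 and 3DES.
# Args: key.pem cert.pem out.p12 password
make_fips_creds() {
    key=$1; cert=$2; out=$3; pw=$4
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-local-ca" -keyout "$key" -out "$cert" 2>/dev/null \
        || return 1
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -passout "pass:$pw" \
        -keypbe AES-128-CBC -certpbe AES-128-CBC -macalg sha256 2>/dev/null
}

# Print the PBE and MAC algorithms a PKCS12 file was built with. The openssl
# -info report is written to stderr, so it is merged into stdout here.
# Args: file.p12 password
pkcs12_pbe_summary() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 \
        | grep -E 'MAC|Encrypted data|Keybag'
}

# Return 0 only if the bundle uses AES everywhere and no RC2/DES PBE appears,
# i.e. it would still load once FIPS mode is enforced. Useful as a check on a
# creds file such as /var/lib/certmonger/local/creds before switching to FIPS.
# Args: file.p12 password
pkcs12_is_fips_safe() {
    summary=$(pkcs12_pbe_summary "$1" "$2") || return 1
    printf '%s\n' "$summary" | grep -Eqi 'RC2|DES' && return 1
    printf '%s\n' "$summary" | grep -q 'AES-'
}
```

Running `pkcs12_is_fips_safe` against a bundle made with OpenSSL 1.x defaults reports the RC2/3DES bags and returns non-zero, which is the same condition that left the creds file ungenerated under FIPS.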
@rcritten

I think I can address automation directly in certmonger rather than in IPA. Let me see what is involved.

@rcritten

Here is my proposal to fix this in the certmonger unit tests, https://pagure.io/certmonger/pull-request/232

@ssidhaye

I don't mind including it in the certmonger repo itself. Is it tested as part of freeipa CI?

@rcritten

No but the problem doesn't apply to IPA which doesn't use the local CA helper.

@stale

stale bot commented Jan 30, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Stale PR [Bot] label Jan 30, 2022
@stale

stale bot commented Feb 13, 2022

This issue has been automatically closed as stale because it has not had recent activity.

@stale stale bot closed this Feb 13, 2022