ipatests : local ca is not generated under fips #6112
2ba6e53 to 7327a66
Please change the commit message with a ticket number, not a bz link.
Please explain what the expected behavior is in the commit message and what the previous, buggy behavior was.
7327a66 to d30a20e
I have updated the commit message. As for the ticket link, all I could find was https://pagure.io/certmonger/pull-request/198; I could not find a ticket. @rcritten, is there a Pagure ticket link for this fix?
c893a16 to 598a4e5
to generate the PKCS12 object used for the local CA.
This uses operations that are disallowed under fips,
and so the local ca pkcs12 creds file is not generated.

Earlier /var/lib/certmonger/local/creds was not generated
With the fix /var/lib/certmonger/local/creds is generated with AES-128-CBC algorithm for both key and cert

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
598a4e5 to 9fb6ada
I think I can address automation directly in certmonger rather than in IPA. Let me see what is involved.
Here is my proposal to fix this in the certmonger unit tests, https://pagure.io/certmonger/pull-request/232
I don't mind including it in certmonger repo itself. Is it tested as part of freeipa CI?
No, but the problem doesn't apply to IPA which doesn't use the local CA helper.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed as stale it has not had recent activity.
Certmonger uses default OpenSSL encryption algorithms
to generate the PKCS12 object used for the local CA.
This uses operations that are disallowed under fips,
and so the local ca pkcs12 creds file is not generated.
Bugzilla Link: https://bugzilla.redhat.com/show_bug.cgi?id=1950132
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
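The commit message in this thread expects `/var/lib/certmonger/local/creds` to be protected with AES-128-CBC for both key and cert. The sketch below is an added example, not code from this pull request or from certmonger: it classifies the text printed by `openssl pkcs12 -info -noout` for such a file. The function names are hypothetical, and the two sample outputs are constructed rather than captured from a real host.

```python
import re

# Cipher the commit message expects for the local CA creds file.
EXPECTED = "AES-128-CBC"

# Constructed samples of `openssl pkcs12 -info -noout` output (assumption:
# not captured from a certmonger host; layout follows the openssl CLI).
LEGACY_INFO = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""
FIXED_INFO = """\
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256
"""

BAG_RE = re.compile(r"^(PKCS7 Encrypted data|Shrouded Keybag): (.+)$", re.M)


def bag_ciphers(info_text):
    """Map 'cert' / 'key' to the cipher named on that bag's info line."""
    ciphers = {}
    for label, params in BAG_RE.findall(info_text):
        fields = [f.strip() for f in params.split(",")]
        # PBES2 lines read "PBES2, PBKDF2, <cipher>, ..."; legacy PKCS#12 PBE
        # lines carry one name such as pbeWithSHA1And40BitRC2-CBC.
        cipher = fields[2] if fields[0] == "PBES2" and len(fields) > 2 else fields[0]
        ciphers["cert" if label.startswith("PKCS7") else "key"] = cipher
    return ciphers


def creds_use_expected_cipher(info_text):
    """True only if both the cert bag and the key bag use AES-128-CBC."""
    found = bag_ciphers(info_text)
    # A bag stored unencrypted has no cipher line, so .get() returns None.
    return found.get("cert") == EXPECTED and found.get("key") == EXPECTED


if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_INFO), ("fixed", FIXED_INFO)):
        print(name, bag_ciphers(text), creds_use_expected_cipher(text))
```
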