Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #37384 - properly pass fips=false when checking keystore #444

Merged
merged 1 commit into from
Apr 25, 2024
Merged

Fixes #37384 - properly pass fips=false when checking keystore #444

merged 1 commit into from
Apr 25, 2024

Conversation

evgeni
Copy link
Member

@evgeni evgeni commented Apr 25, 2024
edited
Loading

In a FIPS-enabled environment, calling keytool -list with a wrong password doesn't yield an error, unless we also pass fips=false like we do when creating the keystore:

# keytool -list -keystore ./store -storepass wrong-password
Keystore type: PKCS11
Keystore provider: SunPKCS11-NSS-FIPS

Your keystore contains 0 entries

Passing fips=false makes it correctly raise the expected exception:

# keytool -list -keystore ./store -storepass wrong-password -J-Dcom.redhat.fips=false
keytool error: java.io.IOException: keystore password was incorrect

Fixes: 6fea0bb

@evgeni
Fixes #37384 - properly pass fips=false when checking keystore
50a0399 
In a FIPS-enabled environment, calling `keytool -list` with a wrong
password doesn't yield an error, unless we also pass `fips=false` like
we do when creating the keystore:

    # keytool -list -keystore ./store -storepass wrong-password
    Keystore type: PKCS11
    Keystore provider: SunPKCS11-NSS-FIPS

    Your keystore contains 0 entries

Passing `fips=false` makes it correctly raise the expected exception:

    # keytool -list -keystore ./store -storepass wrong-password -J-Dcom.redhat.fips=false
    keytool error: java.io.IOException: keystore password was incorrect

Fixes: 6fea0bb
ekohl
ekohl approved these changes Apr 25, 2024
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels like we lack some testing with FIPS. Out of interest, on FIPS with the correct password without the -D option, does that pass?

@evgeni
Copy link
Member Author

evgeni commented Apr 25, 2024

Feels like we lack some testing with FIPS. Out of interest, on FIPS with the correct password without the -D option, does that pass?

FSVO "pass"? :)

# keytool -list -keystore /etc/candlepin/certs/truststore -storepass:file /etc/pki/katello/truststore_password-file
Keystore type: PKCS11
Keystore provider: SunPKCS11-NSS-FIPS

Your keystore contains 0 entries

# keytool -list -keystore /etc/candlepin/certs/truststore -storepass:file /etc/pki/katello/truststore_password-file -J-Dcom.redhat.fips=false
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

artemis-client, Apr 25, 2024, trustedCertEntry, 
Certificate fingerprint (SHA-256): EA:C0:F7:55:9A:F5:0C:33:0D:33:53:10:18:FF:95:FA:2B:B7:5F:AD:BE:8E:3B:66:E9:60:1A:B4:8D:80:65:80
candlepin-ca, Apr 25, 2024, trustedCertEntry, 
Certificate fingerprint (SHA-256): 32:D2:5D:17:ED:15:97:CF:CF:95:FA:63:9B:CC:85:3F:0D:FB:55:76:9F:E8:9C:89:28:AA:CC:AA:48:48:24:8F

@evgeni evgeni merged commit b9667a0 into master Apr 25, 2024
9 checks passed
@evgeni evgeni deleted the i37384 branch April 25, 2024 08:48
@evgeni evgeni added the Bug label Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl approved these changes

Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@evgeni @ekohl