URL: https://github.com/freeipa/freeipa/pull/1337
Author: flo-renaud
Title: #1337: [Backport][ipa-4-5] Fix ca less IPA install on fips mode
Action: opened

PR body:
"""
This PR was opened because PR #1333 was pushed to master and backport to 
ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1337/head:pr1337
git checkout pr1337
From 574567f79907e013b99ce473af05c5625d58cd57 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 23 Nov 2017 18:06:56 +0100
Subject: [PATCH] Fix ca less IPA install on fips mode

When ipa-server-install is run in fips mode and ca-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.

The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a fips-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.

Fixes:
https://pagure.io/freeipa/issue/7280

Reviewed-By: Christian Heimes <chei...@redhat.com>
---
 ipapython/certdb.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 114c583402..f198811e0f 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -499,9 +499,13 @@ def import_files(self, files, import_keys=False, key_password=None,
                                 "Can't load private key from both %s and %s" %
                                 (key_file, filename))
 
+                        # the args -v2 aes256 -v2prf hmacWithSHA256 are needed
+                        # on OpenSSL 1.0.2 (fips mode). As soon as FreeIPA
+                        # requires OpenSSL 1.1.0 we'll be able to drop them
                         args = [
                             OPENSSL, 'pkcs8',
                             '-topk8',
+                            '-v2', 'aes256', '-v2prf', 'hmacWithSHA256',
                             '-passout', 'file:' + self.pwd_file,
                         ]
                         if ((label != 'PRIVATE KEY' and key_password) or
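Review bot: the new comment above the `args` list says why `-v2 aes256 -v2prf hmacWithSHA256` are needed on OpenSSL 1.0.2 in FIPS mode but gives a future reader of certdb.py no pointer back to the failure it fixes; consider adding the issue URL from the commit message (https://pagure.io/freeipa/issue/7280) to the comment so the flags are not dropped as "redundant" when the OpenSSL 1.1.0 requirement the comment anticipates lands. The diffstat shows only certdb.py changing (4 insertions); a regression test that drives `import_files` with `import_keys=True` and a separate key file would keep the ca-less key-file path covered, since that is exactly the path the commit message says broke.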
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
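The commit message above describes the conversion the installer performs (`openssl pkcs8 -topk8`) and the two extra options the patch adds. The script below is an added example, not FreeIPA code: it reproduces that conversion on a constructed throwaway key and password file, then checks the resulting PKCS#8 blob actually advertises the PBES2 parameters the flags request (AES-256-CBC and hmacWithSHA256) and still decrypts with the same password. It assumes an `openssl` binary on PATH; the helper names `convert_pkcs8`, `pkcs8_uses_pbes2_sha256` and `roundtrip` are this example's own.

```bash
#!/bin/sh
# Added example (not from the FreeIPA tree): mirror the PKCS#8 conversion in
# ipapython/certdb.py import_files() and verify what it produced.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs: a throwaway RSA key and a password file that stands in
# for self.pwd_file in certdb.py. Neither is a real FreeIPA artifact.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
PASS_FILE="$WORK/pwd.txt"
printf 'constructed-test-password\n' > "$PASS_FILE"

# convert_pkcs8 SRC DST: the argv the patch builds, with the PBES2 options
# (-v2 aes256 -v2prf hmacWithSHA256) that FIPS mode on OpenSSL 1.0.2 needs.
convert_pkcs8() {
    openssl pkcs8 -topk8 \
        -v2 aes256 -v2prf hmacWithSHA256 \
        -passout "file:$PASS_FILE" \
        -in "$1" -out "$2"
}

# pkcs8_uses_pbes2_sha256 FILE: succeed only if the encrypted PKCS#8
# AlgorithmIdentifier names both aes-256-cbc and hmacWithSHA256. A key
# converted without the -v2/-v2prf options would fail this check.
pkcs8_uses_pbes2_sha256() {
    dump=$(openssl asn1parse -in "$1")
    printf '%s\n' "$dump" | grep -q 'aes-256-cbc' &&
        printf '%s\n' "$dump" | grep -q 'hmacWithSHA256'
}

# roundtrip FILE: decrypt the PKCS#8 key with the same password file and make
# sure the recovered RSA key is internally consistent.
roundtrip() {
    openssl pkcs8 -in "$1" -passin "file:$PASS_FILE" -out "$WORK/plain.pem" &&
        openssl rsa -in "$WORK/plain.pem" -noout -check >/dev/null 2>&1
}

# Stand-alone run: convert, inspect, and decrypt back.
convert_pkcs8 "$WORK/key.pem" "$WORK/key.p8"
pkcs8_uses_pbes2_sha256 "$WORK/key.p8" && echo "PBES2 with AES-256-CBC / hmacWithSHA256: ok"
roundtrip "$WORK/key.p8" && echo "decrypts back with the same password: ok"
```

The `asn1parse` check is the one worth keeping around: it tells you from the file alone which PBE scheme a PKCS#8 key was wrapped with, so a key that will be rejected under FIPS can be spotted before the installer ever tries to import it.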