URL: https://github.com/freeipa/freeipa/pull/1333 Author: flo-renaud Title: #1333: Fix ca less IPA install on fips mode Action: opened
PR body: """
When ipa-server-install is run in fips mode and ca-less, the installer fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file in a separate key file.
The installer transforms the key into PKCS#8 format using openssl pkcs8 -topk8 but this command fails on a fips-enabled server, unless the options -v2 aes256 -v2prf hmacWithSHA256 are also provided.
Fixes: https://pagure.io/freeipa/issue/7280
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1333/head:pr1333
git checkout pr1333
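The options the PR body asks for change only the header of the PKCS#8 output, so the way to confirm a converted key file actually carries them is to read that header. The Python below is an added example, not FreeIPA code: it decodes the EncryptedPrivateKeyInfo of an "ENCRYPTED PRIVATE KEY" PEM and reports the PBE scheme, KDF, PRF and cipher, then checks for the PBES2 / PBKDF2 / hmacWithSHA256 / AES-256-CBC combination that `-v2 aes256 -v2prf hmacWithSHA256` produces. The sample keys it parses are constructed headers with dummy salt, IV and ciphertext (no real key material); on a real file, `openssl asn1parse -in key.p8` shows the same fields interactively.

```python
"""Report the password-based encryption parameters of a PKCS#8 key (added example)."""
import base64
import re

PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
HMAC_SHA256, AES256_CBC = "1.2.840.113549.2.9", "2.16.840.1.101.3.4.1.42"
PKCS12_PBE = "1.2.840.113549.1.12.1.3"
OIDS = {
    PBES2: "PBES2", PBKDF2: "PBKDF2", HMAC_SHA256: "hmacWithSHA256",
    "1.2.840.113549.2.7": "hmacWithSHA1", AES256_CBC: "aes-256-cbc",
    "1.2.840.113549.3.7": "des-ede3-cbc", PKCS12_PBE: "pbeWithSHA1And3-KeyTripleDES-CBC",
}


# --- minimal DER reader ---------------------------------------------------
def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _seq_items(body):
    """Split a SEQUENCE body into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        items.append((tag, value))
    return items


def _oid(value):
    """Decode OID contents to dotted form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def _alg_id(body):
    """AlgorithmIdentifier body -> (algorithm name, raw parameters or None)."""
    items = _seq_items(body)
    dotted = _oid(items[0][1])
    return OIDS.get(dotted, dotted), (items[1][1] if len(items) > 1 else None)


def describe_pkcs8(pem):
    """Return {'scheme','kdf','prf','cipher'} for an ENCRYPTED PRIVATE KEY PEM block."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an encrypted PKCS#8 PEM (unencrypted or PKCS#1 key?)")
    der = base64.b64decode("".join(m.group(1).split()))
    _, epki, _ = _tlv(der, 0)                           # EncryptedPrivateKeyInfo
    scheme, params = _alg_id(_seq_items(epki)[0][1])    # encryptionAlgorithm
    info = {"scheme": scheme, "kdf": None, "prf": None, "cipher": None}
    if scheme == "PBES2":                               # PBES2-params: kdf, encryptionScheme
        (_, kdf_body), (_, enc_body) = _seq_items(params)
        info["kdf"], kdf_params = _alg_id(kdf_body)
        info["cipher"], _ = _alg_id(enc_body)
        # PBKDF2-params: salt, iterationCount, [keyLength], prf DEFAULT hmacWithSHA1.
        # An absent prf therefore means SHA-1, which is what -v2prf overrides.
        info["prf"] = "hmacWithSHA1"
        for tag, value in _seq_items(kdf_params):
            if tag == 0x30:
                info["prf"] = _alg_id(value)[0]
    return info


def is_pbes2_aes256_sha256(info):
    """True when the header matches what `-v2 aes256 -v2prf hmacWithSHA256` writes."""
    return (info["scheme"] == "PBES2" and info["kdf"] == "PBKDF2"
            and info["prf"] == "hmacWithSHA256" and info["cipher"] == "aes-256-cbc")


# --- constructed test vectors: header only, dummy salt/IV/ciphertext ------
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _der(0x06, bytes(out))


def sample_pem(legacy=False, prf=HMAC_SHA256):
    """Constructed EncryptedPrivateKeyInfo; legacy=PKCS#12 PBE, prf=None omits the PRF."""
    salt_iter = _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00")   # salt, 2048 iterations
    if legacy:
        alg = _der_oid(PKCS12_PBE) + _der(0x30, salt_iter)
    else:
        kdf_params = salt_iter + (_der(0x30, _der_oid(prf) + b"\x05\x00") if prf else b"")
        kdf = _der(0x30, _der_oid(PBKDF2) + _der(0x30, kdf_params))
        enc = _der(0x30, _der_oid(AES256_CBC) + _der(0x04, b"\x00" * 16))
        alg = _der_oid(PBES2) + _der(0x30, kdf + enc)
    der = _der(0x30, _der(0x30, alg) + _der(0x04, b"\xaa" * 32))
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(der).decode()
            + "\n-----END ENCRYPTED PRIVATE KEY-----\n")


if __name__ == "__main__":
    for label, pem in (("PKCS#12 PBE (SHA-1/3DES)", sample_pem(legacy=True)),
                       ("PBES2 without -v2prf", sample_pem(prf=None)),
                       ("PBES2 with -v2prf hmacWithSHA256", sample_pem())):
        info = describe_pkcs8(pem)
        print(f"{label:34s} {info}  ok={is_pbes2_aes256_sha256(info)}")
```

Feed `describe_pkcs8()` the contents of the key file the installer wrote; a PBKDF2 header with no explicit PRF is reported as hmacWithSHA1 because that is the ASN.1 default, which is exactly the case the added `-v2prf` option is meant to rule out.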
From 42449a5afd555cf98d7ecfb023f2f0030a220c56 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Thu, 23 Nov 2017 18:06:56 +0100 Subject: [PATCH] Fix ca less IPA install on fips mode When ipa-server-install is run in fips mode and ca-less, the installer fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file in a separate key file. The installer transforms the key into PKCS#8 format using openssl pkcs8 -topk8 but this command fails on a fips-enabled server, unless the options -v2 aes256 -v2prf hmacWithSHA256 are also provided. Fixes: https://pagure.io/freeipa/issue/7280 --- ipapython/certdb.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index de2a42117c..dab97bf64e 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -608,6 +608,7 @@ def import_files(self, files, import_keys=False, key_password=None, args = [ paths.OPENSSL, 'pkcs8', '-topk8', + '-v2', 'aes256', '-v2prf', 'hmacWithSHA256', '-passout', 'file:' + self.pwd_file, ] if ((label != b'PRIVATE KEY' and key_password) or
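Review bot: the added `'-v2', 'aes256', '-v2prf', 'hmacWithSHA256',` entry in the `import_files` args list carries no comment, so the reason these PBES2 parameters are pinned (the default `openssl pkcs8 -topk8` scheme failing under FIPS, per the commit message) lives only in git history; add a one-line comment above the list referencing issue 7280. The pinned scheme now applies to every install, not just FIPS mode, which is a reasonable stronger default but worth stating in that comment. The diff touches only ipapython/certdb.py and adds no test for the CA-less key-import path; if the suite cannot exercise FIPS mode, say so in the commit message.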
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org