URL: https://github.com/freeipa/freeipa/pull/1333
Author: flo-renaud
Title: #1333: Fix ca less IPA install on fips mode
Action: opened
PR body:
"""
When ipa-server-install is run in fips mode and ca-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.
The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a fips-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.
Fixes:
https://pagure.io/freeipa/issue/7280
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1333/head:pr1333
git checkout pr1333
From 42449a5afd555cf98d7ecfb023f2f0030a220c56 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Thu, 23 Nov 2017 18:06:56 +0100
Subject: [PATCH] Fix ca less IPA install on fips mode
When ipa-server-install is run in fips mode and ca-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.
The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a fips-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.
Fixes:
https://pagure.io/freeipa/issue/7280
---
ipapython/certdb.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index de2a42117c..dab97bf64e 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -608,6 +608,7 @@ def import_files(self, files, import_keys=False, key_password=None,
args = [
paths.OPENSSL, 'pkcs8',
'-topk8',
+ '-v2', 'aes256', '-v2prf', 'hmacWithSHA256',
'-passout', 'file:' + self.pwd_file,
]
if ((label != b'PRIVATE KEY' and key_password) or
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
