From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Apr 14 2021 20:16:44 +0000 Subject: Fix local CA to work under FIPS The PKCS12 file used for the local CA fails to be created because it uses default OpenSSL encryption algorithms that are disallowed under FIPS. This patch simply updates the PKCS12_create() command to use allowed encryption algorithms.
---
diff --git a/src/local.c b/src/local.c
index 92bea14..2f50ac7 100644
--- a/src/local.c
+++ b/src/local.c
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
 return CM_SUBMIT_STATUS_UNREACHABLE;
 }
 p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
- cas, 0, 0, 0, 0, 0);
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
+ 0, 0, 0);
 if (p12 != NULL) {
 if (!i2d_PKCS12_fp(fp, p12)) {
 fclose(fp);
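Review bot: The `PKCS12_create()` call in the second hunk still passes `NULL` as the password, so selecting `NID_aes_128_cbc` for the key and certificate bags satisfies the FIPS algorithm check but adds no real confidentiality for the local CA key. Protection of the key therefore rests on the mode and ownership of the file behind `fp`, which is opened outside this hunk and should be confirmed to be owner-only. A comment above the call would record the intent, e.g. `/* AES-128-CBC because the OpenSSL PKCS12 defaults are rejected under FIPS; the password is NULL, so file permissions protect the key. */`. The last three arguments stay at `0`, so the iteration counts and integrity MAC keep OpenSSL's defaults; whether the default MAC derivation is accepted in FIPS mode depends on the OpenSSL build and is worth a test on a FIPS-enabled host. The body of `get_signer_info` continues outside the hunk, so the handling of a `NULL` return from `PKCS12_create()` is not visible here.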