From 305fcc25b4dd0aea4f87a0508c5f47c7634cfb82 Mon Sep 17 00:00:00 2001
From: Francisco Trivino
Date: Jan 30 2024 15:18:02 +0000
Subject: kra: set RSA-OAEP as default wrapping algo when FIPS is enabled
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS is enabled. It also handles upgrade path.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino
Reviewed-By: Rob Crittenden
---
diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini
index 696bee9..12cfac3 100644
--- a/install/share/ipaca_default.ini
+++ b/install/share/ipaca_default.ini
@@ -164,3 +164,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
 # We will use the dbuser created for the CA.
 pki_share_db=True
 pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
+
+# KRA padding, set RSA-OAEP in FIPS mode
+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s
\ No newline at end of file
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 7fdf2e0..e0aa129 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -1020,7 +1020,9 @@ class PKIIniLoader:
 # for softhsm2 testing
 softhsm2_so=paths.LIBSOFTHSM2_SO,
 # Configure a more secure AJP password by default
- ipa_ajp_secret=ipautil.ipa_generate_password(special=None)
+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None),
+ # in FIPS mode use RSA-OAEP wrapping padding algo as default
+ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled()
 )
 
 @classmethod
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index d0636a5..0fd1486 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
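Review bot: The new `pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s` line is filled from a Python bool, so pkispawn will receive the literal `True` or `False`; the sibling `pki_share_db=True` two lines above uses the same spelling, so this looks consistent, but it is worth confirming that pkispawn reads this particular option case-insensitively rather than expecting lowercase `true`. The comment `# KRA padding, set RSA-OAEP in FIPS mode` could state the non-FIPS behaviour too, which the commit message explains but the file does not, e.g. `# KRA key wrap padding: RSA-OAEP when FIPS is enabled, otherwise Dogtag's PKCS#1 v1.5 default`. The file now ends with `\ No newline at end of file`; adding the trailing newline avoids a spurious change in the next edit to this file.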
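Review bot: `fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled()` puts a bool into a defaults mapping whose other visible entries (`softhsm2_so`, `ipa_ajp_secret`) are strings; how it reaches the ini template as `True`/`False` depends on how PKIIniLoader feeds these defaults to the config parser, which is outside the hunk, so either `str(tasks.is_fips_enabled())` here or a note that the loader stringifies values would make the rendered form explicit. The comment would be more useful stating the effect than the intent: `# FIPS mode: render pki_use_oaep_rsa_keywrap=True so the KRA wraps keys with RSA-OAEP`. The enclosing method of PKIIniLoader starts before the hunk.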
@@ -284,6 +284,18 @@ class KRAInstance(DogtagInstance):
 
 # A restart is required
 
+ def enable_oaep_wrap_algo(self):
+ """
+ Enable KRA OAEP key wrap algorithm
+ """
+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
+ directivesetter.set_directive(
+ self.config,
+ 'keyWrap.useOAEP',
+ 'true', quotes=False, separator='=')
+
+ # A restart is required
+
 def update_cert_config(self, nickname, cert):
 """
 When renewing a KRA subsystem certificate the configuration file
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f42faea..31d4f83 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1794,6 +1794,18 @@ def upgrade_configuration():
 else:
 logger.info('ephemeralRequest is already enabled')
 
+ if tasks.is_fips_enabled():
+ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]')
+ value = directivesetter.get_directive(
+ paths.KRA_CS_CFG_PATH,
+ 'keyWrap.useOAEP',
+ separator='=')
+ if value is None or value.lower() != 'true':
+ logger.info('Use the OAEP key wrap algo')
+ kra.enable_oaep_wrap_algo()
+ else:
+ logger.info('OAEP key wrap algo is already enabled')
+
 # several upgrade steps require running CA. If CA is configured,
 # always run ca.start() because we need to wait until CA is really ready
 # by checking status using http
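Review bot: The docstring of `enable_oaep_wrap_algo` names the outcome but not the mechanics a caller needs: that it stops pki-tomcat for the duration of the edit, writes `keyWrap.useOAEP=true` into `self.config` via `directivesetter.set_directive`, and that the new setting only takes effect once the service is running again. A docstring along the lines of `Switch the KRA to RSA-OAEP key wrapping by setting keyWrap.useOAEP=true in CS.cfg while pki-tomcat is stopped; the change applies on the next start of the service` would cover that. The trailing `# A restart is required` comment is copied from the method above (whose definition is outside the hunk); if `installutils.stopped_service` brings the service back up on exit, as its name suggests, the comment should say what the restart is for rather than imply the caller still has to perform one.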
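Review bot: The new FIPS block reads `paths.KRA_CS_CFG_PATH` and calls `kra.enable_oaep_wrap_algo()` with no visible check that a KRA is installed on this host; indentation is not recoverable in this view, so if the block is not nested under the installed-KRA guard that presumably protects the ephemeralRequest step above it, a FIPS host with only a CA would have its upgrade try to edit a CS.cfg that does not exist. Please confirm the nesting, or make it explicit with `if kra.is_installed() and tasks.is_fips_enabled():`. The read-compare-enable-log sequence duplicates the ephemeralRequest step line for line; a small helper taking the directive name, the enable callable and the log messages would keep the two in step. The enclosing `upgrade_configuration` starts before the hunk.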