From 42381ebd036feee63fab2bbf8579b7a385624bf7 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Dec 19 2022 17:08:02 +0000 Subject: cert utilities: MAC verification is incompatible with FIPS mode The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider. Do not require mac verification in FIPS mode: append the option --nomacver to the command openssl pkcs12 used to extract a pem file or a key from a p12 file. Signed-off-by: Florence Blanc-Renaud Reviewed-By: Alexander Bokovoy
---
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f01295d..e58517d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -48,6 +48,7 @@ from ipalib.install import certstore
 from ipalib.util import strip_csr_header
 from ipalib.text import _
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks

 logger = logging.getLogger(__name__)

@@ -69,9 +70,16 @@ def get_cert_nickname(cert):

 def install_pem_from_p12(p12_fname, p12_passwd, pem_fname):
     pwd = ipautil.write_tmp_file(p12_passwd)
-    ipautil.run([paths.OPENSSL, "pkcs12", "-nokeys", "-clcerts",
-                 "-in", p12_fname, "-out", pem_fname,
-                 "-passin", "file:" + pwd.name])
+    args = [paths.OPENSSL, "pkcs12", "-nokeys", "-clcerts",
+            "-in", p12_fname, "-out", pem_fname,
+            "-passin", "file:" + pwd.name]
+    # the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
+    # algorithm and cannot be supported by the FIPS provider.
+    # Do not require mac verification in FIPS mode
+    fips_enabled = tasks.is_fips_enabled()
+    if fips_enabled:
+        args.append('-nomacver')
+    ipautil.run(args)


 def install_key_from_p12(
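Review bot: The FIPS branch added to install_pem_from_p12 (the three-line comment, the `tasks.is_fips_enabled()` call and the `-nomacver` append) is duplicated verbatim in install_key_from_p12 in the following hunk; a small module-level helper such as `return ['-nomacver'] if tasks.is_fips_enabled() else []` would keep both `openssl pkcs12` invocations in step if the FIPS rationale or the option ever changes. The `fips_enabled` local adds nothing over `if tasks.is_fips_enabled():` and can be dropped in both places. The comment should also spell out the consequence for the reader: with `-nomacver` the PKCS#12 integrity MAC is not checked, so in FIPS mode a corrupted or tampered container is presumably only caught if the later decryption or parsing of the bag fails, i.e. the p12 file has to be treated as trusted input; something like `# NOTE: -nomacver skips the PKCS#12 integrity check, so the file's integrity is not verified in FIPS mode` makes that explicit. The enclosing function install_key_from_p12 starts outside the second hunk.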
@@ -85,6 +93,12 @@ def install_key_from_p12(
         args.extend(['-passout', 'file:{}'.format(out_passwd_fname)])
     else:
         args.append('-nodes')
+    # the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
+    # algorithm and cannot be supported by the FIPS provider.
+    # Do not require mac verification in FIPS mode
+    fips_enabled = tasks.is_fips_enabled()
+    if fips_enabled:
+        args.append('-nomacver')
     ipautil.run(args, umask=0o077)