Description of problem: ipa vault-add is failing with "ipa: ERROR: An internal error has occurred" and "ValueError: Encryption/decryption failed" in FIPS mode.
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux release 9.1 Beta (Plow)
ipa-server-4.9.8-8.el9.x86_64
package pki-ca is not installed
389-ds-base-2.0.14-1.el9.x86_64
openssl-3.0.1-27.el9_0.x86_64
sssd-ipa-2.6.2-4.el9_0.x86_64
krb5-server-1.19.1-18.el9.x86_64
How reproducible: 100%
Steps to Reproduce:
1. Set up IPA on a FIPS-enabled machine
2. Add an IPA vault
Actual results:
[root@master ~]# ipa vault-add fipsvault --type=standard
ipa: ERROR: non-public: ValueError: Encryption/decryption failed.
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 356, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 990, in forward
    return self.internal(algo, transport_cert, *args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 735, in internal
    result = self._do_internal(algo, transport_cert, False,
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 712, in _do_internal
    wrapped_session_key = public_key.encrypt(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 537, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 87, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 151, in _enc_dec_rsa_pkey_ctx
    raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.
ipa: ERROR: an internal error has occurred
Support for PKCS#1 v1.5 padding has been recently removed as it will not be allowed in FIPS mode after 2023. None of the FIPS certified modules in RHEL will support it as a FIPS approved mechanism.
Vault must be migrated to RSA-OAEP or RSASVE.
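To make the padding problem concrete, here is an added illustration (not FreeIPA's code) of the session-key wrap that fails in the traceback, written against the same `cryptography` API: the legacy PKCS#1 v1.5 wrap beside an RSA-OAEP wrap. The transport key pair is generated in-process instead of coming from the KRA transport certificate, and the OAEP hash parameters are an assumption, not necessarily the ones FreeIPA chose.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP parameters are an assumption for this illustration, not necessarily
# the ones FreeIPA selected for the vault migration.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)
# The legacy wrap: rejected by OpenSSL 3 in FIPS mode, which `cryptography`
# reports as ValueError("Encryption/decryption failed."), the error above.
LEGACY_PKCS1V15 = padding.PKCS1v15()


def wrap_session_key(public_key, session_key: bytes, wrap_padding=OAEP) -> bytes:
    """Encrypt the symmetric session key under the transport public key.

    This is the call that fails in the traceback (public_key.encrypt); the
    default padding here is RSA-OAEP, which remains FIPS-approved.
    """
    return public_key.encrypt(session_key, wrap_padding)


def unwrap_session_key(private_key, wrapped: bytes, wrap_padding=OAEP) -> bytes:
    """Recover the session key on the receiving side; padding must match the wrap."""
    return private_key.decrypt(wrapped, wrap_padding)


def uses_fips_approved_padding(wrap_padding) -> bool:
    """Policy check for new archives: only OAEP is acceptable."""
    return isinstance(wrap_padding, padding.OAEP)


def roundtrip(wrap_padding=OAEP, key_size: int = 2048) -> bool:
    """Generate a transport key pair (FreeIPA would use the KRA transport
    certificate instead), wrap a fresh 256-bit session key, unwrap it, and
    report whether it survived. A FIPS-mode ValueError is left to propagate
    so the failure is visible rather than masked."""
    transport_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    session_key = os.urandom(32)
    wrapped = wrap_session_key(transport_key.public_key(), session_key, wrap_padding)
    return unwrap_session_key(transport_key, wrapped, wrap_padding) == session_key


if __name__ == "__main__":
    print("RSA-OAEP wrap/unwrap ok:", roundtrip())
    print("PKCS#1 v1.5 approved for new archives:", uses_fips_approved_padding(LEGACY_PKCS1V15))
```

On a FIPS-enabled host, `roundtrip(LEGACY_PKCS1V15)` raises the same ValueError shown in the report, while `roundtrip()` with OAEP succeeds.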
Metadata Update from @ftrivino: - Issue assigned to ftrivino
Metadata Update from @ftrivino: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6959 - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2089907
Metadata Update from @ftrivino: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-12153 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2089907)
master:
ipa-4-11:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-12153, https://issues.redhat.com/browse/RHEL-12143 (was: https://issues.redhat.com/browse/RHEL-12153)
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @rcritten: - Custom field affects_doc adjusted to on - Custom field knownissue adjusted to on - Issue status updated to: Open (was: Closed)
Metadata Update from @ftrivino: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)