#9191 ipa vault-add is failing with ipa in RHEL9: ERROR: an internal error has occurred in FIPS mode
Closed: fixed 5 months ago by ftrivino. Opened 2 years ago by ftrivino.

Description of problem:
ipa vault-add is failing with ipa: ERROR: An internal error has occurred and
ValueError: Encryption/decryption failed in FIPS Mode.

Version-Release number of selected component (if applicable):

cat /etc/redhat-release

Red Hat Enterprise Linux release 9.1 Beta (Plow)

ipa-server-4.9.8-8.el9.x86_64
package pki-ca is not installed
389-ds-base-2.0.14-1.el9.x86_64
openssl-3.0.1-27.el9_0.x86_64
sssd-ipa-2.6.2-4.el9_0.x86_64
krb5-server-1.19.1-18.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Setup IPA on FIPS enabled machine
2. Add ipa vault

Actual results:
[root@master ~]# ipa vault-add fipsvault --type=standard
ipa: ERROR: non-public: ValueError: Encryption/decryption failed.
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 356, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 990, in forward
    return self.internal(algo, transport_cert, *args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 735, in internal
    result = self._do_internal(algo, transport_cert, False,
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 712, in _do_internal
    wrapped_session_key = public_key.encrypt(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 537, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 87, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 151, in _enc_dec_rsa_pkey_ctx
    raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.
ipa: ERROR: an internal error has occurred


Support for PKCS#1 v1.5 padding has been recently removed as it will not be allowed in FIPS mode after 2023. None of the FIPS certified modules in RHEL will support it as a FIPS approved mechanism.

vault must be migrated to RSA-OAEP or RSASVE.
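The traceback above fails at the point where the client wraps the vault session key with the KRA transport certificate's public key using PKCS#1 v1.5, and the fix commits listed below move that step to RSA-OAEP, defaulting to OAEP when FIPS is enabled and falling back to OAEP otherwise. The following is an added example, not FreeIPA's own code, that shows the same wrapping choice in isolation with the `cryptography` library: a FIPS check via `/proc/sys/crypto/fips_enabled` (the RHEL kernel flag; the path is an assumption for this example), a wrapper that selects RSA-OAEP under FIPS, and a fallback that retries with OAEP when the backend raises the `ValueError` seen in the ticket. The OAEP hash parameters (SHA-256 for both the hash and MGF1) are an assumption; the KRA a real vault talks to may require different parameters. The key pair is generated locally as a stand-in for the KRA transport key.

```python
"""Added example (not FreeIPA code): RSA-OAEP vault session-key wrapping
with a FIPS-mode default and a fallback away from PKCS#1 v1.5."""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: RHEL exposes kernel FIPS state here as "1" or "0".
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"

RSA_OAEP = "RSA-OAEP"
RSA_PKCS1 = "RSA-PKCS1"


def fips_enabled(path=FIPS_FLAG):
    """Return True when the kernel reports FIPS mode; False if unreadable."""
    try:
        with open(path, encoding="ascii") as flag:
            return flag.read().strip() == "1"
    except OSError:
        return False


def choose_wrapping_algo(fips=None):
    """Default to RSA-OAEP under FIPS, as the ticket's kra fix does."""
    if fips is None:
        fips = fips_enabled()
    return RSA_OAEP if fips else RSA_PKCS1


def _padding_for(algo):
    # Assumption: SHA-256 for the OAEP hash and MGF1. Adjust to what the
    # receiving KRA actually accepts.
    if algo == RSA_OAEP:
        return padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None,
        )
    if algo == RSA_PKCS1:
        return padding.PKCS1v15()
    raise ValueError(f"unsupported wrapping algo: {algo}")


def wrap_session_key(public_key, session_key, algo=RSA_OAEP):
    """Wrap a symmetric session key with the transport public key."""
    return public_key.encrypt(session_key, _padding_for(algo))


def unwrap_session_key(private_key, wrapped, algo=RSA_OAEP):
    """Inverse of wrap_session_key; the KRA side in a real deployment."""
    return private_key.decrypt(wrapped, _padding_for(algo))


def wrap_with_fallback(public_key, session_key, algo):
    """Try the requested algo; if the backend rejects it (the FIPS-mode
    ValueError in the traceback), retry with RSA-OAEP. Returns the algo
    actually used so the caller can tell the server how to unwrap."""
    try:
        return algo, wrap_session_key(public_key, session_key, algo)
    except ValueError:
        if algo == RSA_OAEP:
            raise
        return RSA_OAEP, wrap_session_key(public_key, session_key, RSA_OAEP)


def demo(fips=False):
    """Round-trip a constructed session key through a locally generated
    stand-in transport key pair and report which algo was used."""
    transport_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session_key = os.urandom(32)  # constructed AES-256 session key
    requested = choose_wrapping_algo(fips)
    used, wrapped = wrap_with_fallback(transport_key.public_key(), session_key, requested)
    recovered = unwrap_session_key(transport_key, wrapped, used)
    return {
        "requested": requested,
        "used": used,
        "ok": recovered == session_key,
        "wrapped_len": len(wrapped),
    }


if __name__ == "__main__":
    print(demo(fips=fips_enabled()))
```

Run on a non-FIPS host, `demo()` reports the PKCS#1 v1.5 path; on a FIPS host it reports RSA-OAEP from the start, and any PKCS#1 v1.5 request that the provider rejects is retried with OAEP rather than surfacing as the internal error in the ticket.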

Metadata Update from @ftrivino:
- Issue assigned to ftrivino

2 years ago

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6959
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2089907

a year ago

master:

  • 2d0a088 Vault: add support for RSA-OAEP wrapping algo
  • 4cc6b9c Vault: improve vault server archival/retrieval calls error handling
  • 305fcc2 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

ipa-4-11:

  • b1390d1 Vault: add support for RSA-OAEP wrapping algo
  • c6f79e0 Vault: improve vault server archival/retrieval calls error handling
  • 601de69 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

ipa-4-10:

  • bd71a17 Vault: add support for RSA-OAEP wrapping algo
  • 10643d4 Vault: improve vault server archival/retrieval calls error handling
  • 327b038 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

ipa-4-9:

  • b1fb31f Vault: add support for RSA-OAEP wrapping algo
  • dc1ab53 Vault: improve vault server archival/retrieval calls error handling
  • f2eec9e kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

master:

  • c3d228d Vault: add additional fallback to RSA-OAEP wrapping algo

ipa-4-11:

  • ca561f7 Vault: add additional fallback to RSA-OAEP wrapping algo

ipa-4-10:

  • 35507aa Vault: add additional fallback to RSA-OAEP wrapping algo

ipa-4-9:

  • d7c1ba0 Vault: add additional fallback to RSA-OAEP wrapping algo

master:

  • cba3094 Support the certmonger nss-user option
  • e6078c6 Don't generate a cafile on HSM instalations
  • 34f28f0 Add token support to installer certificate handling
  • 73d52a6 Only generate kracert.p12 when not installing with HSM
  • e323470 Don't move KRA keys when key backup is disabled
  • f658a26 doc: Add token-password-file to HSM design, set new OID
  • d9efa72 Add LDAP attribute ipaCaHSMConfiguration to store HSM state
  • 82c0b19 Add HSM configuration options to installer scripts
  • a99091a Add attribute ipacahsmconfiguration to the "Read CAs" ACI
  • 7ad3b48 Update SELinux policy to allow certmonger to PKI config files
  • 9362200 Add token support to the renew_ca_cert certmonger helper
  • d0c489e If HSM is configured add the token name to config-show output
  • 0708f60 renew_ca_cert: skip removing non-CA certs, fix nickname
  • b89aa91 renew_ca_cert: set peer trust on the KRA audit certificate
  • 06a8791 tests: helper to copy files from one host to another
  • 36dbc6b ipatests: test software HSM installation with server & replica
  • 6b894f2 After installing a KRA, copy the updated token to other machines
  • 31d66ba Validate the HSM token library path and name during installation
  • c6dd21f Remove caSigningCert from list of certs to renew
  • 87ecca0 Add SELinux subpackage for nCipher nfast HSM support
  • f8798b3 Add SELinux subpackage for Thales Luna HSM support
  • 1ec875c ipatests: test software HSM installation with server & replica
  • b63103c tests: Fix failing test test_testconfig.py with missing token variables
  • c6f2d02 dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
  • 31fda79 Prompt for token password if not provided in replica/ipa-ca-install
  • b9ec2fb KRA: force OAEP for some HSM-based installations
  • ea0bf40 After an HSM replica install ensure all certs are visible
  • bcd8d2d Require certmonger 0.79.17+ for required HSM changes
  • 879a937 Include the HSM tests in the nightlies
  • 6b6c187 Call hsm_validator on KRA installs and validate the HSM password
  • c861ce5 Add SELinux module checking to hsm_validator
  • 6af8577 docs: Add a section on SELinux modules to the HSM design

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago

Metadata Update from @rcritten:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)

8 months ago

Metadata Update from @ftrivino:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago
