#9191 ipa vault-add is failing with ipa in RHEL9: ERROR: an internal error has occurred in FIPS mode
Opened 2 years ago by ftrivino. Modified a month ago

Description of problem:
ipa vault-add is failing with ipa: ERROR: An internal error has occurred and
ValueError: Encryption/decryption failed in FIPS Mode.

Version-Release number of selected component (if applicable):

cat /etc/redhat-release

Red Hat Enterprise Linux release 9.1 Beta (Plow)

ipa-server-4.9.8-8.el9.x86_64
package pki-ca is not installed
389-ds-base-2.0.14-1.el9.x86_64
openssl-3.0.1-27.el9_0.x86_64
sssd-ipa-2.6.2-4.el9_0.x86_64
krb5-server-1.19.1-18.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Setup IPA on FIPS enabled machine
2. Add ipa vault

Actual results:
[root@master ~]# ipa vault-add fipsvault --type=standard
ipa: ERROR: non-public: ValueError: Encryption/decryption failed.
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 356, in forward
    self.api.Command.vault_archive(*args, **opts)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 1229, in run
    return self.forward(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 990, in forward
    return self.internal(algo, transport_cert, *args, **options)
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 735, in internal
    result = self._do_internal(algo, transport_cert, False,
  File "/usr/lib/python3.9/site-packages/ipaclient/plugins/vault.py", line 712, in _do_internal
    wrapped_session_key = public_key.encrypt(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 537, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 87, in _enc_dec_rsa
    return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 151, in _enc_dec_rsa_pkey_ctx
    raise ValueError("Encryption/decryption failed.")
ValueError: Encryption/decryption failed.
ipa: ERROR: an internal error has occurred


Support for PKCS#1 v1.5 padding has been recently removed as it will not be allowed in FIPS mode after 2023. None of the FIPS certified modules in RHEL will support it as a FIPS approved mechanism.

Vault must be migrated to RSA-OAEP or RSASVE.
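The failing call in the traceback is the vault client wrapping its per-archive session key with the transport certificate's RSA public key using PKCS#1 v1.5 padding, which the FIPS provider now refuses. The following is an added example (not FreeIPA's code) showing the same operation with the `cryptography` library, the padding switch the fix introduces (RSA-OAEP by default when the kernel reports FIPS mode, read from `/proc/sys/crypto/fips_enabled`), and a fallback to OAEP when the backend raises the ValueError seen above. The throwaway key pair, the 32-byte session key and the SHA-256 OAEP parameters are assumptions for this example; a real client must use whatever OAEP parameters the KRA transport key expects.

```python
"""Session-key wrapping for a vault-style archive: PKCS#1 v1.5 versus RSA-OAEP.

Added example, not FreeIPA code.  The key pair, session key and OAEP hash
parameters are constructed here for illustration.
"""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PKCS1_V15 = "RSA-PKCS1-1.5"   # legacy default; rejected by FIPS providers
RSA_OAEP = "RSA-OAEP"         # FIPS-approved replacement

# Assumption for this example: SHA-256 for both OAEP and MGF1.  The real
# client must match the parameters the KRA transport key is used with.
OAEP_PADDING = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def fips_mode_enabled(proc_path="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode (RHEL exposes this file)."""
    try:
        with open(proc_path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def select_wrapping_algo(fips_mode):
    """Policy from the fix: OAEP when FIPS is enabled, legacy algo otherwise."""
    return RSA_OAEP if fips_mode else PKCS1_V15


def _padding_for(algo):
    if algo == PKCS1_V15:
        return padding.PKCS1v15()
    if algo == RSA_OAEP:
        return OAEP_PADDING
    raise ValueError("unsupported wrapping algorithm: %s" % algo)


def wrap_session_key(transport_public_key, session_key, algo):
    """The call that fails in the traceback when algo is PKCS#1 v1.5 under FIPS."""
    return transport_public_key.encrypt(session_key, _padding_for(algo))


def unwrap_session_key(transport_private_key, wrapped, algo):
    return transport_private_key.decrypt(wrapped, _padding_for(algo))


def wrap_with_fallback(transport_public_key, session_key, preferred_algo):
    """Try the preferred algorithm; if the backend rejects it with ValueError,
    retry with RSA-OAEP.  Returns (wrapped_blob, algo_actually_used)."""
    try:
        blob = wrap_session_key(transport_public_key, session_key, preferred_algo)
        return blob, preferred_algo
    except ValueError:
        if preferred_algo == RSA_OAEP:
            raise
        return wrap_session_key(transport_public_key, session_key, RSA_OAEP), RSA_OAEP


def roundtrip(algo):
    """Wrap and unwrap a random 32-byte AES session key with a throwaway
    transport key pair; True when the key survives the round trip."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session_key = os.urandom(32)
    wrapped = wrap_session_key(private_key.public_key(), session_key, algo)
    return unwrap_session_key(private_key, wrapped, algo) == session_key


def fallback_roundtrip(preferred_algo):
    """Same round trip through wrap_with_fallback; returns (algo_used, ok)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session_key = os.urandom(32)
    wrapped, used = wrap_with_fallback(private_key.public_key(), session_key, preferred_algo)
    return used, unwrap_session_key(private_key, wrapped, used) == session_key


if __name__ == "__main__":
    algo = select_wrapping_algo(fips_mode_enabled())
    print("FIPS mode:", fips_mode_enabled(), "-> wrapping with", algo)
    for candidate in (PKCS1_V15, RSA_OAEP):
        try:
            print(candidate, "round trip ok:", roundtrip(candidate))
        except ValueError as e:
            # On a FIPS host this is the PKCS#1 v1.5 branch from the ticket.
            print(candidate, "rejected by backend:", e)
```

On a non-FIPS host both candidates round-trip; on a FIPS-enabled RHEL 9 host the PKCS#1 v1.5 branch raises the same "Encryption/decryption failed." ValueError as the ticket, and `wrap_with_fallback` recovers by re-wrapping with OAEP.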

Metadata Update from @ftrivino:
- Issue assigned to ftrivino

2 years ago

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6959
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2089907

8 months ago
3 months ago

master:

  • 2d0a088 Vault: add support for RSA-OAEP wrapping algo
  • 4cc6b9c Vault: improve vault server archival/retrieval calls error handling
  • 305fcc2 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

ipa-4-11:

  • b1390d1 Vault: add support for RSA-OAEP wrapping algo
  • c6f79e0 Vault: improve vault server archival/retrieval calls error handling
  • 601de69 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

ipa-4-10:

  • bd71a17 Vault: add support for RSA-OAEP wrapping algo
  • 10643d4 Vault: improve vault server archival/retrieval calls error handling
  • 327b038 kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

ipa-4-9:

  • b1fb31f Vault: add support for RSA-OAEP wrapping algo
  • dc1ab53 Vault: improve vault server archival/retrieval calls error handling
  • f2eec9e kra: set RSA-OAEP as default wrapping algo when FIPS is enabled

master:

  • c3d228d Vault: add additional fallback to RSA-OAEP wrapping algo

ipa-4-11:

  • ca561f7 Vault: add additional fallback to RSA-OAEP wrapping algo

ipa-4-10:

  • 35507aa Vault: add additional fallback to RSA-OAEP wrapping algo

ipa-4-9:

  • d7c1ba0 Vault: add additional fallback to RSA-OAEP wrapping algo
