|
 |
2c4167 |
From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
|
|
|
2c4167 |
From: Ade Lee <alee@redhat.com>
|
|
|
2c4167 |
Date: Wed, 14 Apr 2021 15:34:48 -0400
|
|
|
2c4167 |
Subject: [PATCH] Fix local CA to work under FIPS
|
|
|
2c4167 |
|
|
|
2c4167 |
The PKCS12 file used for the local CA fails to be created because
|
|
|
2c4167 |
it uses default OpenSSL encryption algorithms that are disallowed
|
|
|
2c4167 |
under FIPS. This patch simply updates the PKCS12_create() command
|
|
|
2c4167 |
to use allowed encryption algorithms.
|
|
|
2c4167 |
---
|
|
|
2c4167 |
src/local.c | 4 +++-
|
|
|
2c4167 |
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
2c4167 |
|
|
|
2c4167 |
diff --git a/src/local.c b/src/local.c
|
|
|
2c4167 |
index 92bea144..2f50ac77 100644
|
|
|
2c4167 |
--- a/src/local.c
|
|
|
2c4167 |
+++ b/src/local.c
|
|
|
2c4167 |
@@ -39,6 +39,7 @@
|
|
|
2c4167 |
|
|
|
2c4167 |
#include <openssl/asn1.h>
|
|
|
2c4167 |
#include <openssl/err.h>
|
|
|
2c4167 |
+#include <openssl/obj_mac.h>
|
|
|
2c4167 |
#include <openssl/pem.h>
|
|
|
2c4167 |
#include <openssl/pkcs12.h>
|
|
|
2c4167 |
#include <openssl/rand.h>
|
|
|
2c4167 |
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
|
|
|
2c4167 |
return CM_SUBMIT_STATUS_UNREACHABLE;
|
|
|
2c4167 |
}
|
|
|
2c4167 |
p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
|
|
|
2c4167 |
- cas, 0, 0, 0, 0, 0);
|
|
|
2c4167 |
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
|
|
|
2c4167 |
+ 0, 0, 0);
|
|
|
2c4167 |
if (p12 != NULL) {
|
|
|
2c4167 |
if (!i2d_PKCS12_fp(fp, p12)) {
|
|
|
2c4167 |
fclose(fp);
|
|
|
2c4167 |
--
|
|
|
2c4167 |
2.26.3
|
|
|
2c4167 |
|