From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 14 Apr 2021 15:34:48 -0400
Subject: [PATCH] Fix local CA to work under FIPS

The PKCS12 file used for the local CA fails to be created because
it uses default OpenSSL encryption algorithms that are disallowed
under FIPS.  This patch simply updates the PKCS12_create() command
to use allowed encryption algorithms.
---
 src/local.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/local.c b/src/local.c
index 92bea144..2f50ac77 100644
--- a/src/local.c
+++ b/src/local.c
@@ -39,6 +39,7 @@
 
 #include <openssl/asn1.h>
 #include <openssl/err.h>
+#include <openssl/obj_mac.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/rand.h>
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
 			return CM_SUBMIT_STATUS_UNREACHABLE;
 		}
 		p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
-				    cas, 0, 0, 0, 0, 0);
+				    cas, NID_aes_128_cbc, NID_aes_128_cbc,
+				    0, 0, 0);
 		if (p12 != NULL) {
 			if (!i2d_PKCS12_fp(fp, p12)) {
 				fclose(fp);
-- 
2.26.3