From 8f35c1c705a7584cdcc9ad5c6fb15ba940ec3f4a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Thu, 23 Nov 2017 18:06:56 +0100
Subject: [PATCH] Fix ca less IPA install on fips mode

When ipa-server-install is run in fips mode and ca-less, the installer fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file in a separate key file. The installer transforms the key into PKCS#8 format using openssl pkcs8 -topk8 but this command fails on a fips-enabled server, unless the options -v2 aes256 -v2prf hmacWithSHA256 are also provided.

Fixes: https://pagure.io/freeipa/issue/7280
Reviewed-By: Christian Heimes
Reviewed-By: Christian Heimes
---
 ipapython/certdb.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 114c58340253141706afa461ecaf87797562ca1d..f198811e0fd02c8925f0dcfa8764535b35ed29ed 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -499,9 +499,13 @@ class NSSDatabase(object):
 "Can't load private key from both %s and %s" % (key_file, filename))
+ # the args -v2 aes256 -v2prf hmacWithSHA256 are needed
+ # on OpenSSL 1.0.2 (fips mode). As soon as FreeIPA
+ # requires OpenSSL 1.1.0 we'll be able to drop them
 args = [
 OPENSSL, 'pkcs8', '-topk8',
+ '-v2', 'aes256', '-v2prf', 'hmacWithSHA256',
 '-passout', 'file:' + self.pwd_file,
 ]
 if ((label != 'PRIVATE KEY' and key_password) or
-- 
2.13.6
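Review bot: The new comment above `args` gives only the FIPS motivation for `'-v2', 'aes256', '-v2prf', 'hmacWithSHA256'`, which invites dropping them as FIPS-only cruft, but they also decide how the temporary PKCS#8 file written under `self.pwd_file` is protected: without `-v2`, `openssl pkcs8 -topk8` on OpenSSL 1.0.2 falls back to the legacy PKCS#5 v1.5 scheme (pbeWithMD5AndDES-CBC), which FIPS mode rejects and which is weak on any server. OpenSSL 1.1.0 makes PBKDF2 with AES-256-CBC and hmacWithSHA256 the default, so the arguments become redundant there but never harmful. I would reword the comment to state that the explicit PBES2 parameters are required on OpenSSL 1.0.2 in FIPS mode and also avoid the weak v1.5 default on non-FIPS 1.0.2, and that they can be removed only once OpenSSL 1.1.0 is the minimum, where they are the default anyway. If any supported platform still builds against an OpenSSL older than 1.0.2, `-v2prf` is presumably not recognized there, so the minimum supported OpenSSL version is worth confirming. The enclosing method starts and ends outside the hunk.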