RHEL-50925 (project: RHEL)

keylime doesn't work when FIPS is enabled

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version: rhel-10.0.beta
    • Component: keylime
    • Team: rhel-sst-security-special-projects
    • Labels: ssg_security

      When running a basic attestation scenario in FIPS mode, an agent doesn't pass the attestation, as there is a failure during the attestation.

      I am reporting this against keylime, although it is possible that the fix should target the agent (or both).

      Please provide the package NVR for which the bug is seen:

      openssl-3.2.2-7.el10.x86_64

      keylime-7.9.0-2.el10.noarch

      keylime-agent-rust-0.2.5-3.el10.x86_64

      How reproducible:

      always

      Steps to reproduce

      1. enable FIPS on a test system
      2. run basic keylime attestation scenario, i.e. almost any test

      Expected results

      everything works

      Actual results

      Agent won't pass validation

      keylime_tenant command shows the following traceback:

      2024-07-29 12:02:44.521 - keylime.tenant - INFO - Quote from Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 (127.0.0.1:9002) validated
      2024-07-29 12:02:44.522 - keylime.tenant - ERROR - This combination of padding and hash algorithm is not supported by this backend.
      Traceback (most recent call last):
        File "/usr/lib/python3.12/site-packages/keylime/cmd/tenant.py", line 10, in main
          tenant.main()
        File "/usr/lib/python3.12/site-packages/keylime/tenant.py", line 1696, in main
          mytenant.do_quote()
        File "/usr/lib/python3.12/site-packages/keylime/tenant.py", line 1148, in do_quote
          encrypted_U = crypto.rsa_encrypt(crypto.rsa_import_pubkey(public_key), self.U)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/usr/lib/python3.12/site-packages/keylime/crypto.py", line 125, in rsa_encrypt
          return key.encrypt(
                 ^^^^^^^^^^^^
        File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in encrypt
          return _enc_dec_rsa(self._backend, self, plaintext, padding)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 85, in _enc_dec_rsa
          raise UnsupportedAlgorithm(
      cryptography.exceptions.UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.

    • People: Anderson Sasaki (ansasaki@redhat.com), Karel Srot (ksrot@redhat.com), Sergio Correia, SSG Security QE
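The traceback above ends in `cryptography`'s `UnsupportedAlgorithm` raised from `key.encrypt(...)` inside keylime's `crypto.rsa_encrypt`, i.e. the OpenSSL backend refused the OAEP padding parameters the tenant asked for while in FIPS mode. The block below is an added example, not keylime's or keylime-agent-rust's own code, showing how a practitioner would pin the failure down and work around it: it probes which RSA-OAEP digest combinations the installed backend will actually encrypt with, and wraps the U-share encryption so a FIPS-acceptable digest (SHA-256) is tried before the legacy one. It assumes, and this is an assumption not stated in the report, that keylime 7.9's `rsa_encrypt` pads with OAEP over SHA-1 for both the OAEP hash and MGF1, which the OpenSSL FIPS provider rejects, and that SHA-256 is accepted. All function names, the candidate table and the throwaway key are the example's own; the agent must be told which digest was chosen, since it has to decrypt with the same one.

```python
"""Added example (not keylime project code): probe RSA-OAEP digest support on the
installed `cryptography` backend and encrypt with a FIPS-acceptable digest first.

Assumptions (not stated in the bug report): keylime's crypto.rsa_encrypt is assumed
to use OAEP with SHA-1 for both the OAEP hash and MGF1, which the OpenSSL FIPS
provider rejects; SHA-256 is assumed to be accepted. Names below are hypothetical.
"""
import secrets

from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Candidate OAEP digest parameterisations, keyed by a name the peer can be told.
OAEP_CANDIDATES = {
    "sha1": hashes.SHA1,      # legacy; expected to fail under FIPS
    "sha256": hashes.SHA256,  # FIPS-friendly
    "sha384": hashes.SHA384,
}


def oaep_padding(hash_cls):
    """OAEP padding using the same digest for the OAEP hash and for MGF1."""
    return padding.OAEP(mgf=padding.MGF1(algorithm=hash_cls()), algorithm=hash_cls(), label=None)


def probe_oaep_support(public_key):
    """Return {name: bool} for each candidate the backend is willing to encrypt with.

    Only UnsupportedAlgorithm (the exception in the keylime traceback) is treated as
    'not supported'; anything else is a genuine error and propagates.
    """
    results = {}
    for name, hash_cls in OAEP_CANDIDATES.items():
        try:
            public_key.encrypt(b"probe", oaep_padding(hash_cls))
            results[name] = True
        except UnsupportedAlgorithm:
            results[name] = False
    return results


def rsa_encrypt_preferring_fips(public_key, message, order=("sha256", "sha384", "sha1")):
    """Encrypt `message` with the first OAEP digest in `order` the backend accepts.

    SHA-256 is tried first so the tenant keeps working in FIPS mode; SHA-1 is only a
    last resort for legacy peers. Returns (ciphertext, chosen_name) because the peer
    must decrypt with exactly the same digest.
    """
    last_error = None
    for name in order:
        try:
            return public_key.encrypt(message, oaep_padding(OAEP_CANDIDATES[name])), name
        except UnsupportedAlgorithm as exc:
            last_error = exc
    raise UnsupportedAlgorithm("no OAEP digest accepted by this backend") from last_error


def rsa_decrypt_with(private_key, ciphertext, name):
    """Agent-side counterpart: decrypt with the digest the tenant announced."""
    return private_key.decrypt(ciphertext, oaep_padding(OAEP_CANDIDATES[name]))


def demo():
    """Constructed round trip on a throwaway 2048-bit key; no real agent is involved.

    Returns (support_table, digest_used, round_trip_ok).
    """
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key = private_key.public_key()
    u_share = secrets.token_bytes(32)  # stands in for the tenant's 32-byte U share
    ciphertext, chosen = rsa_encrypt_preferring_fips(public_key, u_share)
    recovered = rsa_decrypt_with(private_key, ciphertext, chosen)
    return probe_oaep_support(public_key), chosen, recovered == u_share


if __name__ == "__main__":
    support, chosen, ok = demo()
    print("backend OAEP support:", support)
    print("digest used:", chosen, "round trip ok:", ok)
```

Run it once on a non-FIPS host and once with `fips-mode-setup --enable` active (or `OPENSSL_FORCE_FIPS_MODE=1` on distributions that honour it): the support table is what differs, and it is the quickest way to confirm which digest the tenant and agent must agree on.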