Bug
Resolution: Unresolved
rhel-10.0.beta
rhel-sst-security-special-projects
ssg_security
When running a basic attestation scenario in FIPS an agent doesn't pass the attestation as there is a failure during the attestation.
I am reporting this against keylime, although it is possible that the fix should target the agent (or both).
Please provide the package NVR for which bug is seen:
openssl-3.2.2-7.el10.x86_64
keylime-7.9.0-2.el10.noarch
keylime-agent-rust-0.2.5-3.el10.x86_64
How reproducible:
always
Steps to reproduce
- enable FIPS on a test system
- run basic keylime attestation scenario, i.e. almost any test
Expected results
everything works
Actual results
Agent won't pass validation
keylime_tenant command shows the following traceback:
2024-07-29 12:02:44.521 - keylime.tenant - INFO - Quote from Agent d432fbb3-d2f1-4a97-9ef7-75bd81c00000 (127.0.0.1:9002) validated
2024-07-29 12:02:44.522 - keylime.tenant - ERROR - This combination of padding and hash algorithm is not supported by this backend.
Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/keylime/cmd/tenant.py", line 10, in main
    tenant.main()
  File "/usr/lib/python3.12/site-packages/keylime/tenant.py", line 1696, in main
    mytenant.do_quote()
  File "/usr/lib/python3.12/site-packages/keylime/tenant.py", line 1148, in do_quote
    encrypted_U = crypto.rsa_encrypt(crypto.rsa_import_pubkey(public_key), self.U)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/keylime/crypto.py", line 125, in rsa_encrypt
    return key.encrypt(
           ^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 550, in encrypt
    return _enc_dec_rsa(self._backend, self, plaintext, padding)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 85, in _enc_dec_rsa
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: This combination of padding and hash algorithm is not supported by this backend.
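
The traceback above ends in UnsupportedAlgorithm raised from key.encrypt() in python-cryptography. The following diagnostic is an added example, not code from keylime or from this report: it checks which RSA-OAEP hash choices the local backend accepts, which helps narrow down a padding/hash rejection like this one on a FIPS-enabled host. The names probe_oaep and CANDIDATES are hypothetical, and the list of digests tried is an assumption, since the report does not state which padding keylime's rsa_encrypt() requests.

```python
# Added diagnostic (not keylime code): probe which RSA-OAEP hash choices the
# local python-cryptography / OpenSSL backend accepts for encryption.
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption: digests to try. The bug report does not say which one keylime uses.
CANDIDATES = {
    "sha1": hashes.SHA1,
    "sha256": hashes.SHA256,
    "sha384": hashes.SHA384,
    "sha512": hashes.SHA512,
}


def probe_oaep(key_size=2048):
    """Return {digest_name: bool}: True if OAEP with that digest round-trips."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    public_key = private_key.public_key()
    message = b"constructed test payload"  # constructed sample input
    results = {}
    for name, algo in CANDIDATES.items():
        # Same digest for the OAEP hash and for MGF1, no label.
        pad = padding.OAEP(
            mgf=padding.MGF1(algorithm=algo()),
            algorithm=algo(),
            label=None,
        )
        try:
            ciphertext = public_key.encrypt(message, pad)
            results[name] = private_key.decrypt(ciphertext, pad) == message
        except UnsupportedAlgorithm:
            # Same exception class as in the traceback: the backend refuses
            # this padding/hash combination.
            results[name] = False
    return results


if __name__ == "__main__":
    for digest, supported in probe_oaep().items():
        print(f"OAEP/MGF1 with {digest}: {'supported' if supported else 'REJECTED'}")
```

Running it once with FIPS enabled and once without on the same host shows whether the rejection comes from the FIPS policy or from the package versions.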