Cloned from: https://pagure.io/freeipa/issue/9689
### Issue
The command `ipa vault-add` fails in FIPS mode on Fedora 41+.
#### Steps to Reproduce
1. Install a machine in FIPS mode: `fips-mode-setup --enable; reboot`
2. Install IPA server with KRA: `dnf install -y freeipa-server-dns; ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --forwarder 10.11.5.160 --setup-kra -a Secret123 -p Secret123 -U`
3. Try to create a vault: `echo Secret123 | kinit admin; ipa vault-add test --password Secret123 --type symmetric`
#### Actual behavior
The vault creation fails with:
```
# ipa vault-add test --password Secret123 --type symmetric
ipa: ERROR: non-public: InternalError: Unknown OpenSSL error. This error is commonly encountered
when another library is not cleaning up the OpenSSL error
stack. If you are using cryptography with another library
that uses OpenSSL try disabling it before reporting a bug.
Otherwise please file an issue at
https://github.com/pyca/cryptography/issues with
information on how to reproduce this. ([<OpenSSLError(code=478150821, lib=57, reason=165, reason_text=illegal or unsupported padding mode)>])
Traceback (most recent call last):
File "/usr/lib/python3.13/site-packages/ipalib/backend.py", line 141, in execute
return self.Command[_name](*args, **options)
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
return self.__do_call(*args, **options)
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
ret = self.run(*args, **options)
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
return self.forward(*args, **options)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 356, in forward
self.api.Command.vault_archive(*args, **opts)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
return self.__do_call(*args, **options)
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
ret = self.run(*args, **options)
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
return self.forward(*args, **options)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 967, in forward
self.api.Command.vault_retrieve(*args, **opts)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
return self.__do_call(*args, **options)
~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
ret = self.run(*args, **options)
File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
return self.forward(*args, **options)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 1162, in forward
response = self.internal(algo, transport_cert, *args, **options)
File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 759, in internal
result = self._do_internal(algo, transport_cert, False,
False, *args, **options)
File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 716, in _do_internal
wrapped_session_key = public_key.encrypt(
algo.key,
padding.PKCS1v15()
)
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered
when another library is not cleaning up the OpenSSL error
stack. If you are using cryptography with another library
that uses OpenSSL try disabling it before reporting a bug.
Otherwise please file an issue at
https://github.com/pyca/cryptography/issues with
information on how to reproduce this. ([<OpenSSLError(code=478150821, lib=57, reason=165, reason_text=illegal or unsupported padding mode)>])
ipa: ERROR: an internal error has occurred
```
`public_key` is an `RSAPublicKey`.

Packages:
```
# rpm -qa openssl python3-cryptography
openssl-3.2.2-9.fc41.x86_64
python3-cryptography-43.0.0-2.fc41.x86_64
```
The issue is seen in the test `test_integration/test_hsm.py::TestHSMVault::test_hsm_vault_create_and_retrieve_master` in FIPS mode.
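
The failing call at the bottom of the traceback (`public_key.encrypt(algo.key, padding.PKCS1v15())`) can be exercised without an IPA deployment to see whether the host's OpenSSL policy alone rejects it. The following probe is an added example, not code from the original report or from FreeIPA. It assumes a throwaway RSA key in place of the KRA transport certificate, random bytes in place of the session key, and includes OAEP only as a comparison point; the report does not say which padding FreeIPA should use.

```python
"""Probe which RSA encryption paddings the active OpenSSL provider accepts."""
import os

from cryptography.exceptions import InternalError, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS indicator


def kernel_fips_enabled(path=FIPS_FLAG):
    """Return True when the kernel reports FIPS mode, False otherwise."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def probe_paddings(public_key, session_key):
    """Try to wrap session_key with each padding; map name -> outcome."""
    candidates = {
        "PKCS1v15": padding.PKCS1v15(),  # padding used in the traceback
        "OAEP-SHA256": padding.OAEP(     # comparison only (assumption)
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None,
        ),
    }
    results = {}
    for name, pad in candidates.items():
        try:
            public_key.encrypt(session_key, pad)
            results[name] = "ok"
        except (InternalError, UnsupportedAlgorithm, ValueError) as exc:
            results[name] = "rejected: " + type(exc).__name__
    return results


def run_probe():
    # Constructed stand-ins: a throwaway RSA key instead of the KRA transport
    # certificate, and random bytes instead of the vault session key.
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return probe_paddings(private_key.public_key(), os.urandom(32))


if __name__ == "__main__":
    print("kernel FIPS flag:", kernel_fips_enabled())
    for name, outcome in run_probe().items():
        print(f"{name}: {outcome}")
```

A `rejected: InternalError` result for `PKCS1v15` on a FIPS-enabled host matches the exception type in the traceback above and shows the failure is reproducible outside the vault plugin.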