Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-66599

Pagure #9689: vault-add fails in FIPS mode

XMLWordPrintable

    • ipa-4.12.2-7.el10
    • No
    • Important
    • 2
    • rhel-sst-idm-ipa
    • ssg_idm
    • 14
    • 16
    • 2
    • QE ack, Dev ack
    • False
    • Hide

      None

      Show
      None
    • No
    • 2024-Q4-Alpha-S4, 2024-Q4-Alpha-S5
    • Unspecified Release Note Type - Unknown
    • None 

      Cloned from: https://pagure.io/freeipa/issue/9689

### Issue
The command ipa vault-add fails in FIPS mode on fedora 41+.

#### Steps to Reproduce
1. install a machine in fips mode: `fips-mode-setup --enable; reboot`
2. Install IPA server with KRA: `dnf install -y freeipa-server-dns; ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --forwarder 10.11.5.160 --setup-kra -a Secret123 -p Secret123 -U`
3. Try to create a vault: `echo Secret123 | kinit admin; ipa vault-add test --password Secret123 --type symmetric`

#### Actual behavior
The vault creation fails with
```
# ipa vault-add test --password Secret123 --type symmetric
ipa: ERROR: non-public: InternalError: Unknown OpenSSL error. This error is commonly encountered
                        when another library is not cleaning up the OpenSSL error
                        stack. If you are using cryptography with another library
                        that uses OpenSSL try disabling it before reporting a bug.
                        Otherwise please file an issue at
                        https://github.com/pyca/cryptography/issues with
                        information on how to reproduce this. ([<OpenSSLError(code=478150821, lib=57, reason=165, reason_text=illegal or unsupported padding mode)>])
Traceback (most recent call last):
  File "/usr/lib/python3.13/site-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
           ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
    return self.__do_call(*args, **options)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
    return self.forward(*args, **options)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 356, in forward
    self.api.Command.vault_archive(*args, **opts)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
    return self.__do_call(*args, **options)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
    return self.forward(*args, **options)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 967, in forward
    self.api.Command.vault_retrieve(*args, **opts)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
    return self.__do_call(*args, **options)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
    return self.forward(*args, **options)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 1162, in forward
    response = self.internal(algo, transport_cert, *args, **options)
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 759, in internal
    result = self._do_internal(algo, transport_cert, False,
                               False, *args, **options)
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 716, in _do_internal
    wrapped_session_key = public_key.encrypt(
        algo.key,
        padding.PKCS1v15()
    )
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered
                        when another library is not cleaning up the OpenSSL error
                        stack. If you are using cryptography with another library
                        that uses OpenSSL try disabling it before reporting a bug.
                        Otherwise please file an issue at
                        https://github.com/pyca/cryptography/issues with
                        information on how to reproduce this. ([<OpenSSLError(code=478150821, lib=57, reason=165, reason_text=illegal or unsupported padding mode)>])
ipa: ERROR: an internal error has occurred
```

public_key is an RSAPublicKey

Packages:
```
# rpm -qa openssl python3-cryptography
openssl-3.2.2-9.fc41.x86_64
python3-cryptography-43.0.0-2.fc41.x86_64
```

The issue is seen in the test test_integration/test_hsm.py::TestHSMVault::test_hsm_vault_create_and_retrieve_master in FIPS mode

              frenaud@redhat.com Florence Renaud
              frenaud@redhat.com Florence Renaud
              Florence Renaud Florence Renaud
              Erik Belko Erik Belko
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: