RHEL-66599: Pagure #9689: vault-add fails in FIPS mode

    • ipa-4.12.2-7.el10
    • No
    • Important
    • 2
    • rhel-sst-idm-ipa
    • ssg_idm
    • 14
    • 16
    • 2
    • QE ack, Dev ack
    • False
    • No
    • 2024-Q4-Alpha-S4, 2024-Q4-Alpha-S5
    • Unspecified Release Note Type - Unknown
    • None

Cloned from: https://pagure.io/freeipa/issue/9689

### Issue
The command `ipa vault-add` fails in FIPS mode on Fedora 41+.

#### Steps to Reproduce
1. Install a machine in FIPS mode: `fips-mode-setup --enable; reboot`
2. Install IPA server with KRA: `dnf install -y freeipa-server-dns; ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --forwarder 10.11.5.160 --setup-kra -a Secret123 -p Secret123 -U`
3. Try to create a vault: `echo Secret123 | kinit admin; ipa vault-add test --password Secret123 --type symmetric`

#### Actual behavior
The vault creation fails with
```
# ipa vault-add test --password Secret123 --type symmetric
ipa: ERROR: non-public: InternalError: Unknown OpenSSL error. This error is commonly encountered
                        when another library is not cleaning up the OpenSSL error
                        stack. If you are using cryptography with another library
                        that uses OpenSSL try disabling it before reporting a bug.
                        Otherwise please file an issue at
                        https://github.com/pyca/cryptography/issues with
                        information on how to reproduce this. ([<OpenSSLError(code=478150821, lib=57, reason=165, reason_text=illegal or unsupported padding mode)>])
Traceback (most recent call last):
  File "/usr/lib/python3.13/site-packages/ipalib/backend.py", line 141, in execute
    return self.Command[_name](*args, **options)
           ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
    return self.__do_call(*args, **options)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
    return self.forward(*args, **options)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 356, in forward
    self.api.Command.vault_archive(*args, **opts)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
    return self.__do_call(*args, **options)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
    return self.forward(*args, **options)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 967, in forward
    self.api.Command.vault_retrieve(*args, **opts)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 477, in __call__
    return self.__do_call(*args, **options)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 544, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.13/site-packages/ipalib/frontend.py", line 1290, in run
    return self.forward(*args, **options)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 1162, in forward
    response = self.internal(algo, transport_cert, *args, **options)
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 759, in internal
    result = self._do_internal(algo, transport_cert, False,
                               False, *args, **options)
  File "/usr/lib/python3.13/site-packages/ipaclient/plugins/vault.py", line 716, in _do_internal
    wrapped_session_key = public_key.encrypt(
        algo.key,
        padding.PKCS1v15()
    )
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered
                        when another library is not cleaning up the OpenSSL error
                        stack. If you are using cryptography with another library
                        that uses OpenSSL try disabling it before reporting a bug.
                        Otherwise please file an issue at
                        https://github.com/pyca/cryptography/issues with
                        information on how to reproduce this. ([<OpenSSLError(code=478150821, lib=57, reason=165, reason_text=illegal or unsupported padding mode)>])
ipa: ERROR: an internal error has occurred
```

`public_key` is an `RSAPublicKey`; the failing call is `public_key.encrypt(algo.key, padding.PKCS1v15())` in `_do_internal`, and OpenSSL reports `illegal or unsupported padding mode`.

Packages:
```
# rpm -qa openssl python3-cryptography
openssl-3.2.2-9.fc41.x86_64
python3-cryptography-43.0.0-2.fc41.x86_64
```

The issue is seen in the test `test_integration/test_hsm.py::TestHSMVault::test_hsm_vault_create_and_retrieve_master` in FIPS mode.
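An added example, not FreeIPA's code or its fix, that isolates the call from the traceback: the OpenSSL FIPS provider rejects RSA PKCS#1 v1.5 encryption padding (the `illegal or unsupported padding mode` reason above), whereas RSA-OAEP is the FIPS-approved RSA encryption scheme for wrapping a session key. It uses a constructed throwaway key pair in place of the KRA transport certificate's key, and the function names are my own.

```python
# Added example (not FreeIPA code). The traceback fails inside
# public_key.encrypt(session_key, padding.PKCS1v15()). Under the OpenSSL
# FIPS provider that padding mode is refused, so a session key that must be
# wrapped on a FIPS host has to use RSA-OAEP. Both paths are kept so the
# failure mode can be reproduced and the OAEP path verified on any host.
import os
from cryptography.exceptions import InternalError
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# OAEP with SHA-256 for both the hash and the MGF1 mask generation.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def new_transport_keypair():
    """Constructed throwaway RSA-2048 pair standing in for the transport cert key."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def wrap_session_key_oaep(public_key, session_key: bytes) -> bytes:
    """Wrap a symmetric session key with RSA-OAEP (accepted in FIPS mode)."""
    return public_key.encrypt(session_key, OAEP)


def unwrap_session_key_oaep(private_key, wrapped: bytes) -> bytes:
    """Unwrap; raises if the ciphertext was tampered with or is malformed."""
    return private_key.decrypt(wrapped, OAEP)


def wrap_session_key_pkcs1v15(public_key, session_key: bytes):
    """The call from the traceback. Returns the wrapped key, or None when the
    OpenSSL backend refuses the padding mode, as it does in FIPS mode."""
    try:
        return public_key.encrypt(session_key, padding.PKCS1v15())
    except (InternalError, ValueError):
        return None


def fips_probe() -> str:
    """Report whether this host's OpenSSL still accepts PKCS#1 v1.5 wrapping."""
    private_key, public_key = new_transport_keypair()
    session_key = os.urandom(32)  # e.g. an AES-256 vault session key
    assert unwrap_session_key_oaep(private_key, wrap_session_key_oaep(public_key, session_key)) == session_key
    legacy = wrap_session_key_pkcs1v15(public_key, session_key)
    return "PKCS1v15 refused (FIPS)" if legacy is None else "PKCS1v15 accepted (non-FIPS)"
```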
      

Florence Renaud (frenaud@redhat.com)
Erik Belko