RHEL-68621

pkcs11-provider doesn't work when FIPS mode is enabled


    • pkcs11-provider-1.0-1.el10
    • No
    • Low
    • 1
    • rhel-security-crypto
    • ssg_security
    • 28
    • 1
    • False
    • False
    • Yes
    • Crypto25Q1
    • AC1) Upstream self-test passes in FIPS mode.
    • AC2) All downstream tests pass in FIPS mode.
    • Pass
    • Not Needed
    • Automated
    • Known Issue
    • .Cryptographic tokens do not work in FIPS mode with `pkcs11-provider`

      When the system runs in FIPS mode, the `pkcs11-provider` OpenSSL provider is loaded, but none of the algorithms it offers are marked as FIPS-compatible, so OpenSSL never selects them and falls back to the default provider. Consequently, OpenSSL fails to load PKCS #11 keys (it treats the `pkcs11:` URI as a file path), and cryptographic tokens do not work in this scenario.

      Workaround: Set the `pkcs11-module-assume-fips = true` parameter in the PKCS #11 section of the `openssl.cnf` file. See the `pkcs11-provider(7)` man page on your system for more information. With this configuration change, `pkcs11-provider` works in FIPS mode. Note that this setting only changes what the provider reports to OpenSSL; it does not make the token itself FIPS-validated, so enable it only for tokens whose FIPS status you have verified.
    • Done
    • All
    • None

      What were you trying to do that didn't work?

      When we are running pkcs11-provider and FIPS mode is enabled, the provider is loaded by OpenSSL, but none of the functions are FIPS-compatible, so none of them is called or used. Trying to load a pkcs11 URI makes OpenSSL fall back to the default provider and try to open it as a file. This fails and the "Failed to open OpenSSL store: error:8000000D:system library::Permission denied" error message is printed.

      Upstream bugs: https://github.com/latchset/pkcs11-provider/issues/469 and https://github.com/latchset/pkcs11-provider/issues/164

      What is the impact of this issue to you?

      Moderate

      Please provide the package NVR for which the bug is seen:

      pkcs11-provider-0.5-7

      How reproducible is this bug?:

      Always

      Expected results

      The pkcs11 keys (both RSA and ECDSA) should be able to be loaded by the pkcs11-provider in FIPS mode.

      Actual results

      The pkcs11 keys (both RSA and ECDSA) are not able to be loaded by the pkcs11-provider in FIPS mode.
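      The workaround from the release note above, written out as an `openssl.cnf` fragment. This is an added example, not configuration from the issue or from the pkcs11-provider project; the section names follow the layout the provider's documentation uses, and the `module` and `pkcs11-module-path` locations (a RHEL-style `ossl-modules` directory and a SoftHSM token module as a stand-in for a real token) are assumptions to adjust for your system. On RHEL the FIPS provider itself is activated by the system `openssl.cnf` and crypto-policies, so only the `pkcs11` lines need to be merged into the existing sections.

```ini
# Added example (not from the issue): activate pkcs11-provider alongside the
# default provider and make it usable in FIPS mode.

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Shared object of the OpenSSL provider (assumed path).
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS #11 module of the token; SoftHSM shown as a stand-in (assumed path).
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
# Default (false): in FIPS mode the provider's algorithms are never selected,
# pkcs11: URIs fall through to the default provider and fail as in the report.
# pkcs11-module-assume-fips = false
# Workaround: tell the provider to report the token's algorithms as usable in
# FIPS mode. Only set this for a token whose FIPS status you have verified.
pkcs11-module-assume-fips = true
activate = 1
```

      After the change, `openssl list -providers` should show `pkcs11` next to the other active providers, and `openssl storeutl -text "pkcs11:token=...;object=..."` (with your token's URI) should print the key instead of the "Failed to open OpenSSL store" error from the description.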

              Simo Sorce, George Pantelakis, Ondrej Moris, Mirek Jahoda