RHEL-85985

sq: unable to generate key in FIPS


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.2
    • rhel-10.0, rhel-10.0.z
    • rust-sequoia-sq
    • No
    • Low
    • 3
    • rhel-security-crypto-spades
    • ssg_security
    • 12
    • 1
    • False
    • False
    • None
    • Yes
    • Crypto25August, Crypto25September, Crypto25November
    • Basic crypto operations work in FIPS mode by default:

      1. generate
      2. encrypt without signature
      3. encrypt with signature
      4. decrypt without verification
      5. decrypt with verification
      6. sign
      7. verify
    • Pass
    • None
    • Known Issue
    • Cause: The use of a deprecated OpenSSL API prevents using sq in FIPS mode.
      Consequence: The Sequoia OpenPGP cannot generate keys in FIPS mode in the default configuration.
      Workaround: N/A
      Result:
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      sq is not able to generate keys in FIPS mode:

      # sq key generate --new-password-file /etc/passwd --userid fipsuser --own-key
      thread 'main' panicked at /builddir/build/BUILD/sequoia-sq-1.3.0/vendor/sequoia-openpgp/src/crypto/mem.rs:408:41:
      called `Result::unwrap()` on an `Err` value: Custom { kind: Other, error: error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (AES-256-OCB : 0), Properties () }
      note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
      
      # RUST_BACKTRACE=1 sq key generate --new-password-file /etc/passwd --userid fipsuser --own-key
      Killed
      

      Package versions:
      sequoia-sq-1.3.0-2.el10_0
      openssl-libs-3.2.2-16.el10

              Jakub Jelen (jjelen@redhat.com)
              Stanislav Zidek (szidek@redhat.com)
              Mirek Jahoda