From 3e37730a758aa775bdd959992c591d4ef0264b99 Mon Sep 17 00:00:00 2001
From: Thomas Bechtold <thomas.bechtold@canonical.com>
Date: Mon, 19 Sep 2022 14:52:05 +0200
Subject: [PATCH] Fix openssl pkcs12 export in pre-start.erb when in FIPS mode

On a Ubuntu Bionic FIPS enabled stemcell, pre-start.erb fails.
In FIPS Mode, the PKCS#12 format must use compatible encryption and
hashing algorithms.

Fixes: #358
---
 jobs/uaa/templates/bin/pre-start.erb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/jobs/uaa/templates/bin/pre-start.erb b/jobs/uaa/templates/bin/pre-start.erb
index 64a5208759..af77cb074b 100755
--- a/jobs/uaa/templates/bin/pre-start.erb
+++ b/jobs/uaa/templates/bin/pre-start.erb
@@ -131,9 +131,13 @@ function process_certs {
 }
 
 function insert_ssl_cert {
+    local FIPS_OPTS=""
+    if [ -f "/proc/sys/crypto/fips_enabled" ] && [ "$(</proc/sys/crypto/fips_enabled)" = "1" ]; then
+        FIPS_OPTS="-certpbe PBE-SHA1-3DES"
+    fi
     log "Installing Server SSL certificate"
 
-    openssl pkcs12 -export -name uaa_ssl_cert \
+    openssl pkcs12 -export "${FIPS_OPTS}" -name uaa_ssl_cert \
         -in /var/vcap/jobs/uaa/config/uaa.crt \
         -out /var/vcap/data/uaa/uaa_keystore.p12 \
         -password pass:k0*l*s3cur1tyr0ck$