From e821c0b08db4ec8519bf7cfb57a1eef9fa89530c Mon Sep 17 00:00:00 2001
From: Thomas Bechtold
Date: Mon, 19 Sep 2022 14:52:05 +0200
Subject: [PATCH] Fix openssl pkcs12 export in pre-start.erb when in FIPS mode

On a Ubuntu Bionic FIPS enabled stemcell, pre-start.erb fails. In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms.

Fixes: #358
---
 jobs/uaa/templates/bin/pre-start.erb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/jobs/uaa/templates/bin/pre-start.erb b/jobs/uaa/templates/bin/pre-start.erb
index 64a5208759..d09260d487 100755
--- a/jobs/uaa/templates/bin/pre-start.erb
+++ b/jobs/uaa/templates/bin/pre-start.erb
@@ -131,9 +131,16 @@ function process_certs {
 }
 function insert_ssl_cert {
+  local FIPS_OPTS=""
+  if [ -f "/proc/sys/crypto/fips_enabled" ]; then
+    local FIPS_ENABLED="$(cat /proc/sys/crypto/fips_enabled)"
+    if [ "${FIPS_ENABLED}" = 1 ]; then
+      FIPS_OPTS="-certpbe PBE-SHA1-3DES"
+    fi
+  fi
   log "Installing Server SSL certificate"
-  openssl pkcs12 -export -name uaa_ssl_cert \
+  openssl pkcs12 -export ${FIPS_OPTS} -name uaa_ssl_cert \
     -in /var/vcap/jobs/uaa/config/uaa.crt \
     -out /var/vcap/data/uaa/uaa_keystore.p12 \
     -password pass:k0*l*s3cur1tyr0ck$
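Review bot: The new FIPS branch only overrides the certificate PBE with `PBE-SHA1-3DES` and leaves `-keypbe` and the MAC digest at whatever the linked OpenSSL defaults to, so the private-key encryption and integrity check are still implicit, and 3DES is itself a legacy choice (NIST SP 800-131A Rev. 2 disallows TDEA encryption after 2023). Unless the JVM that later opens `uaa_keystore.p12` cannot parse PBES2 on the stemcell's Java version (worth confirming before changing it), the assignment could read `FIPS_OPTS="-certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256"`, which is accepted in FIPS mode by OpenSSL 1.1.x and 3.x; if the Java side does require 3DES, a comment above the assignment saying so would stop the next reader from "upgrading" it. Stylistically, `${FIPS_OPTS}` is left unquoted on the openssl line precisely to get word-splitting, which a bash array makes explicit without depending on IFS: `local -a fips_opts=()`, `fips_opts+=(-certpbe PBE-SHA1-3DES)`, then `"${fips_opts[@]}"` in the command. Separately, the unchanged `-password pass:…` context line puts the keystore secret on argv, readable by any local user via `/proc/<pid>/cmdline`; `-passout env:` or `-passout file:` would keep it off the command line. insert_ssl_cert's body continues past the end of the hunk.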