Fix pre-start.erb for Jammy FIPS stemcell (#174)

- algorithm "PBE-SHA1-3DES" is not available on FIPS Jammy (OpenSSL 3.0.2 / Ubuntu 22.04.3 LTS), error: ``` Error creating PKCS12 structure for cert.p12 error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>) error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:../crypto/pkcs12/p12_crpt.c:55: error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:191: error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127: ``` - so use the "-nomac" option instead as recommended on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES - see a similar fix in uaa-release: cloudfoundry/uaa-release@5a57378 [#186629315]
pivotal · Dec 22, 2023 · 3a25950 · 3a25950
1 parent 15759b2
commit 3a25950
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/jobs/credhub/templates/init_key_stores.erb b/jobs/credhub/templates/init_key_stores.erb
@@ -51,10 +51,10 @@ cat > ${PRIVATE_KEY_FILE} <<EOL
 <%= p('credhub.tls.private_key') %>
 EOL
 
-# Use Fips 140-2 compatible encryption algorithm
+# Use Fips-compatible option(s)
 if [ -f "/proc/sys/crypto/fips_enabled" ]; then
-  FIPS_OPTS="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
-  echo "Using Fips 140-2 compatible encryption algorithm PBE-SHA1-3DES to package cert and key with pkcs12"
+  FIPS_OPTS="-nomac"
+  echo "Using Fips-compatible option(s) to package cert and key with pkcs12"
 else
   FIPS_OPTS=""
 fi