From 3a25950d5b14aa9cafd8099f4730ea605b584245 Mon Sep 17 00:00:00 2001 From: Peter Chen Date: Thu, 21 Dec 2023 15:08:51 +0800 Subject: [PATCH] Fix pre-start.erb for Jammy FIPS stemcell (#174) - algorithm "PBE-SHA1-3DES" is not available on FIPS Jammy (OpenSSL 3.0.2 / Ubuntu 22.04.3 LTS), error: ``` Error creating PKCS12 structure for cert.p12 error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties () error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:../crypto/pkcs12/p12_crpt.c:55: error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:191: error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127: ``` - so use the "-nomac" option instead as recommended on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES - see a similar fix in uaa-release: https://github.com/cloudfoundry/uaa-release/commit/5a57378ca65998e62b9562626c960fd9c0487b52 [#186629315] --- jobs/credhub/templates/init_key_stores.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/jobs/credhub/templates/init_key_stores.erb b/jobs/credhub/templates/init_key_stores.erb index 9f4a5e0f..04237dfa 100644 --- a/jobs/credhub/templates/init_key_stores.erb +++ b/jobs/credhub/templates/init_key_stores.erb @@ -51,10 +51,10 @@ cat > ${PRIVATE_KEY_FILE} < EOL -# Use Fips 140-2 compatible encryption algorithm +# Use Fips-compatible option(s) if [ -f "/proc/sys/crypto/fips_enabled" ]; then - FIPS_OPTS="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES" - echo "Using Fips 140-2 compatible encryption algorithm PBE-SHA1-3DES to package cert and key with pkcs12" + FIPS_OPTS="-nomac" + echo "Using Fips-compatible option(s) to package cert and key with pkcs12" else FIPS_OPTS="" fi
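Review bot: The replacement `FIPS_OPTS="-nomac"` removes the integrity MAC from the generated cert.p12 rather than swapping in a different algorithm, and neither the script comment (`# Use Fips-compatible option(s)`) nor the echo line says so; please make the trade-off explicit, e.g. `# FIPS: skip the PKCS12 MAC (its KDF, PKCS12KDF, is unavailable in the FIPS provider); cert/key still encrypted with the openssl default PBE` and `echo "Using -nomac (no PKCS12 integrity MAC) to package cert and key with pkcs12"`, so the next reader knows the file's integrity now rests on filesystem permissions alone. The error quoted in the commit message (`Algorithm (PKCS12KDF : 0)`) supports that explanation and would be worth referencing in the comment. Separately, the unchanged condition `if [ -f "/proc/sys/crypto/fips_enabled" ]` only tests that the sysctl file exists, which is also true on kernels running with FIPS mode off (the file then contains 0); checking its content (e.g. `grep -q '^1$' /proc/sys/crypto/fips_enabled`) would avoid dropping the MAC on non-FIPS hosts. Worth confirming in the PR that the Java side loading cert.p12 accepts a PKCS12 without MAC, as the referenced uaa-release change implies.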