
pre-start script of uaa-release fails on FIPS stemcell #722

Closed
Tracked by #1140
jochenehret opened this issue Dec 5, 2023 · 8 comments · Fixed by #723
@jochenehret
Contributor

We have started to evaluate cf-deployment on a FIPS compliant stemcell. See parent issue cloudfoundry/cf-deployment#1140 for more details.

On stemcell bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent, version 1.318 the pre-start script of uaa-release 76.26.0 fails because the specified PBE algorithm is not supported:

[2023-12-05T11:50:11.814726078Z] uaa-pre-start - Installing Server SSL certificate
+ openssl pkcs12 -export -certpbe PBE-SHA1-3DES -name uaa_ssl_cert -in /var/vcap/jobs/uaa/config/uaa.crt -out /var/vcap/data/uaa/uaa_keystore.p12 -password 'pass:<redacted>'
Error creating PKCS12 structure for /var/vcap/data/uaa/uaa_keystore.p12
40E7DC09B17F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>)
40E7DC09B17F0000:error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:../crypto/pkcs12/p12_crpt.c:55:
40E7DC09B17F0000:error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:191:
40E7DC09B17F0000:error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127:

FIPS_OPTS="-certpbe PBE-SHA1-3DES"

Can you replace PBE-SHA1-3DES with an algorithm that is supported on the stemcell?

Thanks and Best Regards,

Jochen.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186619337

The labels on this github issue will be updated when the story is started.

@strehle
Member

strehle commented Dec 5, 2023

hi @jochenehret

I remember that there was a fix in past, see
https://github.com/cloudfoundry/uaa-release/pull/407/files

So the existence of /proc/sys/crypto/fips_enabled is not given with your FIPS VM?

@jochenehret
Contributor Author

jochenehret commented Dec 5, 2023

FIPS_ENABLED=1 on our stemcell (otherwise, FIPS_OPTS would be empty). But the given algorithm PBE-SHA1-3DES is not accepted (perhaps it was on earlier FIPS stemcells, I don't know).

@strehle
Member

strehle commented Dec 5, 2023

OK, sorry, maybe my answer was too short.

I wanted to answer. There was an issue and PR in the past. There was a long discussion about how to fix this; the PR is linked already, later there was #408 for additional logging.

Now you say that the algorithm is not accepted anymore?

What parameters would you expect to have? I don't have a FIPS VM to test this.

@jochenehret
Contributor Author

jochenehret commented Dec 5, 2023

Yes, it seems that PBE-SHA1-3DES is not supported by default on Jammy (perhaps it was on Bionic). Here again all relevant versions:

  • bosh-aws-xen-hvm-ubuntu-jammy-fips-go_agent 1.318
  • fips_version 5.15.0-73-fips
  • OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  • Ubuntu 22.04.3 LTS

This issue could be related: openssl/openssl#17985

@jochenehret
Contributor Author

Possible solution: Use the -nomac option as explained on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES

@strehle
Member

strehle commented Dec 5, 2023

Possible solution: Use the -nomac option as explained on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES

Yes, seems to be pragmatic, because we have no old VMs anymore and we don't need to protect the p12 file; we need it only for the Tomcat ... and therefore there is no security requirement for this action.

Can you please open a PR?

@strehle
Member

strehle commented Dec 5, 2023

@torsten-sap FYI for SAP, @Tallicia for VMware
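As an added example that is not part of this issue or of uaa-release: a POSIX shell script that exports the keystore with the -nomac option discussed above and, going one step beyond the thread, also replaces PBE-SHA1-3DES with PBES2/AES-256-CBC for the certificate and key, since both the legacy PBE scheme and the integrity MAC derive their keys with PKCS12KDF (the algorithm the error output reports as unsupported). The key, certificate, paths and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not uaa-release code): build a PKCS#12 keystore without any
# use of PKCS12KDF, so the export also works with the OpenSSL FIPS provider.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/uaa.key"
CRT="$WORKDIR/uaa.crt"
P12="$WORKDIR/uaa_keystore.p12"
PASS='pass:demo-password'   # constructed; a real job injects this from its config

# Throwaway self-signed certificate standing in for the UAA server certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=uaa.example.test' \
        -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# Compared with the failing command in the issue:
#  - -certpbe/-keypbe AES-256-CBC selects PBES2 with PBKDF2 instead of the
#    PKCS#12 legacy KDF used by PBE-SHA1-3DES;
#  - -nomac omits the integrity MAC, whose key is also derived with PKCS12KDF.
export_fips_safe_p12() {
    openssl pkcs12 -export -nomac \
        -certpbe AES-256-CBC -keypbe AES-256-CBC \
        -name uaa_ssl_cert -inkey "$KEY" -in "$CRT" \
        -out "$P12" -password "$PASS"
}

# Read the keystore back without requiring a MAC; succeeds only if the
# certificate can be recovered with the same password.
verify_p12() {
    openssl pkcs12 -in "$P12" -nokeys -nomacver -password "$PASS" \
        | grep -q 'BEGIN CERTIFICATE'
}

make_demo_cert
export_fips_safe_p12
verify_p12 && echo "keystore written to $P12 (no MAC, PBES2/AES-256-CBC)"
```

Because the file carries no MAC, anything that later reads it must tolerate a missing MAC; Tomcat does, and the thread notes that the p12 only needs to be readable by it, not integrity-protected.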
