+++ This bug was initially created as a clone of Bug #1460671 +++
Description of problem:
If an Extension is installed, wala will run openssl pkcs12 to generate the certificate, which goes wrong in FIPS mode.
Version-Release number of selected component (if applicable):
WALinuxAgent-2.2.12-1
RHEL Version:
RHEL-6.9
How reproducible:
100%
Steps to Reproduce:
1. Prepare a VM in Azure. Enable FIPS following the document: https://access.redhat.com/solutions/137833
1). yum install dracut-fips
2). mv -v /boot/initramfs-$(uname -r).img{,.bak}
dracut
3). grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
uuid=$(findmnt -no uuid /boot)
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
4). reboot
2. Run "reset remote access" to install an Extension into the VM. There are no error logs in waagent.log.
3. Set "OS.EnableFIPS=y" in /etc/waagent.conf. Restart the waagent service.
4. Check if the extension works. Check /var/log/waagent.log
Actual results:
The extension doesn't work. The waagent -run-exthandler process keeps restarting.
There are error logs in waagent.log:
2017/06/09 18:41:23.406056 WARNING Server preferred version:2015-04-05
2017/06/09 18:41:28.146195 ERROR Command: '/usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem'
2017/06/09 18:41:28.184821 ERROR Return code: 1
2017/06/09 18:41:28.195972 ERROR Result: MAC verified OK
Error outputting keys and certificates
140308542494624:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140308542494624:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140308542494624:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2017/06/09 18:41:28.306785 ERROR Failed to run 'run-exthandlers': Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/azurelinuxagent/agent.py", line 147, in main
agent.run_exthandlers()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/agent.py", line 117, in run_exthandlers
update_handler.run()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/update.py", line 236, in run
get_monitor_handler().run()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/monitor.py", line 96, in run
self.init_sysinfo()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/monitor.py", line 121, in init_sysinfo
protocol = self.protocol_util.get_protocol()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 261, in get_protocol
self.protocol = self._detect_protocol(protocols)
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 183, in _detect_protocol
return self._detect_wire_protocol()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 152, in _detect_wire_protocol
protocol.detect()
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 99, in detect
self.client.update_goal_state(forced=True)
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 729, in update_goal_state
self.update_certs(goal_state)
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 688, in update_certs
self.certs = Certificates(self, xml_text)
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 1147, in __init__
self.parse(xml_text)
File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 1218, in parse
thumbprint = thumbprints[pubkey]
KeyError: u'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAocW4DnlCqiI8MrQAj8ec\nZACpCKUwPCPg3vDYGLdwqvKs9H9bMxy1cXzgGFnPgfG/azfyzB3kbDlW+I9DMLq9\nw2ntdRdDn2esLlToWymQcQjs0FesvJhppgJSe0hOlUCBBgmWqFC1Lfom+SGDnxeR\nkc6z42ExX4VPRvNKeU7yZwoOqpTZmy2FXNxVe3db0nB87ZRRy15gXjHICFPMG4HV\nsPI/xDttaqTLlzmmGVh36oxE8WVCNiTarTOTNfA4udNmk07Xw2Y3lrms28jr2AKj\ngxpI+IUraN8reLUVNmkumeNwEl0ttdv6ngltkGCoNh+3lKVpnugahB+GCQ5hamCe\nGQIDAQAB\n-----END PUBLIC KEY-----\n'
Expected results:
The extension can work well in FIPS mode.
Additional info:
1. I ran this command manually and it also didn't work.
1). export OPENSSL_FIPS=1
2). Run command:
# /usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem
3). Output:
MAC verified OK
Error outputting keys and certificates
140520158844832:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181:
140520158844832:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
140520158844832:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2. It also impacts VM provisioning when authenticating with an SSH key in FIPS mode.
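The "EVP_PBE_CipherInit:unknown cipher" error above is what a FIPS-mode OpenSSL reports when a PKCS#12 password-based-encryption scheme names a cipher the FIPS module does not provide. The RC2- and RC4-based PKCS#12 PBE schemes from RFC 7292 are the usual cause, since neither RC2 nor RC4 is a FIPS-approved cipher, and OpenSSL of that era uses pbeWithSHA1And40BitRC2-CBC by default when exporting the certificate part of a bundle. The script below is an example added here; it is not part of WALinuxAgent or of the original report. It walks the DER of a bundle such as the output of the "openssl cms -decrypt" stage and lists the algorithm OIDs it carries without decrypting anything, so you can see which PBE scheme a bundle uses before pkcs12 chokes on it. The function names, the "sample_pfx" builder (a cut-down PFX skeleton constructed for offline testing, not a real Azure certificate bundle) and the OTHER_NAMES table (names only; it does not assert that those algorithms pass a given FIPS module) are this example's own.

```python
#!/usr/bin/env python3
"""Scan a DER blob (e.g. the PKCS#12 that ``openssl cms -decrypt`` emits)
for the password-based-encryption OIDs it uses, without decrypting it.

Usage:  openssl cms -decrypt -in Certificates.p7m -inkey TransportPrivate.pem \
            -recip TransportCert.pem | python3 p12_pbe_check.py

Added example for this bug report; not WALinuxAgent code.  Standard library only."""
import sys

# PKCS#12 PBE schemes built on RC2/RC4 (RFC 7292 appendix C).  RC2 and RC4 are not
# FIPS-approved, so a FIPS-mode OpenSSL cannot instantiate them; that is the
# "EVP_PBE_CipherInit:unknown cipher" failure seen in the log.
RC2_RC4_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
    "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
}
# Other OIDs worth naming in the report.  Listed for readability only; whether a
# FIPS module accepts each of them depends on the module version.
OTHER_NAMES = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.1.7.1": "pkcs7-data",
    "1.2.840.113549.1.7.6": "pkcs7-encryptedData",
}


def _read_length(buf, i):
    """Decode the DER length octets at buf[i]; return (length, offset of content)."""
    if i >= len(buf):
        raise ValueError("missing length at offset %d" % i)
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("indefinite or malformed length at offset %d" % i)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _elements(buf):
    """Yield (tag, content) for the top-level DER elements of buf; raise
    ValueError if buf is not a clean run of definite-length DER elements."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag at offset %d" % i)
        length, start = _read_length(buf, i + 1)
        end = start + length
        if end > len(buf):
            raise ValueError("element overruns buffer at offset %d" % i)
        yield tag, buf[start:end]
        i = end


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def find_oids(buf):
    """Every OBJECT IDENTIFIER in buf, in encounter order.  Descends into
    constructed elements (SEQUENCE, SET, [n]) and into OCTET STRINGs whose
    contents parse cleanly as DER: PKCS#12 nests its AuthenticatedSafe and
    SafeContents inside OCTET STRINGs, while ciphertext does not parse."""
    found = []
    for tag, content in _elements(buf):
        if tag == 0x06:                       # OBJECT IDENTIFIER
            found.append(decode_oid(content))
        elif tag & 0x20:                      # constructed element
            found.extend(find_oids(content))
        elif tag == 0x04:                     # OCTET STRING, maybe nested DER
            try:
                found.extend(find_oids(content))
            except ValueError:
                pass                          # opaque (ciphertext, salt): skip
    return found


def blocked_pbe_schemes(buf):
    """Names of the RC2/RC4 PKCS#12 PBE schemes present in buf."""
    return [RC2_RC4_PBE[oid] for oid in find_oids(buf) if oid in RC2_RC4_PBE]


def der(tag, content):
    """Encode one definite-length DER element (used to build sample data)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID into its DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_pfx(cert_pbe_oid):
    """Constructed sample: a cut-down PFX (version, authSafe ContentInfo whose
    OCTET STRING holds one pkcs7-encryptedData naming the certificate PBE
    scheme).  The ciphertext is dummy bytes; only the identifiers matter."""
    SEQ, INT, OCT, OID, CTX0 = 0x30, 0x02, 0x04, 0x06, 0xA0
    pbe_params = der(SEQ, der(OCT, b"\x00" * 8) + der(INT, b"\x08\x00"))  # salt, 2048
    alg = der(SEQ, der(OID, encode_oid(cert_pbe_oid)) + pbe_params)
    enc_content_info = der(SEQ, der(OID, encode_oid("1.2.840.113549.1.7.1"))
                           + alg + der(0x80, b"\xde\xad\xbe\xef" * 4))  # [0] IMPLICIT
    encrypted_data = der(SEQ, der(INT, b"\x00") + enc_content_info)
    content_info = der(SEQ, der(OID, encode_oid("1.2.840.113549.1.7.6"))
                       + der(CTX0, encrypted_data))
    auth_safe = der(SEQ, content_info)
    outer = der(SEQ, der(OID, encode_oid("1.2.840.113549.1.7.1"))
                + der(CTX0, der(OCT, auth_safe)))
    return der(SEQ, der(INT, b"\x03") + outer)


def main(argv):
    data = sys.stdin.buffer.read() if len(argv) < 2 else open(argv[1], "rb").read()
    for oid in find_oids(data):
        name = RC2_RC4_PBE.get(oid) or OTHER_NAMES.get(oid, "?")
        flag = "  <-- not available in FIPS mode" if oid in RC2_RC4_PBE else ""
        print("%-28s %s%s" % (oid, name, flag))
    return 1 if blocked_pbe_schemes(data) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The cms step evidently succeeds on this VM, since pkcs12 gets as far as "MAC verified OK", so its output can be piped into the script as in the usage line. When you control the producer, exporting with "openssl pkcs12 -export -certpbe AES-256-CBC -keypbe AES-256-CBC" avoids the RC2 default; the bundle here is delivered by the wire server as part of the goal state, so that is not an option on the VM side.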
--- Additional comment from Red Hat Bugzilla Rules Engine on 2017-06-12 07:35:19 EDT ---
Since this bug report was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.