Bug 1912493

Summary: pkispawn reports incorrect FIPS mode
Product: Red Hat Enterprise Linux 8 Reporter: Pritam Singh <prisingh>
Component: pki-core Assignee: Pritam Singh <prisingh>
Status: CLOSED ERRATA QA Contact: PKI QE <bugzilla-pkiqe>
Severity: low Docs Contact:
Priority: low    
Version: 8.4 CC: aakkiang, edewata
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.6-8040020210114180044.d4d99205 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:25:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pritam Singh 2021-01-04 15:21:15 UTC
Description of problem:
pkispawn generates 'INFO: FIPS Mode: True' even if the FIPS mode is not enabled on the machine

Version-Release number of selected component (if applicable):
pki-core-10.10.2-1.module+el8.4.0+9165+77c6d399.src.rpm

How reproducible:
Always

Steps to Reproduce:
1. Check whether FIPS mode is enabled or not
# fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is disabled.

2. pkispawn subsystem with --debug
3. The spawn logs will generate 'INFO: FIPS Mode: True'

Actual results:
The spawn log shows 'INFO: FIPS Mode: True' for a non-FIPS machine

Expected results:
The spawn log should print 'INFO: FIPS Mode: False' for a non-FIPS machine and vice versa

Additional info:
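
Added example, not part of the original report and not pki-core code: a Python check that compares the 'INFO: FIPS Mode: ...' line from a pkispawn --debug log with the system's actual FIPS state, as in the reproduction steps above. The function names and sample logs are constructed for illustration; reading /proc/sys/crypto/fips_enabled as a second source is an assumption about the test host. The root cause is not stated on this page, so the example checks only the symptom.

```python
import re

# Log line format quoted in the bug report: 'INFO: FIPS Mode: True'
FIPS_LOG_RE = re.compile(r"INFO: FIPS Mode: (True|False)")

# Output of 'fips-mode-setup --check' as shown in the report.
SETUP_CHECK_OUTPUT = (
    "Installation of FIPS modules is not completed.\n"
    "FIPS mode is disabled.\n"
)
# Constructed sample log excerpts (not real pkispawn output).
BUGGY_LOG = "INFO: Loading deployment configuration\nINFO: FIPS Mode: True\n"
FIXED_LOG = "INFO: Loading deployment configuration\nINFO: FIPS Mode: False\n"


def fips_from_kernel_flag(text):
    """Parse the content of /proc/sys/crypto/fips_enabled ('0' or '1')."""
    value = text.strip()
    if value not in ("0", "1"):
        raise ValueError("unexpected fips_enabled content: %r" % text)
    # Compare explicitly: bool("0") is True, since any non-empty string is truthy.
    return value == "1"


def fips_from_setup_check(output):
    """Parse the status line printed by 'fips-mode-setup --check'."""
    if "FIPS mode is enabled." in output:
        return True
    if "FIPS mode is disabled." in output:
        return False
    raise ValueError("no FIPS status line in fips-mode-setup output")


def reported_fips_modes(log_text):
    """Return every FIPS mode value the spawn log reports, as booleans."""
    return [m.group(1) == "True" for m in FIPS_LOG_RE.finditer(log_text)]


def check_spawn_log(log_text, system_fips):
    """True when every 'FIPS Mode' line in the log matches the system state."""
    reported = reported_fips_modes(log_text)
    if not reported:
        raise ValueError("no 'FIPS Mode' line found; was pkispawn run with --debug?")
    return all(mode == system_fips for mode in reported)


if __name__ == "__main__":
    system_fips = fips_from_setup_check(SETUP_CHECK_OUTPUT)
    print("buggy log consistent:", check_spawn_log(BUGGY_LOG, system_fips))
    print("fixed log consistent:", check_spawn_log(FIXED_LOG, system_fips))
```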

Comment 1 Pritam Singh 2021-01-05 13:28:21 UTC
commit a2b9a4b49e40ee8afa1d1da51075fc38a8241143 (HEAD -> v10.10, upstream/v10.10)
Author: Pritam Singh <prisingh>
Date:   Mon Jan 4 21:18:34 2021 +0530

    Added_boolean_fix_for_fips_check
    
    Signed-off-by: Pritam Singh <prisingh>

Comment 5 Pritam Singh 2021-01-21 09:53:18 UTC
Tested on RHEL bits:

[root@pki1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.10.3
Release     : 1.module+el8.4.0+9456+88377f87
Architecture: noarch
Install Date: Thu 21 Jan 2021 04:43:15 AM EST
Group       : Unspecified
Size        : 3202831
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Wed 20 Jan 2021 12:14:04 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.10.3-1.module+el8.4.0+9456+88377f87.src.rpm
Build Date  : Thu 14 Jan 2021 03:17:34 PM EST
Build Host  : arm64-026.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://www.dogtagpki.org
Summary     : PKI CA Package

Proof of concept:
The downstream pipeline was triggered on RHEL bits and is working fine:
https://gitlab.cee.redhat.com/prisingh/pki-pytest-ansible/-/pipelines/906244

Hence, marking this Bugzilla as verified.

Comment 8 errata-xmlrpc 2021-05-18 15:25:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1775