Bug 2132694

Summary: GOLANG_FIPS=1 go get fails with "x509: certificate specifies an incompatible key usage" [rhel-8.8]
Product: Red Hat Enterprise Linux 8
Reporter: Edjunior Barbosa Machado <emachado>
Component: golang
Assignee: David Benoit <dbenoit>
Status: CLOSED ERRATA
QA Contact: Edjunior Barbosa Machado <emachado>
Severity: unspecified
Docs Contact: Jacob Taylor Valdez <jvaldez>
Priority: unspecified
Version: 8.8
CC: asm, danken, dbenoit, emachado, igkioka, sipoyare, tstellar
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: go-toolset:rhel8:8080020221017124915:17f3f959
Doc Type: Bug Fix
Doc Text:
`golang` now supports 4096 bit keys in x509 FIPS mode
Previously, `golang` did not support 4096 bit keys in x509 FIPS mode. Consequently, when the user used 4096 bit keys the program crashed. With this update, `golang` now supports 4096 bit keys in x509 FIPS mode.
Clones: 2133019
Last Closed: 2023-05-16 08:24:23 UTC
Type: Bug
Bug Blocks: 2133019

Description Edjunior Barbosa Machado 2022-10-06 12:15:39 UTC
Description of problem:
When GOLANG_FIPS=1 is defined, 'go get' from golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5 fails with the following:

[root@hpe-apollo-cn99xx-14-vm-25 ~]# mkdir test; cd test
[root@hpe-apollo-cn99xx-14-vm-25 test]# go mod init test
go: creating new go.mod: module test
[root@hpe-apollo-cn99xx-14-vm-25 test]# GOLANG_FIPS=1 go get golang.org/x/net/html
go: module golang.org/x/net/html: Get "https://proxy.golang.org/golang.org/x/net/html/@v/list": x509: certificate specifies an incompatible key usage
[root@hpe-apollo-cn99xx-14-vm-25 test]# 

'go get' works as expected when not using GOLANG_FIPS=1:

[root@hpe-apollo-cn99xx-14-vm-25 test]# go get golang.org/x/net/html
go: downloading golang.org/x/net v0.0.0-20221004154528-8021a29435af
go: added golang.org/x/net v0.0.0-20221004154528-8021a29435af
[root@hpe-apollo-cn99xx-14-vm-25 test]# 

On s390x, the error message is slightly different, possibly also related to bug #1969844:

[root@s390x-kvm-061 test]# GOLANG_FIPS=1 go get -v golang.org/x/net/html
go: module golang.org/x/net/html: Get "https://proxy.golang.org/golang.org/x/net/html/@v/list": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "GTS CA 1C3")
[root@s390x-kvm-061 test]# go get -v golang.org/x/net/html
go: downloading golang.org/x/net v0.0.0-20221004154528-8021a29435af
go: added golang.org/x/net v0.0.0-20221004154528-8021a29435af
[root@s390x-kvm-061 test]# 

This issue is not reproducible with previous golang-1.18.4-1.module+el8.7.0+16015+724888d8 (go-toolset-rhel8-8070020220720230209.347cc21f).

Version-Release number of selected component (if applicable):
golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5
go-toolset:rhel8:8080020220930130611:17f3f959
RHEL-8.8.0-20220929.2

Comment 5 Dan Kenigsberg 2022-10-24 08:25:20 UTC
I am told that this bug affects RHEL-8.6, too, and therefore OCP-4.12. Can this be backported?

Comment 6 Edjunior Barbosa Machado 2022-10-24 11:28:24 UTC
(In reply to Dan Kenigsberg from comment #5)
> I am told that this bug affects RHEL-8.6, too, and therefore OCP-4.12. Can
> this be backported?

I was unable to reproduce this with rhel-8.6 latest released golang-1.17.12-1.module+el8.6.0+16014+a372c00b (go-toolset-rhel8-8060020220720230014.97d7f71f) on RHEL-8.6.0-updates-20221019.0.
Could you please confirm which version of golang package is being used?

Comment 7 Motty Sisam 2022-10-24 12:28:33 UTC
I was able to reproduce in OCP-4.12 (rhel-8.6)

1. creating debug pod with admin privileges:
$ oc debug deployment/cluster-cloud-controller-manager-operator --as-root -n openshift-cloud-controller-manager-operator

2. install gdb
sh-4.4# yum install gdb -y

3. check go runtime version of the operator:
sh-4.4# gdb /cluster-controller-manager-operator -ex "p 'runtime.buildVersion'" -ex q

output:
$1 = 0x1a65878 "go1.19.1"

Comment 8 Edjunior Barbosa Machado 2022-10-24 12:48:25 UTC
(In reply to Motty Sisam from comment #7)
> output:
> $1 = 0x1a65878 "go1.19.1"

I'm not familiar with ocp environment, but judging by this output, it is probably using a newer version of golang. RHEL-8.6 shipped go 1.17, whereas go 1.19 was just recently introduced with RHEL-8.8 builds.

Comment 14 Jacob Taylor Valdez 2023-04-19 05:42:55 UTC
I've seen David ack the doc text in the verbatim RHEL 9 version of this bug. Setting r_d_t

Comment 16 errata-xmlrpc 2023-05-16 08:24:23 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (go-toolset:rhel8 bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2761

Comment 17 Red Hat Bugzilla 2023-09-19 04:27:57 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days