Bug 2133019

Summary: GOLANG_FIPS=1 go get fails with "x509: certificate specifies an incompatible key usage" [rhel-9.2]
Product: Red Hat Enterprise Linux 9
Reporter: Edjunior Barbosa Machado <emachado>
Component: golang
Assignee: David Benoit <dbenoit>
Status: CLOSED ERRATA
QA Contact: Edjunior Barbosa Machado <emachado>
Severity: unspecified
Docs Contact: Petr Hybl <phybl>
Priority: unspecified
Version: 9.2
CC: asm, dbenoit, emachado, jvaldez, nmanos, phybl, sipoyare, stbenjam, tjungblu, tstellar, wking
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: golang-1.19.2-2.el9
Doc Type: Bug Fix
Doc Text:
`golang` now supports 4096-bit keys in x509 FIPS mode
Previously, `golang` did not support 4096-bit keys in x509 FIPS mode. Consequently, when the user used 4096-bit keys, the program crashed. With this update, `golang` supports 4096-bit keys in x509 FIPS mode.
Story Points: ---
Clone Of: 2132694
Environment:
Last Closed: 2023-05-09 07:29:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2132694
Bug Blocks: 2134625

Description Edjunior Barbosa Machado 2022-10-07 13:45:06 UTC
Also reproducible with golang-1.19.1-2.el9 on RHEL-9.2.0-20221005.0:

[root@muflon-2 test]# OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go get golang.org/x/net/html
go: module golang.org/x/net/html: Get "https://proxy.golang.org/golang.org/x/net/html/@v/list": x509: certificate specifies an incompatible key usage


+++ This bug was initially created as a clone of Bug #2132694 +++

Description of problem:
When GOLANG_FIPS=1 is defined, 'go get' from golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5 fails with the following:

[root@hpe-apollo-cn99xx-14-vm-25 ~]# mkdir test; cd test
[root@hpe-apollo-cn99xx-14-vm-25 test]# go mod init test
go: creating new go.mod: module test
[root@hpe-apollo-cn99xx-14-vm-25 test]# GOLANG_FIPS=1 go get golang.org/x/net/html
go: module golang.org/x/net/html: Get "https://proxy.golang.org/golang.org/x/net/html/@v/list": x509: certificate specifies an incompatible key usage
[root@hpe-apollo-cn99xx-14-vm-25 test]# 

'go get' works as expected when not using GOLANG_FIPS=1:

[root@hpe-apollo-cn99xx-14-vm-25 test]# go get golang.org/x/net/html
go: downloading golang.org/x/net v0.0.0-20221004154528-8021a29435af
go: added golang.org/x/net v0.0.0-20221004154528-8021a29435af
[root@hpe-apollo-cn99xx-14-vm-25 test]# 

On s390x, the error message is slightly different, possibly also related to bug #1969844:

[root@s390x-kvm-061 test]# GOLANG_FIPS=1 go get -v golang.org/x/net/html
go: module golang.org/x/net/html: Get "https://proxy.golang.org/golang.org/x/net/html/@v/list": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "GTS CA 1C3")
[root@s390x-kvm-061 test]# go get -v golang.org/x/net/html
go: downloading golang.org/x/net v0.0.0-20221004154528-8021a29435af
go: added golang.org/x/net v0.0.0-20221004154528-8021a29435af
[root@s390x-kvm-061 test]# 

This issue is not reproducible with previous golang-1.18.4-1.module+el8.7.0+16015+724888d8 (go-toolset-rhel8-8070020220720230209.347cc21f).

Version-Release number of selected component (if applicable):
golang-1.19.1-2.module+el8.8.0+16778+5fbb74f5
go-toolset:rhel8:8080020220930130611:17f3f959
RHEL-8.8.0-20220929.2

Comment 1 Stephen Benjamin 2022-10-13 11:43:21 UTC
We are seeing this on OCP now as well, when trying to hit compute.googleapis.com -- reproducer below. This has broken all 4.12 FIPS jobs on GCP.


[root@localhost ~]# podman run -it -e /bin/bash registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.19-openshift-4.12
[root@de4c8e75da02 foo]# cat /proc/sys/crypto/fips_enabled 
1
[root@de4c8e75da02 foo]# cat go.mod
module example.com/tls

go 1.19
[root@de4c8e75da02 foo]# cat main.go
package main

import (
    "log"
    "crypto/tls"
)

func main() {
    log.SetFlags(log.Lshortfile)

    conf := &tls.Config{}
    conn, err := tls.Dial("tcp", "compute.googleapis.com:443", conf)
    if err != nil {
        log.Println(err)
        return
    }
    defer conn.Close()

    n, err := conn.Write([]byte("GET /\n"))
    if err != nil {
        log.Println(n, err)
        return
    }

    buf := make([]byte, 100)
    n, err = conn.Read(buf)
    if err != nil {
        log.Println(n, err)
        return
    }

    println(string(buf[:n]))
}
[root@de4c8e75da02 foo]# go run main.go
main.go:14: x509: certificate specifies an incompatible key usage
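An offline counterpart to the reproducer above, added here as an example and not part of the bug report: instead of dialing compute.googleapis.com, it issues a constructed leaf certificate signed by a constructed 4096-bit RSA root and runs the crypto/x509 chain verification that tls.Dial performs, so the 4096-bit public key is exercised without network access or a FIPS-enabled host. The function names (issueRSA, verifyChain) and the certificates are assumptions made up for this example; a fixed toolchain returns nil, an affected one returns the verification error.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueRSA returns a constructed certificate with a fresh RSA key of the given
// size: self-signed when parent is nil, otherwise issued by parent/parentKey.
func issueRSA(cn string, bits int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain builds a leaf signed by a root with the given RSA key sizes and
// runs the crypto/x509 verification that tls.Dial performs, returning its error.
// The leaf's signature is checked with the root's public key, so a 4096-bit
// root exercises exactly the key size this bug is about.
func verifyChain(rootBits, leafBits int) error {
	root, rootKey, err := issueRSA("constructed-root", rootBits, nil, nil)
	if err != nil {
		return err
	}
	leaf, _, err := issueRSA("constructed-leaf", leafBits, root, rootKey)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
```

Call verifyChain(4096, 2048) from a main or a test on the toolchain under test; with GOLANG_FIPS=1 on an unfixed golang the returned error is the one to compare against the messages quoted in this bug.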

Comment 3 Noam Manos 2022-10-19 16:46:59 UTC
We're seeing a similar issue of "x509: certificate specifies an incompatible key usage":
https://bugzilla.redhat.com/show_bug.cgi?id=2134625

For us it started to happen around the date 2022-10-04, using an OCP 4.10 cluster with FIPS on compute.googleapis.com.

Comment 4 Stephen Kitt 2022-10-20 08:21:25 UTC
*** Bug 2134625 has been marked as a duplicate of this bug. ***

Comment 6 Motty Sisam 2022-10-21 11:42:11 UTC
Update:
After a short conversation with dbenoit he said that it will be fixed in RHEL today and tagged probably around Monday~

Thanks David!

Comment 15 errata-xmlrpc 2023-05-09 07:29:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (delve, golang, and go-toolset bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2181