1746518 – Tangd cannot generate usable keys when FIPS is enabled

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1746518 - Tangd cannot generate usable keys when FIPS is enabled

Summary: Tangd cannot generate usable keys when FIPS is enabled

Keywords:
Status:	CLOSED DUPLICATE of bug 1703445
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	tang
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Sergio Correia
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-28 16:27 UTC by Megan Towey
Modified:	2019-10-02 12:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-10-02 12:44:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Megan Towey 2019-08-28 16:27:39 UTC

Description of problem:
When FIPS is enabled, tangd fails to generate usable keys. Any attempts to encrypt files or perform a LUKS bind with clevis will fail as a result. 

Version-Release number of selected component (if applicable):

kernel-3.10.0-1062.el7.x86_64
tang-6-1.el7.x86_64
dracut-fips-aesni-033-564.el7.x86_64
fipscheck-1.4.1-6.el7.x86_64
dracut-fips-033-564.el7.x86_64
fipscheck-lib-1.4.1-6.el7.x86_64


How reproducible:
Every time you try to use keys generated by tang when FIPS is enabled. 

Steps to Reproduce:
1. Enable FIPS
2. Install tang, generate keys
3. Attempt to use clevis to encrypt a file (either on localhost or separate system with clevis installed)

Actual results:

[root@fips77server ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@fips77server ~]# rm /var/db/tang/*
rm: remove regular file ‘/var/db/tang/cUAjXN-ka1NqKOBghS_9RW58ito.jwk’? y
rm: remove regular file ‘/var/db/tang/LcusJ-773Zf9JMcleBEWLsimvp8.jwk’? y
[root@fips77server ~]# systemctl restart tangd.socket
[root@fips77server ~]# ls /var/db/tang/
-3SF-7wQoXguTlv-EXeM3MGjeXs.jwk  n16ZY2jyfZ3X2WO2IFfoAvcHjRo.jwk
[root@fips77server ~]# clevis encrypt tang '{"url":"localhost"}' < plain3.txt
The advertisement contains the following signing keys:

-3SF-7wQoXguTlv-EXeM3MGjeXs

Do you wish to trust these keys? [ynYN] y
[root@fips77server ~]# echo $?
1
[root@fips77server ~]# 


Expected results:

[root@fips77server ~]# clevis encrypt tang '{"url":"localhost"}' < plain3.txt
The advertisement contains the following signing keys:

GA7-x9s1HROERB0lDe2lticfN-8

Do you wish to trust these keys? [ynYN] y
eyJhbGciOiJFQ0RILUVTIiwiY2xldmlzIjp7InBpbiI6InRhbmciLCJ0YW5nIjp7ImFkdiI6eyJrZXlzIjpbeyJhbGciOiJFUzUxMiIsImNydiI6IlAtNTIxIiwia2V5X29wcyI6WyJ2ZXJpZnkiXSwia3R5IjoiRUMiLCJ4IjoiQUVndU95bER5cjFfdFZPSXpFZDJMQWNFWGdPNjJpWTFEN2J2YTE0SGNsd3dNbU9JWkE0X01JbVRnWFZoWldtY3JhVU9qSWF0RjQxbVo4UkpTY05ldUJDVyIsInkiOiJBSTRNN000dS1Za1ZIWmdKWE5tUGxBUmF6eVY0dGQ3dU56aUUzaUZkQUdBT2M3WWhpMi1kTTdJMVllUnJTOTA5MzZXd0h5R2FSRXk1TEF4cXRzbi1pYm5qIn0seyJhbGciOiJFQ01SIiwiY3J2IjoiUC01MjEiLCJrZXlfb3BzIjpbImRlcml2ZUtleSJdLCJrdHkiOiJFQyIsIngiOiJBZlNzaGg1Z2ttbEtNZU5GMnNnaXVqZk41LUIzTU00ZHlpTU1PcWFCek9UR3VkLTBIdDVQOEJsYnRfWlljOUF6dzBMdmZvQnVxVWxYNTdHTUpQYzc3NnRMIiwieSI6IkFRRHFqMU1aVncweHhRWlZkME1Ca1ZtMVpTMWNIVmp3NjZGd2UyTDJ5b2xIcVBFUC0zZ3I2WjBRU09jYVFCYjBrLVZ2Ri1YT2tCaGlxQ2hka3ZMZUh2R0YifV19LCJ1cmwiOiJsb2NhbGhvc3QifX0sImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsiY3J2IjoiUC01MjEiLCJrdHkiOiJFQyIsIngiOiJBSmNlbkx0ckE1aHpqM3RJd0MzNGVwWHF5emljQjROaWk4S3dsRTBBZmMxelRzSENxa3dWb0k3V09kSVdxWmpRNVpYN3RhU0hIUjhVUjdiVXRKakZUYU94IiwieSI6IkFjeXB1RU1xX05odm82eWZYbm9oZG80dEt0MlpiZ2FhXzJkeXJCWDYxZjRnTUJueE5hSENtRk1lZW5BaXNyS1N4azFSQUJSN2ZDUzl5ZlJHZWZqMzZ0WnQifSwia2lkIjoiWThqWXVNQXV4b2kzNExma3Q5TTRrbnY4YnM4In0..gvk_gwn7dNRKYFPj.6yLRi7C2fJFXs7JKKrZiA-6_Bn77.cW1AM8Gq1Ff4jh0jsGmZBQ
[root@fips77server ~]# echo $?
0


Additional info:
There is a workaround available, involving generating a key on a non-FIPS enabled system and moving it over to the FIPS enabled server or disabling, generating keys, and re-enabling FIPS. 

If any additional data is required, I can provide it. I have a few VMs set up for reproducing this issue.

Comment 2 Sergio Correia 2019-09-17 14:11:46 UTC

(In reply to Megan Towey from comment #0)

[snip]
> [root@fips77server ~]# clevis encrypt tang '{"url":"localhost"}' < plain3.txt
> The advertisement contains the following signing keys:
> 
> -3SF-7wQoXguTlv-EXeM3MGjeXs
> 
> Do you wish to trust these keys? [ynYN] y
> [root@fips77server ~]# echo $?
> 1
> [root@fips77server ~]# 

Hi Megan, could you please try the following:

# systemctl restart tangd-update.service

and then try again the clevis encrypt command?

Comment 3 Megan Towey 2019-09-17 14:52:47 UTC

Hey Sergio,

Looks like that succeeded:

[root@fips77server ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@fips77server ~]# systemctl restart tangd.socket
[root@fips77server ~]# ls /var/db/tang/
c2yj5LMHCEE_p03J4KWdviGnZBk.jwk  ty6HKTRwTdKFsloOWso0hX9SxwY.jwk
[root@fips77server ~]# clevis encrypt tang '{"url":"192.168.100.152"}' < plain3.txt
The advertisement contains the following signing keys:

c2yj5LMHCEE_p03J4KWdviGnZBk

Do you wish to trust these keys? [ynYN] y
[root@fips77server ~]# echo $?
1
[root@fips77server ~]# systemctl restart tangd-update.service
[root@fips77server ~]# clevis encrypt tang '{"url":"192.168.100.152"}' < plain3.txt
The advertisement contains the following signing keys:

c2yj5LMHCEE_p03J4KWdviGnZBk

Do you wish to trust these keys? [ynYN] y
eyJhbGciOiJFQ0RILUVTIiwiY2xldmlzIjp7InBpbiI6InRhbmciLCJ0YW5nIjp7ImFkdiI6eyJrZXlzIjpbeyJhbGciOiJFUzUxMiIsImNydiI6IlAtNTIxIiwia2V5X29wcyI6WyJ2ZXJpZnkiXSwia3R5IjoiRUMiLCJ4IjoiQWFsNzVVQWVfc0NnVTFneGJFeURTRFdDblpGWFR2V0pGTWw0V3JCYy1GeDkzX2syUXhXZFB5dURiMW1uZHlSdXVSWFprMzZsVUtmaWRTZTZjcjFSUWlKTSIsInkiOiJBV1p6d3cxMDZ1Z2IyS1pMVEZVUDFLSlNWc2psUm1oNUtlZVVKMlhsRVB6Qi1FQkJMNXBzNS1NMmZFc3NzeFE0d1ZacEVKdUM4OXJodlZiTWJBV1dWY2JjIn0seyJhbGciOiJFQ01SIiwiY3J2IjoiUC01MjEiLCJrZXlfb3BzIjpbImRlcml2ZUtleSJdLCJrdHkiOiJFQyIsIngiOiJBRjJhbElscmhqOUVvcHlxZ2pwdXppbG9VVFpUMGt5Y2FRZ3hKek5IY1JjektHbF9PZGxFN1YxVThGZ2RCUjVfaU11UUY3UlgzWGJfOW1JWUhqNVZEbzc1IiwieSI6IkFHdFpGS2J3akhnaEJFdmluYW5zX1lnb2xFN0gwNjZndXp3X0o5Y2hwcWd0LWFZVTBZZXpUSXBpUzdBVW5kd0cwbXR1c2xrOXUzZ3BxaDV4Sk1qdWx5bjMifV19LCJ1cmwiOiIxOTIuMTY4LjEwMC4xNTIifX0sImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsiY3J2IjoiUC01MjEiLCJrdHkiOiJFQyIsIngiOiJBWkZUNmliSUtTTjNCRWtDd3YtNlJKaWRNYjFKTUpoei1ROC1laUFhNVN0bjVhNHI3M0I1Ujktam92VHNjQ2FIVlFYc1c3b2ZQcWZCNHl0OWVaZWp5cWxXIiwieSI6IkFDck9QZDRncmtkMEhOSkUzU0NZUk5BZEN5aTVna2ljZVdmWnZ1SmMxTFlYeGdYVU41bXlyal9yc0djLS10MjdtM3QydjFkeDVHelNDem43Z1BWckpzWWMifSwia2lkIjoidHk2SEtUUndUZEtGc2xvT1dzbzBoWDlTeHdZIn0..M9-OapEUL0iaex4U.JrkbQb9l0MzvumIyuFXFn-xGdwYm.01s2xKUtOUMdMIoX6QDdfw


Also confirmed the same was the case when the clevis client was on a separate system. 
Can you explain why restarting that service was necessary?

Comment 4 Sergio Correia 2019-09-17 19:27:29 UTC

Glad to know it worked. This seems to be the bug described in https://github.com/latchset/tang/issues/23

The proper solution will probably involve moving the generation of keys into tang itself, as Nathaniel suggested in one of the comments.

Comment 5 Sergio Correia 2019-10-02 12:44:50 UTC

As this is not FIPS-specific, I am closing this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1703445.

*** This bug has been marked as a duplicate of bug 1703445 ***

Note You need to log in before you can comment on or make changes to this bug.