Bug 2007850 - FIPS jobs are failing a test trying to use a 1024-bit DSA key
Summary: FIPS jobs are failing a test trying to use a 1024-bit DSA key
Keywords:
Status: CLOSED DUPLICATE of bug 1960674
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Test Framework
Version: 4.10
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Stephen Benjamin
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-25 13:39 UTC by Stephen Benjamin
Modified: 2021-11-10 14:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-azure-fips-serial=all
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips=all
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-aws-fips-serial=all
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-gcp-fips-serial=all
Last Closed: 2021-11-10 14:22:30 UTC
Target Upstream Version:
Embargoed:




Links
System: Github openshift/origin pull 26485
Status: open
Summary: Bug 2007850: Revert "images: port image signature workflow test to OCP4/UBcI8"
Last Updated: 2021-10-06 12:58:40 UTC

Description Stephen Benjamin 2021-09-25 13:39:57 UTC
periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips

is failing frequently in CI, see:
https://testgrid.k8s.io/redhat-openshift-ocp-release-4.10-informing#periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips

The test failing is:
[sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]

It appears to be from this test's generation of a dummy GPG key

STEP: creating dummy GPG key
Sep 22 21:21:19.847: INFO: Running 'oc --namespace=e2e-test-registry-signing-2rrsz --kubeconfig=/tmp/configfile304355208 exec sign-and-push -- /bin/bash -c rm -f /dev/random; ln -sf /dev/urandom /dev/random && GNUPGHOME=/var/lib/origin/gnupg gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' dummy_key.conf && GNUPGHOME=/var/lib/origin/gnupg gpg2 --output=gnupg/pubring.gpg --export joe'
Sep 22 21:21:20.573: INFO: Error running /usr/bin/oc --namespace=e2e-test-registry-signing-2rrsz --kubeconfig=/tmp/configfile304355208 exec sign-and-push -- /bin/bash -c rm -f /dev/random; ln -sf /dev/urandom /dev/random && GNUPGHOME=/var/lib/origin/gnupg gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' dummy_key.conf && GNUPGHOME=/var/lib/origin/gnupg gpg2 --output=gnupg/pubring.gpg --export joe:
StdOut>
gpg: out of core handler ignored in FIPS mode
gpg: WARNING: unsafe permissions on homedir '/var/lib/origin/gnupg'
gpg: keybox '/var/lib/origin/gnupg/pubring.kbx' created
gpg: Generating openpgp key ...
gpg: agent_genkey failed: Invalid value
gpg: key generation failed: Invalid value
gpg: done
command terminated with exit code 2
StdErr>
gpg: out of core handler ignored in FIPS mode
gpg: WARNING: unsafe permissions on homedir '/var/lib/origin/gnupg'
gpg: keybox '/var/lib/origin/gnupg/pubring.kbx' created
gpg: Generating openpgp key ...
gpg: agent_genkey failed: Invalid value
gpg: key generation failed: Invalid value
gpg: done
command terminated with exit code 2

Comment 1 Stephen Benjamin 2021-09-25 13:54:25 UTC
Not just openstack, all FIPS jobs also failing. This seems to be because the config specifies to create a 1024-bit DSA key.

FIPS requires 2048-bit, per https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf (p9, Approval Status of Algorithms Used for Digital Signature Generation and Verification)
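
The following is an added pre-flight check, not code from the bug, from the openshift/origin test, or from any commenter. It parses a gpg2 `--batch --gen-key` parameter file, flags any `Key-Length` or `Subkey-Length` below the 2048-bit minimum that comment 1 cites from SP 800-131A for DSA (and, by the same table, RSA) signature keys, and rewrites the offending length to that minimum. The sample parameter file is constructed to resemble what the test's `dummy_key.conf` would contain (a 1024-bit DSA key); the real file is not shown in the bug, and the name `joe` is taken from the `--export joe` command in the log. Running a check like this over a test's key-generation config before it reaches a FIPS-mode host turns the opaque "agent_genkey failed: Invalid value" into an actionable finding.

```python
"""Pre-flight check of a gpg2 batch key-generation file against SP 800-131A key-size minimums."""
import re

# Constructed sample resembling the test's dummy_key.conf (the real file is not in the bug).
WEAK_CONF = """\
%echo Generating a dummy key
Key-Type: DSA
Key-Length: 1024
Name-Real: joe
Name-Email: joe@example.com
Expire-Date: 0
%commit
"""

# Minimum key sizes for signature generation per NIST SP 800-131A rev. 2 (DSA and RSA);
# key types not listed here are left alone rather than guessed at.
MIN_BITS = {"DSA": 2048, "RSA": 2048}


def parse_batch_conf(text):
    """Parse the 'Name: value' lines of a gpg batch file; %-directives and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%") or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip()] = value.strip()
    return params


def fips_findings(text):
    """Return (field, key type, requested bits, minimum bits) for every key below the minimum."""
    p = parse_batch_conf(text)
    findings = []
    for type_field, len_field in (("Key-Type", "Key-Length"), ("Subkey-Type", "Subkey-Length")):
        ktype = p.get(type_field, "").upper()
        if ktype in MIN_BITS and len_field in p:
            bits = int(p[len_field])
            if bits < MIN_BITS[ktype]:
                findings.append((type_field, ktype, bits, MIN_BITS[ktype]))
    return findings


def harden_batch_conf(text):
    """Rewrite any Key-Length / Subkey-Length below the minimum for its type to that minimum."""
    p = parse_batch_conf(text)
    out = []
    for line in text.splitlines():
        m = re.match(r"^(Key|Subkey)-Length:\s*(\d+)\s*$", line.strip())
        if m:
            ktype = p.get(m.group(1) + "-Type", "").upper()
            floor = MIN_BITS.get(ktype)
            if floor is not None and int(m.group(2)) < floor:
                line = f"{m.group(1)}-Length: {floor}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for field, ktype, bits, floor in fips_findings(WEAK_CONF):
        print(f"{field}: {bits}-bit {ktype} is below the {floor}-bit minimum; "
              f"gpg2 in FIPS mode fails this as in the bug log")
    print(harden_batch_conf(WEAK_CONF))
```

The hardened output keeps every other line of the batch file unchanged, so it can be fed straight back to `gpg2 --batch --gen-key`; only the length line moves from 1024 to 2048.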

Comment 2 Colin Walters 2021-09-27 12:46:11 UTC
Nice find, this looks like a useful find from the periodic variants *and* a demonstration of why some organizations want to use FIPS - to be sure there isn't legacy code generating very weak keys or with long-broken ciphers, etc.

Comment 4 Stephen Benjamin 2021-11-10 14:22:30 UTC
This was corrected in https://github.com/openshift/origin/pull/26510

*** This bug has been marked as a duplicate of bug 1960674 ***