PKCS12 algorithm not supported on FIPS enabled Bionic stemcell #71

Closed
2 of 3 tasks
friegger opened this issue Aug 5, 2022 · 5 comments

@friegger

friegger commented Aug 5, 2022

What version of the credhub server you are using?
2.12.6

What version of the credhub cli you are using?
Not relevant.

If you were attempting to accomplish a task, what was it you were attempting to do?
Deploy credhub with a FIPS enabled Bionic stemcell.

What did you expect to happen?
It starts and runs successfully.

What was the actual behavior?
It failed in the pre-start script with the following error:

[2022-08-04T04:50:09.110563993Z] ________________________________________________________________________________
[2022-08-04T04:50:09.349941968Z] 139918789951936:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:../crypto/evp/evp_pbe.c:114:
[2022-08-04T04:50:09.350050926Z] 139918789951936:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:../crypto/pkcs12/p12_decr.c:41:
[2022-08-04T04:50:09.350075960Z] 139918789951936:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:../crypto/pkcs12/p12_decr.c:144:
[2022-08-04T04:50:09.350094079Z] 139918789951936:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:../crypto/pkcs12/p12_add.c:119:

This is the same error that occurs with the UAA release on a FIPS enabled Bionic stemcell: cloudfoundry/uaa-release#358. There is also a potential fix linked, which might be applicable to credhub as well.

Please confirm where necessary:

  • I have included a log output
  • My log includes an error message
  • I have included steps for reproduction

If you are a PCF customer with an Operation Manager (PCF Ops Manager) please direct your questions to support (https://support.pivotal.io/)
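The trace in the report is OpenSSL's PKCS#12 writer (PKCS12_pack_p7encdata → PKCS12_pbe_crypt → EVP_PBE_CipherInit) rejecting the password-based cipher it was asked to use. On OpenSSL 1.1.1, which Bionic ships, `openssl pkcs12 -export` defaults to pbeWithSHA1And40BitRC2-CBC for the certificate bag and pbeWithSHA1And3-KeyTripleDES-CBC for the key bag; RC2 is not in the FIPS-approved set, so a FIPS-only build reports "unknown cipher". The script below is an added example, not code from credhub-release or uaa-release, showing the mitigation a pre-start script can apply regardless of what the linked UAA fix does: name PBES2/AES-256-CBC and an HMAC-SHA-256 MAC explicitly, then verify the produced bundle. It assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; the work directory, CN, file names and password are constructed for the demo.

```sh
#!/bin/sh
# Added example (not credhub-release or uaa-release code): build a PKCS#12
# bundle with only FIPS-approved algorithms and verify the result.
# Assumes the `openssl` CLI is on PATH. Paths, CN and password are demo values.

WORK="${TMPDIR:-/tmp}/p12-fips-demo.$$"

# Create a throwaway self-signed certificate and key to bundle (demo input).
make_demo_cert() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=p12-fips-demo" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# OpenSSL 1.1.x defaults for `pkcs12 -export` are RC2-40 (cert bag) and
# 3DES (key bag). RC2 is not FIPS-approved, so EVP_PBE_CipherInit fails with
# "unknown cipher" in a FIPS-only build, which is the trace in this issue.
# Selecting PBES2 with AES-256-CBC and an HMAC-SHA-256 MAC explicitly keeps
# the export inside the approved set on both FIPS and non-FIPS hosts.
export_fips_pkcs12() {
    cert="$1"; key="$2"; out="$3"; pass="$4"
    openssl pkcs12 -export \
        -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
}

# Positive check: the bundle's algorithm summary (written to stderr by -info)
# must mention AES-256-CBC. Works for bundles built by 1.1.1 or 3.x.
p12_uses_aes256() {
    out="$1"; pass="$2"
    openssl pkcs12 -in "$out" -passin "pass:$pass" -info -noout 2>&1 \
        | grep -q 'AES-256-CBC'
}

# Negative check: no RC2 or 3DES wrapping anywhere in the bundle summary.
p12_free_of_legacy_pbe() {
    out="$1"; pass="$2"
    ! openssl pkcs12 -in "$out" -passin "pass:$pass" -info -noout 2>&1 \
        | grep -Eqi 'RC2|3DES|TripleDES'
}

# End-to-end run: build the demo cert, export, and verify the bundle.
demo() {
    make_demo_cert || return 1
    export_fips_pkcs12 "$WORK/cert.pem" "$WORK/key.pem" \
        "$WORK/bundle.p12" demo-pass || return 1
    p12_uses_aes256 "$WORK/bundle.p12" demo-pass || return 1
    p12_free_of_legacy_pbe "$WORK/bundle.p12" demo-pass || return 1
    echo "$WORK/bundle.p12 uses PBES2/AES-256-CBC with an HMAC-SHA256 MAC"
}
```

Run `demo` on a non-FIPS host first: the two check functions give a release pipeline a way to catch a regression to the RC2/3DES defaults without needing a FIPS stemcell, which is the gap the later comments in this thread discuss. On OpenSSL 3.x the defaults are already AES-256-CBC, so the explicit flags are a no-op there and harmless.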

@cf-gitbot
Collaborator

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

@Tallicia
Contributor

This has been prioritized.

@peterhaochen47
Member

peterhaochen47 commented Nov 15, 2022

Hi @rkoster, about this issue. We have a proposal we want to run by you:

  • So given that there's significant work involved in reproducing the issue described & validating solutions (obtaining a GCP fips-enabled bionic GCP stemcell, or setting up AWS testing infra, etc), we are considering applying the same fix in UAA to CredHub without reproduction or validation. Instead, we will make sure that the fix does not create any regressions (via our CI), and we will rely on OSS community to validate that the fix works.
  • By doing this, we accept certain risks that the proposed fix might stop working in the future (as we won't have a long term CI job to continuously test this compatibility), so we will again rely on the OSS community to report any break in compatibility.
  • This proposal is based on the fact that our team's bandwidth is limited. If the CF org / our org decides that it is critical to continuously guarantee compatibility with all FIPS-enabled stemcell versions, our team can invest in building that CI job (which will involve learning how to build stemcells, or setting up AWS, etc.).

What do you think?

--- @xandroc and I

@rkoster

rkoster commented Nov 21, 2022

Leaving FIPS testing up to the people who run FIPS is totally acceptable. @beyhan, could you check if SAP is interested in prioritizing getting a GCP FIPS stemcell made for OSS testing. This should not block applying the fix.

@swalchemist
Contributor

@beyhan @friegger Closing the issue - again, we don't have the means to test it. Let us know if you have any more trouble with it.
