Make certificate generation FIPS compliant #378

Merged
merged 2 commits into from
Sep 23, 2024

Collaborator

@weinimo weinimo commented Sep 16, 2024

This uses PKCS#8 private key encryption now, which is FIPS compliant.

OSPRH-9709
OSPRH-6237

Contributor

openshift-ci bot commented Sep 16, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Contributor

openshift-ci bot commented Sep 16, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: weinimo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

pkg/octavia/pem_decrypt_fips.go (outdated, resolved)
pkg/octavia/amphora_certs.go (outdated, resolved)
Golang's own, deprecated x509.EncryptPEMBlock
function uses MD5, which is forbidden in FIPS
mode. This change copies the problematic
function and modifies it so that it uses SHA256
instead of MD5.
@gthiemonge
Contributor

/lgtm

tested in non-FIPS env, no regression

@openshift-ci openshift-ci bot added the lgtm label Sep 23, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit 5d1ca71 into main Sep 23, 2024
8 checks passed
@openshift-merge-bot openshift-merge-bot bot deleted the cert-fips-fix branch September 23, 2024 09:42
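
An added example, not code from this pull request: a way to audit existing key files for the two formats discussed above, the legacy PEM encryption that `x509.EncryptPEMBlock` writes (marked by `Proc-Type` and `DEK-Info` headers) and PKCS#8 `ENCRYPTED PRIVATE KEY` blocks. The names `classifyPEMKeys` and `samplePEM` are hypothetical, and the sample block bodies are constructed placeholder bytes, not real keys.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

// Constructed sample input: the bodies are placeholder bytes, not real keys.
const samplePEM = `-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

AAECAwQFBgcICQoLDA0ODw==
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
AAECAwQFBgcICQoLDA0ODw==
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
AAECAwQFBgcICQoLDA0ODw==
-----END PRIVATE KEY-----
`

// classifyPEMKeys labels every PEM block in data by how the key is protected.
// It only inspects the block type and headers; it never decrypts anything.
func classifyPEMKeys(data []byte) []string {
	var out []string
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		_, hasDEK := block.Headers["DEK-Info"]
		label := "not a private key"
		switch {
		case hasDEK || strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"):
			// Header-based format produced by x509.EncryptPEMBlock and OpenSSL.
			label = "legacy PEM encryption (DEK-Info header)"
		case block.Type == "ENCRYPTED PRIVATE KEY":
			label = "PKCS#8 encrypted"
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			label = "unencrypted"
		}
		out = append(out, block.Type+": "+label)
	}
	return out
}

func main() {
	for _, line := range classifyPEMKeys([]byte(samplePEM)) {
		fmt.Println(line)
	}
}
```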