FIPS build broken on RHEL9 host platforms
Problem
API Security supports running in a FIPS environment through a custom FIPS container image based on UBI9.
This requires a host running Red Hat Enterprise Linux (RHEL) v8 or 9. Until recently our testing has been
exclusively with RHEL8. When we started using RHEL9, we found that our FIPS image doesn't work correctly.
The scanner fails to start up because an exception is thrown while loading a 3rd party dependency. This manifests as a connection error to http://127.0.0.1:5000. The scanner log file records the exception that prevents startup:
Unhandled exception. Interop+Crypto+OpenSslCryptographicException: error:020000AD:rsa routines::invalid key length
at Interop.Crypto.DecodeSubjectPublicKeyInfo(ReadOnlySpan`1 source, EvpAlgorithmId algorithmId)
at System.Security.Cryptography.RSAImplementation.RSAOpenSsl.ImportParameters(RSAParameters parameters)
at Newtonsoft.Json.Schema.Infrastructure.Licensing.CryptographyHelpers.ValidateData(Byte[] data, Byte[] signature)
at Newtonsoft.Json.Schema.Infrastructure.Licensing.LicenseHelpers.ReadLicenseData(DateTime releaseDate, String licenseBase64, Int32 licenseId)
at Newtonsoft.Json.Schema.Infrastructure.Licensing.LicenseHelpers.RegisterLicense(String license, DateTime releaseDate)
at Newtonsoft.Json.Schema.Infrastructure.Licensing.LicenseHelpers.RegisterLicense(String license)
at Newtonsoft.Json.Schema.License.RegisterLicense(String license)
at Peach.Web.JsonSchemaInitializer.RegisterNewtonsoftJsonSchemaLicense() in /builds/gitlab-org/security-products/analyzers/api-fuzzing-src/web/PeachWeb/Startup.cs:line 318
at Peach.Web.Program.Main(String[] args) in /builds/gitlab-org/security-products/analyzers/api-fuzzing-src/web/PeachWeb/Program.cs:line 45
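The trace above shows the failure happening at import time: the licensing code in Newtonsoft.Json.Schema hands an RSA public key to .NET, which passes it to OpenSSL's DecodeSubjectPublicKeyInfo, and the FIPS provider refuses it with "invalid key length". A FIPS-enabled OpenSSL enforces a minimum RSA modulus size, so the practical pre-flight check is to parse the SubjectPublicKeyInfo (SPKI) and compare the modulus size against the policy minimum before the key ever reaches the crypto library. The following is an added example, not code from this issue, from the scanner, or from the Newtonsoft library; it assumes a 2048-bit minimum (the RHEL 9 FIPS crypto policy value) and uses constructed moduli, since the size of the vendor's licence signing key is not given on the page.

```python
"""Check whether an RSA SubjectPublicKeyInfo (SPKI) key clears a FIPS
minimum-key-length policy before it is imported.

Added illustration (not code from the issue or the scanner). The 2048-bit
minimum is an assumption matching the RHEL 9 FIPS crypto policy; the test
keys below are constructed and are not real RSA moduli.
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def encode_rsa_spki(n: int, e: int = 65537) -> bytes:
    """Build a DER SPKI for an RSA public key (used here only to construct test data)."""
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption, NULL
    pub = _tlv(0x30, _der_int(n) + _der_int(e))                      # RSAPublicKey
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + pub))               # BIT STRING, 0 unused bits


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Parse an RSA SPKI and return the modulus size in bits; ValueError if not RSA."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(body, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = _read_tlv(bitstr, 1)           # skip the unused-bits octet
    int_tag, n_bytes, _ = _read_tlv(rsapub, 0)    # first INTEGER is the modulus n
    if int_tag != 0x02:
        raise ValueError("RSAPublicKey modulus missing")
    return int.from_bytes(n_bytes, "big").bit_length()


def check_fips_key_length(spki: bytes, min_bits: int = 2048) -> dict:
    """Report whether the key would survive import under a minimum-length policy."""
    bits = rsa_modulus_bits(spki)
    return {"modulus_bits": bits, "min_bits": min_bits, "accepted": bits >= min_bits}


if __name__ == "__main__":
    # Constructed moduli of exactly 1024 and 2048 bits (top and bottom bits set).
    for bits in (1024, 2048):
        key = encode_rsa_spki((1 << (bits - 1)) | 1)
        print(bits, check_fips_key_length(key))
```

Running the check on a 1024-bit key reports `accepted: False`, which is the condition that surfaces as the OpenSSL "invalid key length" exception once the host's FIPS policy is in force; on RHEL the host state itself can be confirmed with `cat /proc/sys/crypto/fips_enabled` (1 means FIPS mode is on). The useful operational point is that the failure depends on the host policy, not the container image, which is why the same image passes on a RHEL8 runner and fails on RHEL9.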
Workaround
If a customer runs into this issue, they will need to create a new FIPS runner using RHEL8 and assign it a tag that can be used to limit the runner to use with API Security jobs.
Proposal
- Open an issue with the upstream project. - Upstream project issue
  - Emailed support (this is a licensed dependency) on 17/05/2024
- Investigate the issue and look for a workaround.
- Expand our e2e testing to use both RHEL8 and RHEL9
Edited by Michael Eddington