Bug 1510156
Summary: | RSA PKCS#1 v1.5 signatures made using rsa-pss keys are accepted as valid [rhel-7] | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Hubert Kario <hkario> | |
Component: | nss | Assignee: | Daiki Ueno <dueno> | |
Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> | |
Severity: | unspecified | Docs Contact: | Tomas Capek <tcapek> | |
Priority: | medium | |||
Version: | 7.5 | CC: | dueno, hkario, lmanasko, mjahoda, yzimmerm | |
Target Milestone: | rc | Keywords: | Reopened, Triaged | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | nss-3.43.0-2.el7 | Doc Type: | Bug Fix | |
Doc Text: |
.NSS no longer accepts RSA PKCS#1 v1.5 signatures made with an RSA-PSS key
RSA-PSS keys can be used for creating RSA-PSS signatures only and signatures made with those keys that use the PKCS#1 v1.5 algorithm violate the standard. Previously, the Network Security Services (NSS) libraries did not check the type of an RSA public key used by a server when validating signatures made using a corresponding private key. Consequently, NSS accepted RSA PKCS#1 v1.5 signatures as valid, even if they were made with an RSA-PSS key.
The bug has been fixed and the NSS libraries now properly check the type of RSA public keys used by a server when validating signatures made using a corresponding private key. As a result, the signatures in this scenario are no longer accepted by NSS.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1601056 (view as bug list) | Environment: | ||
Last Closed: | 2019-08-06 13:08:26 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1645231 | |||
Bug Blocks: | 1457751, 1601056 |
Description
Hubert Kario
2017-11-06 19:46:39 UTC
Hi Hubert, Since this BZ should be described in the RHEL 7.5 Release Notes, could you please fill the Doc Text using the template? I'm not sure if I would be able to use 100% accurate wording using just the first comment. This should be fixed with the next rebase. This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2237 |