Bug 1632615
| Summary: | Permit certain SHA384 FIPS ciphers to be enabled by default for RSA and ECC . . . [rhel-7.6.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 7.6 | CC: | aakkiang, cfu, cpelland, lmiksik, mharmsen, mjahoda, msauton, ssidhaye, toneata |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.5.9-7.el7_6 | Doc Type: | No Doc Update |
| Doc Text: |
This patch adds SHA384 ciphers into the default cipher lists for both RSA and ECC.
|
Story Points: | --- |
| Clone Of: | 1554055 | Environment: | |
| Last Closed: | 2019-01-29 17:21:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1554055 | ||
| Bug Blocks: | |||
|
Description
Oneata Mircea Teodor
2018-09-25 08:43:51 UTC
Test Procedure See https://bugzilla.redhat.com/show_bug.cgi?id=1554055#c11 Build used for verification: root@csqa4-guest01 hsm_setup # rpm -qi pki-base Name : pki-base Version : 10.5.9 Release : 7.el7_6 Installation with RSA for CA and KRA with only SHA384 ciphers succeeded Key archival succeeded: root@csqa4-guest01 hsm_setup # pki -d /tmp/nssdb/ -c SECret.123 client-cert-request CN=foo1 --profile caSigningUserCert --type crmf ----------------------------- Submitted certificate request ----------------------------- Request ID: 14 Type: enrollment Request Status: pending Operation Result: success root@csqa4-guest01 hsm_setup # pki -d /tmp/nssdb/ -c SECret.123 -n "PKI CA Administrator for rhcs94-CA-ssidhaye" cert-request-review 14 --action approve ------------------------------- Approved certificate request 14 ------------------------------- Request ID: 14 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0x553d6d1 root@csqa4-guest01 hsm_setup # pki -d /tmp/nssdb/ -c SECret.123 -p 20080 -n "PKI KRA Administrator rhcs94-KRA-ssidhaye" kra-key-find ---------------- 1 key(s) matched ---------------- Key ID: 0x1 Algorithm: 1.2.840.113549.1.1.1 Size: 1024 Owner: CN=foo1 ---------------------------- Number of entries returned 1 ---------------------------- Installation with ECC for CA and KRA with only SHA384 ciphers succeeded Followed instructions from https://www.dogtagpki.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Agent-signed_EC_cmc_request successfully submitted agent-signed CMC request root@csqa4-guest01 ecc_working_cfgs # CMCResponse -d nssdb/ -i cmc.role_p10-ec.resp Certificates: Certificate: Data: Version: v3 Serial Number: 0x8908A9B Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA Validity: Not Before: Wednesday, November 14, 2018 3:54:46 AM EST America/New_York Not After: Monday, May 13, 2019 3:54:46 AM EDT America/New_York Subject: CN=testuserEC Subject Public Key Info: Algorithm: EC - 1.2.840.10045.2.1 Public Key: 04:87:2B:D5:7E:8A:87:B0:15:2E:C4:FE:D6:E5:A5:F8: 53:42:05:AB:37:1C:35:A8:BF:6A:5F:6C:01:D2:7B:05: C7:C0:B3:99:AB:3B:7C:4B:6C:4C:F7:8B:04:28:07:C1: BF:D2:1A:EA:69:31:52:B4:07:52:3D:9A:99:B9:E7:BA: 0E Extensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 56:62:BA:AC:E1:81:BD:90:A7:98:AA:E9:5E:B6:F2:0B: 48:79:BE:5E Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:4A:30:48:06:08:2B:06:01:05:05:07:30:01:86:3C: 68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65: 73:74:30:31:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67: 2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A: 38:30:38:30:2F:63:61:2F:6F:63:73:70 Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key Agreement Identifier: Extended Key Usage: - 2.5.29.37 Critical: no Extended Key Usage: 1.3.6.1.5.5.7.3.2 1.3.6.1.5.5.7.3.4 Signature: Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Signature: 30:45:02:20:50:17:25:DA:05:E3:64:11:29:F8:71:05: 6C:86:77:7D:DE:0C:F5:53:6C:B9:22:90:F9:C8:83:7C: 82:13:44:93:02:21:00:E5:0C:3B:2B:E5:FB:92:32:8B: 83:21:B5:5B:EA:94:4F:53:5F:E2:51:65:C2:F2:12:2C: 1D:BB:19:65:0C:FC:FA FingerPrint MD2: 88:C5:3B:B8:F5:F1:DF:E7:54:95:55:8D:C8:74:2B:36 MD5: AF:57:A8:99:39:CE:EA:07:63:B7:01:C9:DC:6E:83:0A SHA-1: 50:38:66:44:ED:41:25:FF:D3:D1:19:3F:D9:A5:CB:24: 5E:A7:7E:49 SHA-256: 4A:F9:BA:68:5F:6A:7D:66:02:C1:2A:CD:AF:EB:B3:C1: D8:77:5B:96:89:A0:07:65:1C:42:07:87:46:4F:1C:CF SHA-512: E5:F9:37:C2:F7:B1:12:67:3D:99:65:FF:A8:73:19:8C: BB:5D:8F:D0:49:9D:66:97:57:E1:12:5C:69:6D:CE:56: D8:C8:7A:19:92:4A:2B:02:60:22:15:D7:25:16:C7:04: 46:68:CC:C6:3F:F0:7B:C9:71:D6:22:E0:3F:CF:34:B5 Certificate: Data: Version: v3 Serial Number: 0x8C182B5 Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA Validity: Not Before: Wednesday, November 14, 2018 3:25:56 AM EST America/New_York Not After: Sunday, November 14, 2038 3:25:56 AM EST America/New_York Subject: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA Subject Public Key Info: Algorithm: EC - 1.2.840.10045.2.1 Public Key: 04:E8:9E:CC:20:C3:87:95:85:05:EF:F3:FA:D4:E4:61: 89:C4:04:AA:49:BE:35:25:B5:5C:5D:F9:03:B1:3A:BA: 28:E4:AF:C7:53:11:5F:D5:03:E4:29:1D:25:84:63:D3: 67:98:89:0C:D2:9B:09:5D:DD:21:31:55:3D:47:08:7F: F3 Extensions: Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 56:62:BA:AC:E1:81:BD:90:A7:98:AA:E9:5E:B6:F2:0B: 48:79:BE:5E Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes Path Length Constraint: UNLIMITED Identifier: Key Usage: - 2.5.29.15 Critical: yes Key Usage: Digital Signature Non Repudiation Key CertSign Crl Sign Identifier: Subject Key Identifier - 2.5.29.14 Critical: no Key Identifier: 56:62:BA:AC:E1:81:BD:90:A7:98:AA:E9:5E:B6:F2:0B: 48:79:BE:5E Identifier: 1.3.6.1.5.5.7.1.1 Critical: no Value: 30:4A:30:48:06:08:2B:06:01:05:05:07:30:01:86:3C: 68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65: 73:74:30:31:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67: 2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A: 38:30:38:30:2F:63:61:2F:6F:63:73:70 Signature: Algorithm: SHA256withEC - 1.2.840.10045.4.3.2 Signature: 30:46:02:21:00:F4:73:FC:5A:EB:B6:44:BF:CB:A4:EE: 06:53:B3:BB:97:47:F7:E9:A5:7A:37:20:74:66:5A:C7: 06:B3:B6:34:4A:02:21:00:83:FE:F5:F3:2D:16:60:D5: 6E:BC:95:E6:3A:7F:69:E5:67:BB:46:8A:7B:0F:1E:9C: 89:25:CE:C6:26:9B:85:F8 FingerPrint MD2: 99:6F:3A:6E:96:A8:62:09:3A:A3:72:F7:79:E4:B2:9A MD5: C7:81:20:93:3D:79:0D:84:43:B6:A6:22:47:1D:6C:56 SHA-1: 21:7F:B6:B1:6D:28:D2:4C:43:41:B3:8D:46:4B:1E:CB: 92:59:8C:CB SHA-256: 60:F2:7C:E1:67:70:9B:32:A8:99:5C:3F:1D:E5:BE:2B: 79:CD:F8:0E:2B:3E:CA:63:29:9A:D2:E1:EB:DA:49:C5 SHA-512: D7:BC:AF:6D:65:AA:C6:03:7D:E2:C5:46:DE:5F:48:8C: 1D:68:8D:27:AF:AA:90:84:87:BB:50:EC:41:56:B6:24: 9A:57:90:24:36:93:7A:43:EA:BD:D1:2A:22:25:CF:7F: 57:22:1C:47:25:84:02:B0:08:AD:85:70:4C:FE:90:AA Number of controls is 1 Control #0: CMCStatusInfoV2 OID: {1 3 6 1 5 5 7 7 25} BodyList: 1 Status: SUCCESS CMC Full Response Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0168 |