Bug 1632615

Summary: Permit certain SHA384 FIPS ciphers to be enabled by default for RSA and ECC . . . [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: pki-coreAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.6CC: aakkiang, cfu, cpelland, lmiksik, mharmsen, mjahoda, msauton, ssidhaye, toneata
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.9-7.el7_6 Doc Type: No Doc Update
Doc Text:
This patch adds SHA384 ciphers into the default cipher lists for both RSA and ECC.
Story Points: ---
Clone Of: 1554055 Environment:
Last Closed: 2019-01-29 17:21:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1554055    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-09-25 08:43:51 UTC
This bug has been copied from bug #1554055 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-10-26 22:54:05 UTC
Test Procedure

See https://bugzilla.redhat.com/show_bug.cgi?id=1554055#c11

Comment 4 Sumedh Sidhaye 2018-11-14 07:28:10 UTC
Build used for verification:

root@csqa4-guest01 hsm_setup # rpm -qi pki-base
Name        : pki-base
Version     : 10.5.9
Release     : 7.el7_6


Installation with RSA for CA and KRA with only SHA384 ciphers succeeded

Key archival succeeded:

root@csqa4-guest01 hsm_setup # pki -d /tmp/nssdb/ -c SECret.123 client-cert-request CN=foo1 --profile caSigningUserCert --type crmf
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 14
  Type: enrollment
  Request Status: pending
  Operation Result: success

root@csqa4-guest01 hsm_setup # pki -d /tmp/nssdb/ -c SECret.123 -n "PKI CA Administrator for rhcs94-CA-ssidhaye" cert-request-review 14 --action approve
-------------------------------
Approved certificate request 14
-------------------------------
  Request ID: 14
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x553d6d1


root@csqa4-guest01 hsm_setup # pki -d /tmp/nssdb/ -c SECret.123 -p 20080 -n "PKI KRA Administrator rhcs94-KRA-ssidhaye" kra-key-find
----------------
1 key(s) matched
----------------
  Key ID: 0x1
  Algorithm: 1.2.840.113549.1.1.1
  Size: 1024
  Owner: CN=foo1
----------------------------
Number of entries returned 1
----------------------------

Comment 5 Sumedh Sidhaye 2018-11-14 08:59:28 UTC
Installation with ECC for CA and KRA with only SHA384 ciphers succeeded

Followed instructions from 
https://www.dogtagpki.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Agent-signed_EC_cmc_request

successfully submitted agent-signed CMC request

root@csqa4-guest01 ecc_working_cfgs # CMCResponse -d nssdb/ -i cmc.role_p10-ec.resp
Certificates: 
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x8908A9B
            Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
            Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA
            Validity: 
                Not Before: Wednesday, November 14, 2018 3:54:46 AM EST America/New_York
                Not  After: Monday, May 13, 2019 3:54:46 AM EDT America/New_York
            Subject: CN=testuserEC
            Subject Public Key Info: 
                Algorithm: EC - 1.2.840.10045.2.1
                Public Key: 
                    04:87:2B:D5:7E:8A:87:B0:15:2E:C4:FE:D6:E5:A5:F8:
                    53:42:05:AB:37:1C:35:A8:BF:6A:5F:6C:01:D2:7B:05:
                    C7:C0:B3:99:AB:3B:7C:4B:6C:4C:F7:8B:04:28:07:C1:
                    BF:D2:1A:EA:69:31:52:B4:07:52:3D:9A:99:B9:E7:BA:
                    0E
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        56:62:BA:AC:E1:81:BD:90:A7:98:AA:E9:5E:B6:F2:0B:
                        48:79:BE:5E
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:4A:30:48:06:08:2B:06:01:05:05:07:30:01:86:3C:
                        68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65:
                        73:74:30:31:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67:
                        2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A:
                        38:30:38:30:2F:63:61:2F:6F:63:73:70
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key Agreement 
                Identifier: Extended Key Usage: - 2.5.29.37
                    Critical: no 
                    Extended Key Usage: 
                        1.3.6.1.5.5.7.3.2
                        1.3.6.1.5.5.7.3.4
        Signature: 
            Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
            Signature: 
                30:45:02:20:50:17:25:DA:05:E3:64:11:29:F8:71:05:
                6C:86:77:7D:DE:0C:F5:53:6C:B9:22:90:F9:C8:83:7C:
                82:13:44:93:02:21:00:E5:0C:3B:2B:E5:FB:92:32:8B:
                83:21:B5:5B:EA:94:4F:53:5F:E2:51:65:C2:F2:12:2C:
                1D:BB:19:65:0C:FC:FA
        FingerPrint
            MD2:
                88:C5:3B:B8:F5:F1:DF:E7:54:95:55:8D:C8:74:2B:36
            MD5:
                AF:57:A8:99:39:CE:EA:07:63:B7:01:C9:DC:6E:83:0A
            SHA-1:
                50:38:66:44:ED:41:25:FF:D3:D1:19:3F:D9:A5:CB:24:
                5E:A7:7E:49
            SHA-256:
                4A:F9:BA:68:5F:6A:7D:66:02:C1:2A:CD:AF:EB:B3:C1:
                D8:77:5B:96:89:A0:07:65:1C:42:07:87:46:4F:1C:CF
            SHA-512:
                E5:F9:37:C2:F7:B1:12:67:3D:99:65:FF:A8:73:19:8C:
                BB:5D:8F:D0:49:9D:66:97:57:E1:12:5C:69:6D:CE:56:
                D8:C8:7A:19:92:4A:2B:02:60:22:15:D7:25:16:C7:04:
                46:68:CC:C6:3F:F0:7B:C9:71:D6:22:E0:3F:CF:34:B5
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x8C182B5
            Signature Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
            Issuer: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA
            Validity: 
                Not Before: Wednesday, November 14, 2018 3:25:56 AM EST America/New_York
                Not  After: Sunday, November 14, 2038 3:25:56 AM EST America/New_York
            Subject: CN=CA Signing Certificate,OU=rhcs94-CA-ECC-ssidhaye,O=Example-rhcs94-CA
            Subject Public Key Info: 
                Algorithm: EC - 1.2.840.10045.2.1
                Public Key: 
                    04:E8:9E:CC:20:C3:87:95:85:05:EF:F3:FA:D4:E4:61:
                    89:C4:04:AA:49:BE:35:25:B5:5C:5D:F9:03:B1:3A:BA:
                    28:E4:AF:C7:53:11:5F:D5:03:E4:29:1D:25:84:63:D3:
                    67:98:89:0C:D2:9B:09:5D:DD:21:31:55:3D:47:08:7F:
                    F3
            Extensions: 
                Identifier: Authority Key Identifier - 2.5.29.35
                    Critical: no 
                    Key Identifier: 
                        56:62:BA:AC:E1:81:BD:90:A7:98:AA:E9:5E:B6:F2:0B:
                        48:79:BE:5E
                Identifier: Basic Constraints - 2.5.29.19
                    Critical: yes 
                    Is CA: yes 
                    Path Length Constraint: UNLIMITED
                Identifier: Key Usage: - 2.5.29.15
                    Critical: yes 
                    Key Usage: 
                        Digital Signature 
                        Non Repudiation 
                        Key CertSign 
                        Crl Sign 
                Identifier: Subject Key Identifier - 2.5.29.14
                    Critical: no 
                    Key Identifier: 
                        56:62:BA:AC:E1:81:BD:90:A7:98:AA:E9:5E:B6:F2:0B:
                        48:79:BE:5E
                Identifier: 1.3.6.1.5.5.7.1.1
                    Critical: no 
                    Value: 
                        30:4A:30:48:06:08:2B:06:01:05:05:07:30:01:86:3C:
                        68:74:74:70:3A:2F:2F:63:73:71:61:34:2D:67:75:65:
                        73:74:30:31:2E:69:64:6D:2E:6C:61:62:2E:65:6E:67:
                        2E:72:64:75:2E:72:65:64:68:61:74:2E:63:6F:6D:3A:
                        38:30:38:30:2F:63:61:2F:6F:63:73:70
        Signature: 
            Algorithm: SHA256withEC - 1.2.840.10045.4.3.2
            Signature: 
                30:46:02:21:00:F4:73:FC:5A:EB:B6:44:BF:CB:A4:EE:
                06:53:B3:BB:97:47:F7:E9:A5:7A:37:20:74:66:5A:C7:
                06:B3:B6:34:4A:02:21:00:83:FE:F5:F3:2D:16:60:D5:
                6E:BC:95:E6:3A:7F:69:E5:67:BB:46:8A:7B:0F:1E:9C:
                89:25:CE:C6:26:9B:85:F8
        FingerPrint
            MD2:
                99:6F:3A:6E:96:A8:62:09:3A:A3:72:F7:79:E4:B2:9A
            MD5:
                C7:81:20:93:3D:79:0D:84:43:B6:A6:22:47:1D:6C:56
            SHA-1:
                21:7F:B6:B1:6D:28:D2:4C:43:41:B3:8D:46:4B:1E:CB:
                92:59:8C:CB
            SHA-256:
                60:F2:7C:E1:67:70:9B:32:A8:99:5C:3F:1D:E5:BE:2B:
                79:CD:F8:0E:2B:3E:CA:63:29:9A:D2:E1:EB:DA:49:C5
            SHA-512:
                D7:BC:AF:6D:65:AA:C6:03:7D:E2:C5:46:DE:5F:48:8C:
                1D:68:8D:27:AF:AA:90:84:87:BB:50:EC:41:56:B6:24:
                9A:57:90:24:36:93:7A:43:EA:BD:D1:2A:22:25:CF:7F:
                57:22:1C:47:25:84:02:B0:08:AD:85:70:4C:FE:90:AA


Number of controls is 1
Control #0: CMCStatusInfoV2
   OID: {1 3 6 1 5 5 7 7 25}
   BodyList: 1 
   Status: SUCCESS
CMC Full Response

Comment 7 errata-xmlrpc 2019-01-29 17:21:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168