Bug 1664802
| Field | Value |
|---|---|
| Summary | httpd fails to use RSA-PSS keys and certificates on PKCS#11 device |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Stanislav Zidek <szidek> |
| Component | openssl-pkcs11 |
| Assignee | Jakub Jelen <jjelen> |
| Status | CLOSED WONTFIX |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | medium |
| Version | 8.0 |
| CC | ansasaki, bnater, igkioka, jjelen, jorton, lmanasko, luhliari, mjahoda, pasik, szidek, tmraz |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | 8.0 |
| Hardware | All |
| OS | Linux |
| Doc Type | Known Issue |
| Clone Of | |
| | 1664807 |
| Last Closed | 2021-02-01 07:31:52 UTC |
| Type | Bug |
| Bug Depends On | 1682502 |
| Bug Blocks | |

Doc Text:

.Apache `httpd` fails to start if it uses an RSA private key stored in a PKCS#11 device and an RSA-PSS certificate

The PKCS#11 standard does not differentiate between RSA and RSA-PSS key objects and uses the `CKK_RSA` type for both. However, OpenSSL uses different types for RSA and RSA-PSS keys. As a consequence, the `openssl-pkcs11` engine cannot determine which type should be provided to OpenSSL for PKCS#11 RSA key objects. Currently, the engine sets the key type to RSA for all PKCS#11 `CKK_RSA` objects. When OpenSSL compares the type of an RSA-PSS public key obtained from the certificate with the type contained in an RSA private key object provided by the engine, it concludes that the types are different. Therefore, the certificate and the private key do not match. The check performed in the `X509_check_private_key()` OpenSSL function returns an error in this scenario. The `httpd` web server calls this function in its startup process to check whether the provided certificate and key match. Since this check always fails for a certificate containing an RSA-PSS public key and an RSA private key stored in the PKCS#11 module, `httpd` fails to start with this configuration. There is no workaround available for this issue.
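The mismatch itself is decided inside OpenSSL, but the configuration that triggers it can be spotted before `httpd` is restarted. The following Python check is an added example, not code from the bug report or from the `openssl-pkcs11` project: it walks a DER certificate to the `SubjectPublicKeyInfo` algorithm OID and flags a vhost that pairs an RSA-PSS certificate (`id-RSASSA-PSS`, 1.2.840.113549.1.1.10) with a key referenced through a `pkcs11:` URI. The `SSLCertificateKeyFile "pkcs11:..."` directive form is assumed, and the `sample_cert` skeleton and the config line are constructed inputs for the example.

```python
import re
RSASSA_PSS = "1.2.840.113549.1.1.10"     # id-RSASSA-PSS public-key OID
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption (plain RSA) OID

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):  # elements directly inside a constructed element
    while start < end:
        elem = _tlv(buf, start)
        yield elem
        start = elem[2]
def _decode_oid(raw):  # OID content octets -> dotted form (base-128 arcs)
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def cert_public_key_oid(der):  # algorithm OID of SubjectPublicKeyInfo in a DER X.509 cert
    _, tbs_start, tbs_end = _tlv(der, _tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                            # skip optional [0] version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, alg_start, alg_end = next(_children(der, fields[5][1], fields[5][2]))
    _, oid_start, oid_end = next(_children(der, alg_start, alg_end))
    return _decode_oid(der[oid_start:oid_end])
def rsa_pss_key_on_pkcs11(httpd_conf, cert_der):
    """True for the combination this bug breaks: key via a pkcs11: URI + RSA-PSS cert.
    Assumption: the key is configured as SSLCertificateKeyFile "pkcs11:..." (mod_ssl)."""
    in_token = re.search(r'^\s*SSLCertificateKeyFile\s+"?pkcs11:', httpd_conf, re.M)
    return bool(in_token) and cert_public_key_oid(cert_der) == RSASSA_PSS

def _der(tag, body):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(body)]) + body
def sample_cert(pubkey_oid):  # constructed certificate skeleton, not a real cert
    empty = _der(0x30, b"")                             # stands in for sig/issuer/validity/subject
    spki = _der(0x30, _der(0x30, _der(0x06, pubkey_oid)) + _der(0x03, b"\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))
PSS_OID = bytes.fromhex("2a864886f70d01010a")           # constructed: id-RSASSA-PSS
RSA_OID = bytes.fromhex("2a864886f70d010101")           # constructed: rsaEncryption
CONF = 'SSLCertificateKeyFile "pkcs11:token=HSM;object=webkey"\n'  # constructed vhost line
```

On a real deployment, feed `cert_public_key_oid` the DER of the file named by `SSLCertificateFile` (PEM can be base64-decoded first) and the vhost text to `rsa_pss_key_on_pkcs11`; a `True` result is exactly the case the Doc Text says cannot start.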
Description (Stanislav Zidek, 2019-01-09 17:02:36 UTC)

This issue was set to high priority because it has no workaround and it has high impact on a small amount of users. After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.