Bug 1710105

Summary: JSS: add RSA PSS support
Product: Red Hat Enterprise Linux 7
Reporter: Christina Fu <cfu>
Component: jss
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.9
CC: aakkiang, ascheel, mharmsen, msauton, prisingh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jss-4.4.9-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1824939 (view as bug list) Environment:
Last Closed: 2020-09-29 20:00:37 UTC
Type: Bug
Bug Blocks: 1824939    

Description Christina Fu 2019-05-14 21:32:23 UTC
Description of problem:

It was discovered that Thales HSM SW12.50 when in FIPS mode does not allow PKCS1 RSA signing.  Instead, RSA PSS (Probabilistic Signature Scheme) is required.

It is important that we support both mechanisms, as not all crypto modules support PSS.

Comment 3 Jack Magne 2019-09-06 01:00:02 UTC
Moving to 7.9 to have time to finish this feature more completely.

Comment 4 Jack Magne 2020-03-29 19:22:21 UTC
Patch reviewed and checked in:


* v4.4.x    e1ee07a [ahead 1] JSS RSA-PSS support first cut.

commit e1ee07a3c19cd15d7dab1dedf383128a2b83b925
Author: root <root.lab.eng.rdu2.redhat.com>
Date:   Wed Dec 11 19:56:22 2019 -0500

    JSS RSA-PSS support first cut.
    
    Provide support for the various SHAxxxwithRSAPSS algorithms.
    
    Support for 256, 384, and 512 variants included.
    Included test case for SHA256withRSA/PSS.
    
    This fix also requires a corresponding fix to the pki server in
    order to exercise this functionality in the context of a pki
    ca server.
    
    Add some review suggestions.
    More review suggestions.

Comment 12 errata-xmlrpc 2020-09-29 20:00:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (jss bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3938