Bug 1898641

Summary: Need to add new signature algorithms for NSS.
Product: Fedora
Component: crypto-policies
Reporter: Bob Relyea <rrelyea>
Assignee: Alexander Sosedkin <asosedki>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: asosedki, crypto-team, dueno, lef, n.mavrogiannopoulos, ssorce, tmraz
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 34
Hardware: Unspecified
OS: Unspecified
Fixed In Version: crypto-policies-20210118-1.gitb21c811
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2022-01-11 16:13:29 UTC

Attachments:
- Add rsa-pss, rsa-pkcs, and ecdsa to the nss policies. (flags: none)

Description Bob Relyea 2020-11-17 17:51:36 UTC
Upstream NSS just added policy support for rsa-pkcs, rsa-pss, and ecdsa as signature algorithms in NSS 3.59. crypto policies needs to add maps from the signature values to these new algorithm types. Without these new algorithms, rsa signatures will break when policies are installed.

The challenge is we can't add these to crypto policies before NSS updates because nss-check-policy will fail (we really need to have an option for nss-check-policy to allow *NEW* unknown policies (sigh)).

Anyway, the NSS 3.59 update needs to be coordinated with crypto policies.

Comment 1 Bob Relyea 2020-11-17 18:00:28 UTC
Created attachment 1730246: Add rsa-pss, rsa-pkcs, and ecdsa to the nss policies.

This patch also disables acting on the results of the policy check so it can be added before the new NSS is included.

Comment 4 Alexander Sosedkin 2021-01-18 18:24:07 UTC
Upstream merge request: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/84

Comment 5 Ben Cotton 2021-02-09 15:25:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.