Bug 2062822

Summary: openssl-3.0.1-14.el9 creates invalid RSA PKCS1v1.5 SHA-1 signature [rhel-9.1.0]
Product: Red Hat Enterprise Linux 9
Reporter: RHEL Program Management Team <pgm-rhel-tools>
Component: python-cryptography
Assignee: Christian Heimes <cheimes>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: cllang, dbelyavs, frenaud, lmiksik, myusuf, ssidhaye, sumenon
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-cryptography-36.0.1-1.el9
Clone Of: 2060343
Last Closed: 2022-11-15 10:10:47 UTC
Bug Depends On: 2060343, 2060787

Comment 7 Sumedh Sidhaye 2022-04-24 12:46:01 UTC
Verification using latest RHEL 9.1 nightly compose

[root@ci-vm-10-0-139-235 ~]# rpm -qi python3-cryptography
Name        : python3-cryptography
Version     : 36.0.1
Release     : 2.el9
Architecture: x86_64
Install Date: Sun 24 Apr 2022 08:31:36 AM EDT
Group       : Unspecified
Size        : 4760969
License     : ASL 2.0 or BSD
Signature   : RSA/SHA256, Tue 19 Apr 2022 09:17:06 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : python-cryptography-36.0.1-2.el9.src.rpm
Build Date  : Tue 19 Apr 2022 07:52:44 AM EDT
Build Host  : x86-vm-54.build.eng.bos.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://cryptography.io/en/latest/
Summary     : PyCA's cryptography library
Description :
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
[root@ci-vm-10-0-139-235 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.1 Beta (Plow)
[root@ci-vm-10-0-139-235 ~]# rpm -q --changelog python3-cryptography
* Tue Apr 19 2022 Christian Heimes <cheimes> - 36.0.1-2
- Rebuild for gating, related: rhbz#2060787

* Fri Mar 04 2022 Christian Heimes <cheimes> - 36.0.1-6
- Rebase to 36.0.1, related: rhbz#2059630, rhbz#2060787
- OpenSSL 3.0 FIPS mode is now detected correctly, related: rhbz#2054785
- Fix error check from EVP_PKEY_CTX_set_signature_md, related: rhbz#2060343
- Block 3DES in FIPS mode, related: rhbz#2055209
- Disable DSA tests in FIPS mode
- Enable SHA1 signatures in test suite
- Fix serialization of keyusage ext with no bits
- Re-enable tests that are passing again

[root@ci-vm-10-0-139-235 ~]# python
Python 3.9.10 (main, Feb  9 2022, 00:00:00) 
[GCC 11.2.1 20220127 (Red Hat 11.2.1-9)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from cryptography.hazmat.backends.openssl import backend
>>> backend._is_fips_enabled()
False
>>> from cryptography.hazmat.primitives.asymmetric import rsa
>>> from cryptography.hazmat.primitives import hashes
>>> from cryptography.hazmat.primitives.asymmetric import padding
>>> private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
>>> private_key.sign(b"message", padding.PKCS1v15(), hashes.SHA1())
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 501, in sign
    return _rsa_sig_sign(self._backend, padding, algorithm, self, data)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 244, in _rsa_sig_sign
    pkey_ctx = _rsa_sig_setup(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 213, in _rsa_sig_setup
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: sha1 is not supported by this backend for RSA signing.
>>> 

[root@ci-vm-10-0-139-235 ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
[root@ci-vm-10-0-139-235 ~]#
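
Added example, not part of the bug report or of python-cryptography: a probe that classifies the backend's RSA PKCS1v1.5 signing for one hash as "unsupported" (the result in the session above), "ok", or "invalid" (the failure named in the bug summary). It checks the signature against the RFC 8017 encoding with plain integer arithmetic instead of the backend's own verifier; the names `expected_em` and `probe` are hypothetical.

```python
import hashlib

from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# DER DigestInfo prefixes from RFC 8017, section 9.2 (notes).
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def expected_em(message, hash_name, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || digest."""
    # usedforsecurity=False keeps the reference digest available even
    # where the system policy restricts SHA-1.
    digest = hashlib.new(hash_name, message, usedforsecurity=False).digest()
    t = DIGEST_INFO[hash_name] + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def probe(key, algorithm, message=b"message"):
    """Return 'unsupported', 'ok' or 'invalid' for one hash algorithm."""
    try:
        sig = key.sign(message, padding.PKCS1v15(), algorithm)
    except UnsupportedAlgorithm:
        return "unsupported"  # backend refuses instead of signing
    pub = key.public_key().public_numbers()
    k = (key.key_size + 7) // 8
    if len(sig) != k:
        return "invalid"
    # Raw RSA public operation: recover the encoded message from the signature.
    em = pow(int.from_bytes(sig, "big"), pub.e, pub.n).to_bytes(k, "big")
    return "ok" if em == expected_em(message, algorithm.name, k) else "invalid"


if __name__ == "__main__":
    # Constructed test key, generated locally for the probe only.
    test_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    for alg in (hashes.SHA1(), hashes.SHA256()):
        print(alg.name, probe(test_key, alg))
```

A result of "invalid" for any hash means the backend returned bytes that are not a valid signature for that hash and should be treated as a packaging or policy defect.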

Comment 9 errata-xmlrpc 2022-11-15 10:10:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-cryptography bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8015