Bug 2068935

Summary: MIT krb5 client does not set "supportedCMSTypes" for pkinit and therefore Heimdal KDC uses SHA1 for CMS signature
Product: Red Hat Enterprise Linux 9 Reporter: Filip Dvorak <fdvorak>
Component: krb5Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA QA Contact: Filip Dvorak <fdvorak>
Severity: medium Docs Contact: Filip Hanzelka <fhanzelk>
Priority: high    
Version: 9.0CC: dvozenil, fdvorak, fhanzelk, pasik
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.19.1-22.el9 Doc Type: Bug Fix
Doc Text:
.PKINIT user authentication now works correctly in the RHEL 9 Kerberos client - Heimdal KDC scenario Previously, the PKINIT authentication of an IdM user on a RHEL 9 Kerberos client against the Heimdal Kerberos Distribution Center (KDC) failed. This failure occurred because the Kerberos client did not support the `supportedCMSTypes` field required in the context of the deprecation of the SHA-1 algorithm in RHEL 9. With this update, the RHEL 9 Kerberos client sends a list of signature algorithms including `sha512WithRSAEncryption`, and `sha256WithRSAEncryption` as `supportedCMSTypes` during PKINIT to Heimdal KDC. Heimdal KDC uses `sha512WithRSAEncryption` and, as a result, PKINIT authentication works correctly.
 Story Points: ---
Clone Of:
: 2114766 (view as bug list) Environment:
Last Closed: 2022-11-15 11:11:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2027125    
Bug Blocks: 2106296, 2114766    

Description Filip Dvorak 2022-03-27 18:27:34 UTC 
Description of problem:
The following test "/Sanity/heimdal-sanity/" failed when the MIT client try to do PKINIT with Heimdal KDC. 

The problem is that MIT krb5 does not set "supportedCMSTypes" for PKINIT and as a result, the Heimdall sets signature algorithm which uses SHA1.
https://github.com/heimdal/heimdal/blob/heimdal-7.7.0/kdc/pkinit.c#L759

The possible solution:
1  Modify Heimdal to use SHA-2 in case supportedCMSTypes is not provided by the client
2. Add "supportedCMSTypes" support into MIT krb5

Version-Release number of selected component (if applicable):
openssl-3.0.1-20.el9_0.x86_64
krb5-server-1.19.1-15.el9_0.x86_64
heimdal-server-7.7.0-6.x86_64
crypto-policies=DEFAULT

How reproducible:
always

Steps to Reproduce:
1. Install Heimdal KDC
   kstash --random-key
   heimdal-kadmin --local init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited TEST.REDHAT.COM
   heimdal-kadmin --realm=TEST.REDHAT.COM --local add --password=alice --max-ticket-life=1d --max-renewable-life=1w --expiration-time=never --pw-expiration-time=never --policy=default --attributes=  alice.COM
   Generate certificates for client and KDC with the help of this script:
   https://gitlab.cee.redhat.com/identity-management/krb5-tests/-/blob/RHEL9.0/tests/Sanity/pkinit-sanity/make_pkinit_cert.sh 
   ./make_pkinit_cert.sh ca ca
    server certs:
   ./make_pkinit_cert.sh kdc kdc CA=ca CN=$HostName REALM=TEST.REDHAT.COM CLIENT=$HostName
   client certs:
   ./make_pkinit_cert.sh client $krb5User CA=ca CN=$krb5User"
   ./make_pkinit_cert.sh client-sign $krb5User CA=ca CN=$krb5User REALM=TEST.REDHAT.COM CLIENT=$krb5User"
  
add pkinit options into heimdal-kdc.conf
      pkinit_identity = FILE:/tmp/kdc.pem,/tmp/kdckey.pem
      pkinit_anchors = FILE:/tmp/cacert.pem
   systemctl start heimdal-kdc

heimdal-kdc.conf:

[kdc]
  allow-anonymous = yes
  pkinit_identity = FILE:/tmp/kdc.pem,/tmp/kdckey.pem
  pkinit_anchors = FILE:/tmp/cacert.pem
  enable-pkinit = yes
  enable-http = true

[kadmin]
  require-preauth = true

2. Set MIT krb5
   sed -i "s/\[libdefaults\]/[libdefaults]\n default_realm = TEST.REDHAT.COM/" /etc/krb5.conf
   sed -i "s/\[realms\]/[realms]\n TEST.REDHAT.COM = {\n  kdc = $KDC_HostName\n  admin_server = $KDC_HostName\n }/" /etc/krb5.conf
   sed -i "s/\[domain_realm\]/[domain_realm]\n .$KDC_DomainName = TEST.REDHAT.COM\n $DKC_DomainName = TEST.REDHAT.COM/" /etc/krb5.conf

3. try kinit alice.COM (with -X parameters: X509_user_identity=FILE:/tmp/alice,pem,X509_anchors=FILE:/tmp/ca.pem) or anonymous pkinit

Actual results:
# kinit -n'
[8501] 1648404167.147255: Matching WELLKNOWN/ANONYMOUS.COM in collection with result: -1765328243/Can't find client principal WELLKNOWN/ANONYMOUS.COM in cache collection
[8501] 1648404167.147256: Getting initial credentials for WELLKNOWN/ANONYMOUS.COM
[8501] 1648404167.147258: Sending unauthenticated request
[8501] 1648404167.147259: Sending request (213 bytes) to TEST.REDHAT.COM
...
[8501] 1648404167.147288: Sending DNS URI query for _kerberos.TEST.REDHAT.COM.
[8501] 1648404167.147289: No URI records found
[8501] 1648404167.147290: Sending DNS SRV query for _kerberos-master._udp.TEST.REDHAT.COM.
[8501] 1648404167.147291: Sending DNS SRV query for _kerberos-master._tcp.TEST.REDHAT.COM.
[8501] 1648404167.147292: No SRV records found
[8501] 1648404167.147293: Response was not from primary KDC
[8501] 1648404167.147294: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[8501] 1648404167.147295: Preauth module pkinit (147) (info) returned: 0/Success
[8501] 1648404167.147296: PKINIT OpenSSL error: Failed to verify CMS message
[8501] 1648404167.147297: PKINIT OpenSSL error: error:1700006B:CMS routines::content type not enveloped data
[8501] 1648404167.147298: PKINIT OpenSSL error: error:03000098:digital envelope routines::invalid digest
[8501] 1648404167.147299: PKINIT client could not verify DH reply
[8501] 1648404167.147300: Preauth module pkinit (17) (real) returned: -1765328320/Failed to verify CMS message: content type not enveloped data
[8501] 1648404167.147301: Produced preauth for next request: (empty)
[8501] 1648404167.147302: Salt derived from principal: WELLKNOWN:ANONYMOUSWELLKNOWNANONYMOUS
[8501] 1648404167.147303: Getting AS key, salt "WELLKNOWN:ANONYMOUSWELLKNOWNANONYMOUS", params "\x00\x00\x10\x00"
Password for WELLKNOWN/ANONYMOUS.COM: 
[8501] 1648404193.258727: AS key obtained from gak_fct: aes256-cts/39D4
[8501] 1648404193.258728: Retrying AS request with primary KDC
[8501] 1648404193.258729: Getting initial credentials for WELLKNOWN/ANONYMOUS.COM
[8501] 1648404193.258731: Sending unauthenticated request
[8501] 1648404193.258732: Sending request (213 bytes) to TEST.REDHAT.COM (primary)
[8501] 1648404193.258733: Sending DNS URI query for _kerberos.TEST.REDHAT.COM.
[8501] 1648404193.258734: No URI records found
[8501] 1648404193.258735: Sending DNS SRV query for _kerberos-master._udp.TEST.REDHAT.COM.
[8501] 1648404193.258736: Sending DNS SRV query for _kerberos-master._tcp.TEST.REDHAT.COM.
[8501] 1648404193.258737: No SRV records found
kinit: Password incorrect while getting initial credentials

Expected results:
kinit -n or kinit <user> with pkinit should pass

Additional info:
It works with DEFAULT:SHA1 crypto-policy
Comment 1 Julien Rische 2022-03-28 06:55:54 UTC 
The switch to SHA-256 as default digest algorithm in Heimdal[1] is not effective in practice for Kerberos clients which are not implementing algorithm agility for CMS. I think the current Heimdal implementation makes sense for backward compatibility, and setting the "supportedCMSTypes" field in MIT krb5 should be the way to go.

Until this is implemented, I am afraid RHEL9 clients have to enable SHA1 crypto sub-policy if they are authenticating against Heimdal KDC using PKINIT.

[1] https://github.com/heimdal/heimdal/commit/c4c71cc41a2763a23867c7c6a041d1f4f1ebcbf7
Comment 7 Julien Rische 2022-05-31 08:42:26 UTC 
To be more precise, the Heimdal KDC expects the attribute "supportedCMSTypes" to be set[1]. If not it falls back to one of these ciphers:

* des-ede3-cbc
* sha1-with-rsa-signature
* sha-1

All of them being unavailable on RHEL9.

[1] https://github.com/heimdal/heimdal/blob/heimdal-7.7.0/kdc/pkinit.c#L759-L776
Comment 8 Julien Rische 2022-05-31 10:32:28 UTC 
According to RFC4556[1], the PKINIT client can either indicate supported CMS ciphers as etypes in the AS-REQ, or as OIDs in the "supportedCMSTypes" attribute of the AuthPack. All the available etypes for the first method are now referring to deprecated algorithms, hence the only way to advertise recent ciphers it to use "supportedCMSTypes".

This is actually what MIT krb5 is supposed to do because CMS-dedicated etypes are not used at all[2]. The "supportedCMSTypes" attribute is actually set in upstream project, but this section of the code was removed[3] in C9S/RHEL release because it was only populated with DES OID. A better approach would be to replace DES, by SHA2-based ciphers. This would allow proper integration with Heimdal.

[1] https://datatracker.ietf.org/doc/html/rfc4556#section-3.1.4
[2] https://github.com/krb5/krb5/blob/krb5-1.20-final/src/include/krb5/krb5.hin#L427-L433
[3] https://gitlab.com/redhat/centos-stream/rpms/krb5/-/blob/c9s/downstream-Remove-3des-support.patch#L5786-5793
Comment 9 Julien Rische 2022-06-01 13:29:56 UTC 
I have successfully run the test with heimdal-7.7.0-11.fc36 on RHEL-9.1.0-20220531.0 using a scratch build[1] using SHA-256 and SHA-512 as supportedCMSTypes.

I think this fix should be implemented upstream to replace DES3[2] by SHA-2, or at least implement a CMS digest list that would be more flexible to configure.

[1] http://brew-task-repos.usersys.redhat.com/repos/scratch/jrische/krb5/1.19.1/21.bz2068935.1.el9_0/x86_64/
[2] https://github.com/krb5/krb5/blob/krb5-1.20-final/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c#L5495
Comment 10 Julien Rische 2022-06-01 20:28:28 UTC 
Pull request:
https://github.com/krb5/krb5/pull/1254
Comment 11 Julien Rische 2022-07-01 10:21:27 UTC 
The following points were raised in the pull request[1]:

* The current upstream implementation set "supportedCMSTypes" with an algorithm which is unsupported by Heimdal, resulting in default digest and signature algorithms (sha256 and sha256WithRSAEncryption) being selected. Hence, the SHA-1 signature verification issue does not occur with upstream version.

* Under strict interpretation of RFC 4556 section 3.2.1 step 5[2], only signature algorithm OIDs are allowed in "supportedCMSTypes" (not digest algorithms).

* Test showed that AD is ignoring the content or "suuportedCMSTypes". Also, AD KDC does not support SHA2-based algorithms. Removing dependency on SHA-1 for AD interoperability would require implementing RFC 5349 (ECC for PKINIT)[3].

* Heimdal and OpenSSL are implementing the verification of CMS data signature in incompatible ways: OpenSSL seems to only be looking at the digest algorithm, not taking the signature one into account. As a consequence, when they are not relying on the same hashing algorithm (e.g. sha512 as digest and sha256WithRSAEncryption as signature), verification fails because the signature is compared to a different type of digest.

[1] https://github.com/krb5/krb5/pull/1254
[2] https://www.rfc-editor.org/rfc/rfc4556.html#page-12
[3] https://www.rfc-editor.org/rfc/rfc5349.html
[4] https://github.com/openssl/openssl/blob/openssl-3.0.1/crypto/cms/cms_sd.c#L788
[5] https://github.com/openssl/openssl/blob/openssl-3.0.1/crypto/cms/cms_sd.c#L963
Comment 12 Julien Rische 2022-07-06 12:15:38 UTC 
Postponed again because the CMS incompatibility issue is being discussed with Heimdal and OpenSSL teams:

https://github.com/heimdal/heimdal/issues/1000
https://github.com/openssl/openssl/issues/18729
Comment 30 errata-xmlrpc 2022-11-15 11:11:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (krb5 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8271