Bug 2077450
| Summary: | [RFE] Infer PKINIT CMS data digest from supportedCMSTypes | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ivan Nikolchev <inikolch> |
| Component: | krb5 | Assignee: | Julien Rische <jrische> |
| Status: | CLOSED MIGRATED | QA Contact: | Michal Polovka <mpolovka> |
| Severity: | unspecified | Docs Contact: | Filip Hanzelka <fhanzelk> |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | asosedki, frenaud, gfialova, jjelen, jrische, lkuprova, mhavrila, mjahoda |
| Target Milestone: | rc | Keywords: | FutureFeature, MigratedToJIRA, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |
| Doc Text: |
.The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL-9 and non-AD Kerberos agent
If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the user fails. To work around the problem, perform one of the following actions:
* Set the RHEL 9 agent's crypto-policy to `DEFAULT:SHA1` to allow the verification of SHA-1 signatures:
+
----
# update-crypto-policies --set DEFAULT:SHA1
----
* Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions that use SHA-256 instead of SHA-1:
** CentOS 9 Stream: krb5-1.19.1-15
** RHEL 8.7: krb5-1.18.2-17
** RHEL 7.9: krb5-1.15.1-53
** Fedora Rawhide/36: krb5-1.19.2-7
** Fedora 35/34: krb5-1.19.2-3
As a result, the PKINIT authentication of the user works correctly.
Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs CMS data with SHA-256 instead of SHA-1.
See also xref:BZ-2060798[].
|
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-09-18 19:02:22 UTC | Type: | Story |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2027125, 2106043, 2214326 | | |
| Attachments: | | | |

This error is due to the fact that the KDC used in this setup is running on RHEL 8.5. Hence, it hasn't been patched to use SHA-2 for CMS signatures instead (SHA-1 signature verification being blocked by the DEFAULT crypto-policy on RHEL9). We thought the SHA-1 issue was affecting anonymous PKINIT only, but this error, and the further tests I did with certificate files and softhsm2 virtual smartcards, are showing this actually affects all use cases of PKINIT.

The fix we provided for bug 2066316 resolves this issue too, but we should make clear in the documentation and release notes that in case a RHEL9 Kerberos agent interacts with another non-patched agent (regardless of which one is client or KDC), one of the following actions should be taken:

* Set the RHEL9 agent's crypto-policy to DEFAULT:SHA1 (to allow verification of SHA-1 signatures)
* Update the non-RHEL9 agent to be sure it won't sign CMS messages using SHA-1. Here are the versions providing this fix:
** RHEL 9 krb5-1.19.1-15
** RHEL 8.7 krb5-1.18.2-17
** RHEL 7.9 krb5-1.15.1-53
** Fedora 36/Rawhide krb5-1.19.2-7
** Fedora 35/34 krb5-1.19.2-3

The main reason why this fix has to be applied on all agents is that the current implementation for CMS signature does not pick the best possible digest cipher for the key being used, similarly to what Heimdal is doing[1]. In MIT krb5, the digest algorithm is hard-coded[2], making the switch difficult, especially when the algorithm in question is deprecated and even blocked in some environments (in the present case RHEL9).

What we can do at this point to keep such issues from happening again in the future is to implement proper algorithm deduction based on the source agent information provided. In the case of CMS data, using the "supportedCMSTypes" attribute, which was introduced in RFC8636[3]. This incomplete implementation was already reported to cause integration issues with Heimdal in bug 2068935.

[1] https://github.com/heimdal/heimdal/blob/master/lib/hx509/crypto.c#L2646-L2649
[2] https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c#L1230
[3] https://datatracker.ietf.org/doc/html/rfc8636.html#page-10

This ticket is actually an RFE: for PKINIT CMS data digest, MIT krb5 always uses SHA-256. Inferring the digest algorithm from the "supportedCMSTypes" attribute would simplify integration with other Kerberos clients and servers, and avoid the necessity to explicitly upgrade to a stronger algorithm in the future.

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

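The digest deduction proposed in the comments above (pick the CMS digest from the peer's `supportedCMSTypes` instead of hard-coding it), as an added C example; it is not MIT krb5 code and not part of the bug report. The function name `infer_cms_digest`, the algorithm table and its policy flags are assumptions made for illustration, and returning no digest when the peer lists nothing acceptable is a choice of this example.

```c
#include <stdio.h>
#include <string.h>

/* Signature algorithms this example recognises in supportedCMSTypes.
 * "allowed" models local crypto policy (here: SHA-1 blocked, as with the
 * RHEL 9 DEFAULT policy). Table contents are constructed. */
struct sig_alg {
    const char *oid;    /* signature algorithm OID, dotted form */
    const char *digest; /* digest to use for the CMS SignedData */
    int allowed;        /* non-zero if local policy permits it */
};

static const struct sig_alg known[] = {
    { "1.2.840.113549.1.1.13", "sha512", 1 }, /* sha512WithRSAEncryption */
    { "1.2.840.113549.1.1.11", "sha256", 1 }, /* sha256WithRSAEncryption */
    { "1.2.840.113549.1.1.5",  "sha1",   0 }, /* sha1WithRSAEncryption */
};

/* Pick the digest for data signed for a peer (hypothetical helper).
 * peer: OIDs from the peer's supportedCMSTypes, in the peer's order of
 *       preference; NULL or n == 0 when the attribute was not sent.
 * Returns the fallback when the attribute is absent, NULL when it is
 * present but names nothing that local policy allows. */
const char *infer_cms_digest(const char *const *peer, size_t n,
                             const char *fallback)
{
    size_t i, k;

    if (peer == NULL || n == 0)
        return fallback;
    for (i = 0; i < n; i++) {
        for (k = 0; k < sizeof(known) / sizeof(known[0]); k++) {
            /* Unknown OIDs (e.g. encryption algorithms) match nothing. */
            if (strcmp(peer[i], known[k].oid) == 0 && known[k].allowed)
                return known[k].digest;
        }
    }
    return NULL;
}

int main(void)
{
    /* Constructed peer list: prefers SHA-1 but also offers SHA-256. */
    const char *peer[] = { "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11" };
    const char *d = infer_cms_digest(peer, 2, "sha256");

    printf("digest: %s\n", d ? d : "(none acceptable)");
    return 0;
}
```

A NULL result is the case to surface as an explicit error to the peer rather than signing with a digest it did not advertise.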
Created attachment 1874060
sssd logs and conf file

Description of problem:
When trying to authenticate with an IPA user using a smart card, the authentication fails. For testing I'm using a RHEL9 client that authenticates against a RHEL8 IPA server. And I'm using virtual smart cards (virt_cacard) and opensc as the PKCS#11 module to do the testing.
The failures only occur when I'm using DEFAULT crypto-policies (I'm assuming it is the same in FUTURE), but authentication works in LEGACY mode, so it looks like the issue is somehow related to the openssl changes in RHEL9.
I will attach a couple of logs from /var/log/sssd/ that I think might be helpful, please tell me if you need anything else.

Version-Release number of selected component (if applicable):
krb5-libs-1.19.1-15.el9_0.x86_64
krb5-pkinit-1.19.1-15.el9_0.x86_64
krb5-workstation-1.19.1-15.el9_0.x86_64