Bug 2155607

Summary: PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode
Product: Red Hat Enterprise Linux 9
Reporter: Jeremy Absher <jabsher>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: Michal Polovka <mpolovka>
Severity: unspecified
Docs Contact: David Voženílek <dvozenil>
Priority: unspecified
Version: 9.1
CC: asosedki, cllang, csnapp, dvozenil, frenaud, gfialova, jjelen, jrische, mjurasek
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.21.1-1.el9
Doc Type: Bug Fix
Doc Text:
SHA-1 signature verification can now be allowed in FIPS mode

Previously, it was not possible to allow the use of SHA-1 signature verification when Identity Management (IdM) was in FIPS mode. This is because IdM uses the FIPS-140-3 standard, which does not allow SHA-1 signatures. This situation caused problems with Active Directory (AD) interoperability, because AD only complies with the older FIPS-140-2 standard and therefore requires SHA-1 signatures. This update introduces a FIPS exception for PKINIT signature verification. When FIPS mode is enabled in IdM, its restrictions are ignored for PKINIT signature verification; only the default mode restrictions are applied, allowing the use of the `SHA1` crypto module even in FIPS mode. As a result, AD interoperability in FIPS mode works as intended. In an IdM/AD trust, or when using a RHEL 9.2 or later host as an AD client, you must set the crypto policy to FIPS:AD-SUPPORT:SHA1 to support PKINIT in FIPS mode.
Story Points: ---
Clone Of:
: 2209717 2214300
Environment:
Last Closed: 2023-11-07 08:56:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2209717, 2214300

Comment 47 errata-xmlrpc 2023-11-07 08:56:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: krb5 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6699