Bug 2174565

Summary: UBI8 image has outdated python39-cryptography; required usage for FIPS-140
Product: Red Hat Enterprise Linux 8 Reporter: Wes Wilson <wjwilson>
Component: python-cryptographyAssignee: Christian Heimes <cheimes>
Status: NEW --- QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.7Flags: cheimes: needinfo? (wjwilson)
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Wes Wilson 2023-03-01 20:29:27 UTC 
Description of problem:
UBI8 image ships with an older python-cryptography.  Needs updating to cryptography 39.0.0 or greater.

Version-Release number of selected component (if applicable):
3.3.1

How reproducible:
- Simply use the UBI8 image and install package python39-cryptography.

Steps to Reproduce:
1. Create docker image from UBI8  (ex. FROM registry.access.redhat.com/ubi8/ubi-minimal)
2. dnf install python39-cryptography
3. grep -r -H "unsafe_skip_rsa_key_validation" /usr/lib64/python3.9/site-packages/cryptography

Actual results:
No grep results since "unsafe_skip_rsa_key_validation" became available in cryptography 39.0.0

Expected results:
grep results - 
hazmat/primitives/asymmetric/rsa.py:        unsafe_skip_rsa_key_validation: bool = False,
hazmat/primitives/asymmetric/rsa.py:            self, unsafe_skip_rsa_key_validation
...etc...

Additional info:
Comment 1 Christian Heimes 2023-08-12 10:02:29 UTC 
Could you please elaborate why you are considering the absence of "unsafe_skip_rsa_key_validation" a problem for FIPS-140 compliance?

The unsafe_skip_rsa_key_validation option is a dangerous feature that should NEVER be used in production code, unless the caller is absolutely certain the key is coming from a trusted source. The option bypasses important sanity checks of RSA private keys. A malformed or malicious RSA key can and will break RSA algorithm.

I would argue that the use of the option in FIPS mode is in violation of FIPS standards.