Bug 2214300

Summary: PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode [rawhide]
Product: [Fedora] Fedora Reporter: Julien Rische <jrische>
Component: krb5Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: abokovoy, antorres, asosedki, cllang, csnapp, ftrivino, jabsher, jjelen, jrische, j, mjurasek, mpolovka, sbose, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.21-2.fc38 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2155607 Environment:
Last Closed: 2023-07-11 01:27:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2155607    
Bug Blocks: 2209717    

Description Julien Rische 2023-06-12 14:12:59 UTC 
The SHA1 crypto-module can be used to allow verifying SHA-1-signed CMS data with the DEFAULT crypto-policy. However the SHA1 crypto-module has no effect with the FIPS crypto-policy.

This is an issue especially when we have to verify CMS signatures from Active Directory, which is still using SHA-1 for CMS signatures when using modular exponential-based Diffie-Hellman key exchange.
Comment 1 Julien Rische 2023-06-12 14:46:56 UTC 
Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36
Comment 2 Fedora Update System 2023-06-13 13:41:32 UTC 
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569
Comment 3 Fedora Update System 2023-06-13 13:55:37 UTC 
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 4 Fedora Update System 2023-07-10 08:51:46 UTC 
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29
Comment 5 Fedora Update System 2023-07-11 01:27:33 UTC 
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.