Bug 2214326

Summary: [RFE] Add ECDH support for PKINIT (RFC5349) [fedora]
Product: Fedora
Reporter: Julien Rische <jrische>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: abobrov, abokovoy, adarobin, antorres, fhanzelk, frenaud, ftrivino, gfialova, jrische, j, mpolovka, sbose, ssorce
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.21.3-5.fc42 krb5-1.21.3-4.fc41 krb5-1.21.3-3.fc40
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 2106043
Environment:
Last Closed: 2025-01-30 22:07:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2077450, 2106043
Bug Blocks:

Description Julien Rische 2023-06-12 16:08:10 UTC
+++ This bug was initially created as a clone of Bug #2106043 +++

MS-PKCA v20211006 (section 2.2) [1] defines the following supported algorithms for PKINIT CMS signatures:

  * md5WithRSAEncryption (since Windows Server 2003)
  * sha1WithRSAEncryption (newer than Windows Server 2003)
  * ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)

Out of this list, ECDSA signatures are the only ones that are still allowed to be verified on RHEL 9 (SHA-1 and MD5 signature verification is disallowed by default). We should implement RFC 5349 [2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.


[1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
[2] https://www.rfc-editor.org/rfc/rfc5349.html
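A practical check for the situation the description above raises is to look at which signature algorithm a PKINIT certificate actually carries and whether a RHEL 9 client with the default crypto policy would still verify it. The following is an added example, not code from this bug, from MIT krb5 or from MS-PKCA: it reads the outer signatureAlgorithm OID of an X.509 DER certificate with a minimal DER reader (no third-party library) and maps it against the MS-PKCA list quoted in the description. The `MS_PKCA_SIGNATURE_ALGS` table, the `DISALLOWED_DIGESTS` rule (MD5 and SHA-1 treated as rejected, modelling the RHEL 9 DEFAULT policy behaviour the reporter describes rather than querying the live policy) and the skeletal sample certificate produced by `build_sample_cert` are all constructed here for illustration; on a real system feed it the output of `openssl x509 -in cert.pem -outform DER -out cert.der`.

```python
# Signature algorithms MS-PKCA section 2.2 lists for PKINIT CMS signatures, as
# quoted in the bug description, keyed by OID -> (name, digest).
MS_PKCA_SIGNATURE_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}

# Assumption: models the RHEL 9 DEFAULT crypto policy behaviour described in the
# bug (MD5 and SHA-1 signatures rejected); it does not consult the live policy.
DISALLOWED_DIGESTS = {"MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(body):
    """Decode OID contents to dotted form (first byte packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """OID of the outer signatureAlgorithm of an X.509 DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)  # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def assess_pkinit_cert(cert_der):
    """Is the signature algorithm on the MS-PKCA list, and would a RHEL 9
    default-policy client still verify it?"""
    oid = signature_algorithm_oid(cert_der)
    entry = MS_PKCA_SIGNATURE_ALGS.get(oid)
    if entry is None:
        return {"oid": oid, "name": None, "digest": None,
                "in_ms_pkca_list": False, "verifiable_on_rhel9_default": None}
    name, digest = entry
    return {"oid": oid, "name": name, "digest": digest, "in_ms_pkca_list": True,
            "verifiable_on_rhel9_default": digest not in DISALLOWED_DIGESTS}


# Constructed test input: a skeletal DER "certificate" with a real
# AlgorithmIdentifier but placeholder tbsCertificate and signatureValue.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid):
    """Constructed sample, not a real certificate: only signatureAlgorithm is meaningful."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))  # placeholder tbsCertificate
    # RFC 4055: PKCS#1 v1.5 RSA signatures carry NULL params; RFC 5758: ECDSA carries none.
    params = _tlv(0x05, b"") if sig_oid.startswith("1.2.840.113549.1.1.") else b""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    sig = _tlv(0x03, b"\x00" + b"\xab" * 8)  # placeholder signatureValue
    return _tlv(0x30, tbs + alg + sig)
```

Note that ecdsa-with-SHA1 comes out as not verifiable even though it is an ECDSA algorithm: the digest, not the key type, is what the default policy rejects, so "ECDSA is still allowed" in the description holds only for the SHA-2 variants.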

Comment 1 Fedora Update System 2023-06-13 13:41:35 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 2 Alexander Bokovoy 2023-06-13 13:56:53 UTC
This was added to the krb5 1.21 update by mistake; this work is not completed yet.

Comment 3 Fedora Update System 2025-01-29 18:50:29 UTC
FEDORA-2025-51a9c78142 (krb5-1.21.3-5.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-51a9c78142

Comment 4 Fedora Update System 2025-01-30 22:07:52 UTC
FEDORA-2025-51a9c78142 (krb5-1.21.3-5.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 5 Fedora Update System 2025-02-12 11:04:26 UTC
FEDORA-2025-3e5228ee23 (krb5-1.21.3-4.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e5228ee23

Comment 6 Fedora Update System 2025-02-12 11:05:57 UTC
FEDORA-2025-61b9344baf (krb5-1.21.3-3.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-61b9344baf

Comment 7 Fedora Update System 2025-02-13 01:54:31 UTC
FEDORA-2025-3e5228ee23 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3e5228ee23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e5228ee23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2025-02-13 02:52:52 UTC
FEDORA-2025-61b9344baf has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-61b9344baf`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-61b9344baf

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2025-02-14 01:35:47 UTC
FEDORA-2025-3e5228ee23 (krb5-1.21.3-4.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2025-02-15 02:22:53 UTC
FEDORA-2025-61b9344baf (krb5-1.21.3-3.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.