Bug 2214326

Summary: [RFE] PKINIT: support elliptic curve cryptography [rawhide]
Product: Fedora
Component: krb5
Version: rawhide
Status: ASSIGNED
Reporter: Julien Rische <jrische>
Assignee: Julien Rische <jrische>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abobrov, abokovoy, antorres, fhanzelk, frenaud, ftrivino, gfialova, jrische, j, mpolovka, sbose, ssorce
Severity: unspecified
Priority: unspecified
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Keywords: FutureFeature
Doc Type: Enhancement
Type: Bug
Story Points: ---
Regression: ---
Clone Of: 2106043
Bug Depends On: 2077450, 2106043

Description Julien Rische 2023-06-12 16:08:10 UTC
+++ This bug was initially created as a clone of Bug #2106043 +++

MS-PKCA v20211006 (section 2.2)[1] defines the following supported algorithms for PKINIT CMS signature:

  * md5WithRSAEncryption (since Windows Server 2003)
  * sha1WithRSAEncryption (newer than Windows Server 2003)
  * ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)

Out of this list, ECDSA signatures are the only ones that are still allowed to be verified on RHEL 9 (SHA-1 and MD5 signature verification is disallowed by default). We should implement RFC 5349[2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.


[1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
[2] https://www.rfc-editor.org/rfc/rfc5349.html
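
The algorithm list above, as an added example that is not part of the bug report or of MIT krb5: a small DER OID decoder that classifies the signatureAlgorithm identifier of a CMS SignerInfo against the MS-PKCA section 2.2 list (RFC 5349 ECDSA identifiers included), treating MD5 and SHA-1 digests as disallowed the way the description says the RHEL 9 default policy does. The function names `decode_oid` and `classify_signature_alg` are hypothetical helpers, the OID values are the standard PKCS#1 and X9.62 identifiers, and the sample bytes are constructed.

```python
# Added example, not code from the bug or from MIT krb5.
# OID -> (name, digest, key family): standard PKCS#1 / X9.62 identifiers.
PKINIT_CMS_SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5", "rsa"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1", "rsa"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1", "ecdsa"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256", "ecdsa"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384", "ecdsa"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "sha512", "ecdsa"),
}
# Digests whose signatures the default RHEL 9 policy refuses to verify.
DISALLOWED_DIGESTS = {"md5", "sha1"}


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length) to dotted form."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad OID length")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]   # first octet packs the first two arcs
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit marks continuation
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def classify_signature_alg(der_oid: bytes) -> dict:
    """Name the SignerInfo signatureAlgorithm and say whether the policy verifies it."""
    dotted = decode_oid(der_oid)
    if dotted not in PKINIT_CMS_SIG_ALGS:
        return {"oid": dotted, "name": None, "known": False, "allowed": False}
    name, digest, family = PKINIT_CMS_SIG_ALGS[dotted]
    return {"oid": dotted, "name": name, "digest": digest, "family": family,
            "known": True, "allowed": digest not in DISALLOWED_DIGESTS}


# Constructed sample AlgorithmIdentifier OIDs (no parameters) as found in a SignerInfo.
SAMPLE_ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")   # ecdsa-with-SHA256
SAMPLE_SHA1_RSA = bytes.fromhex("06092a864886f70d010105")     # sha1WithRSAEncryption
```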

Comment 1 Fedora Update System 2023-06-13 13:41:35 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 2 Alexander Bokovoy 2023-06-13 13:56:53 UTC
This was added to the krb5 1.21 update by mistake; this work is not completed yet.