1269336 – Replace Bouncycastle with NSS

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1269336 - Replace Bouncycastle with NSS

Summary: Replace Bouncycastle with NSS

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Security
Sub Component:
Version:	Unspecified
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-07 04:07 UTC by Jesse P. Johnson
Modified:	2019-09-26 13:55 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-04-19 12:51:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Jesse P. Johnson 2015-10-07 04:07:02 UTC

Description of problem:

Bouncycastle is an SSL encryption library that deviates from ongoing downstream / upstream efforts to standardize PKI. The intended effort is to ensure that RHEL and other Red Hat products are standards compliant. The preferred crypto library for Red Hat products is Mozilla NSS to provide FIPS compliance. Currently, Satellite 5.7 can be configured to run FIPS compliant.

Version-Release number of selected component (if applicable):
ALL

How reproducible:
Always

Steps to Reproduce:
1. katello-installer
2. rpm -qa | grep bouncycastle


Actual results:
/etc/rhsm/ca

Expected results:
/etc/pki/rhsm/ca

Additional info:
https://www.redhat.com/en/about/blog/red-hat-launches-red-hat-satellite-57
https://www.redhat.com/en/about/press-releases/red-hat-completes-fips-1402-certifications
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
https://fedorahosted.org/penrose/ - Penrose was a product acquired by Red Hat to provide federated identity which used bouncycastle and discontinued due to DISA disapproval.

Comment 4 Tomer Brisker 2016-11-06 15:01:00 UTC

It seems that this has been resolved already by 6.2, moving to ON_QA for verification.

Comment 5 Tomer Brisker 2017-04-19 12:51:50 UTC

I am going to close this as CURRENTRELEASE. Satellite 6.2.9 does not ship with bouncy castle. If you feel this is in error, please reopen and provide further information.

Note You need to log in before you can comment on or make changes to this bug.