Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1510156 - RSA PKCS#1 v1.5 signatures made using rsa-pss keys are accepted as valid
RSA PKCS#1 v1.5 signatures made using rsa-pss keys are accepted as valid
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss (Show other bugs)
7.5
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Daiki Ueno
BaseOS QE Security Team
Mirek Jahoda
:
Depends On:
Blocks: rhel7-rsa-pss-in-nss 1601056
  Show dependency treegraph
 
Reported: 2017-11-06 14:46 EST by Hubert Kario
Modified: 2018-10-18 08:12 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
*NSS* accept malformed RSA PKCS#1 v1.5 signatures made with an RSA-PSS key The *Network Security Services* (NSS) libraries do not check the type of an RSA public key used by a server when validating signatures made using a corresponding private key. Consequently, *NSS* accept malformed RSA PKCS#1 v1.5 signatures if they are made with an RSA-PSS key.
Story Points: ---
Clone Of:
: 1601056 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 1414931 None None None 2018-07-13 14:14 EDT

  None (edit)
Description Hubert Kario 2017-11-06 14:46:39 EST 
Description of problem:
NSS will accept RSA PKCS#1 v1.5 signatures made using RSA-PSS keys as correct

Version-Release number of selected component (if applicable):
3.34

How reproducible:
always

Steps to Reproduce:
1. start a server that will sign all SKEs with rsa-sha256, even if it has rsa-pss key
2. connect with tstclnt
3.

Actual results:
connection established

Expected results:
connection broken after processing SKE by client

Additional info:
Comment 2 Mirek Jahoda 2018-01-25 09:47:10 EST 
   Hi Hubert,

Since this BZ should be described in the RHEL 7.5 Release Notes, could you please fill the Doc Text using the template? I'm not sure if I would be able to use 100% accurate wording using just the first comment.
Comment 5 Daiki Ueno 2018-10-18 08:12:07 EDT 
This should be fixed with the next rebase.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.