Hide Forgot
Description of problem: caTransportCert.cfg contains MD2/MD5withRSA as signingAlgsAllowed. Version-Release number of selected component (if applicable): pki-ca-10.5.16-3.el7.noarch How reproducible: Always Steps to Reproduce: 1. Setup FIPS in RHEL7 2. Install CA with SHA384withRSA. 3. Check the caTransportCert.cfg in profiles directory for signingAlgsAllowed Actual results: [root@pki1 ~]# grep MD5 /var/lib/pki/topology-01-CA/ca/profiles/ca/*.cfg /var/lib/pki/topology-01-CA/ca/profiles/ca/caTransportCert.cfg:policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA Expected results: As per #bz1554055 fix, signingAlgsAllowed should not contain MD2withRSA and MD5withRSA and hence they should be removed from the only caTransportCert profile where its present. Additional info: Logging this as a bug to keep track of the required changes in the profile configuration.
Pusing to RHEL 8.
Checked into master: commit feae24155a86106917d28315a797cce3911b5aff Author: Alexander Scheel <ascheel@redhat.com> Date: Tue Oct 22 09:40:48 2019 -0400 Remove MD4 and MD5 from default configuration We remove MD4- and MD5-based algorithms in favor of more modern SHA-2 suite algorithms. We replace them in: - In the default CS.cfg - In the default caTransportCert.cfg - In the ca agent updateCRL html and template, - In EnrollProfile Signed-off-by: Alexander Scheel <ascheel@redhat.com> That should really read MD2 I guess. Could I get ACKs for 8.3? Thanks!
Bugzilla is verified on FIPS enabled RHEL83 on below builds: [root@pki1 ~]# rpm -qa | grep pki pki-servlet-4.0-api-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch pki-servlet-engine-9.0.30-1.module+el8.3.0+6730+8f9c6254.noarch pki-ca-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch pki-kra-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch python3-pki-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch pki-base-java-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch pki-symkey-10.9.0-0.7.module+el8.3.0+7364+90640274.x86_64 pki-server-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch pki-base-10.9.0-0.7.module+el8.3.0+7364+90640274.noarch pki-tools-10.9.0-0.7.module+el8.3.0+7364+90640274.x86_64 > I could not find MD5 / MD2 in all the profiles. And could not find it in any (including caTransportCert.cfg). Following is the signing Algos shown in caTransportCert.cfg: policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS > Checked agent ui , crl signing certs also did not have MD5 /MD2 anywhere. > grep in /etc shows only pkcs11 text file [alex you can confirm if this is used anywhere]: grep -r MD2 /etc/ /etc/pki/nssdb/pkcs11.txt:NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) /etc/pki/topology-02-CA/alias/pkcs11.txt:NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) /etc/pki/topology-02-KRA/alias/pkcs11.txt:NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) Alex, I will mark this BZ verified once you confirm about the pkcs11.txt file content mentioned above.
Shalini, This is good. The pkcs11.txt is within your NSS DB, which contains MD2 as an available (but not allowed by CryptoPolicies) algorithm. Note that they're the same across global NSS DB (/etc/pki/nssdb) and our PKI NSS DBs (e.g., /etc/pki/topology-02-CA/alias/pkcs11.tx). Thanks!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4847