2077450 – [RFE] Infer PKINIT CMS data digest from supportedCMSTypes

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2077450 - [RFE] Infer PKINIT CMS data digest from supportedCMSTypes

Summary: [RFE] Infer PKINIT CMS data digest from supportedCMSTypes

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Julien Rische
QA Contact:	Michal Polovka
Docs Contact:	Filip Hanzelka
URL:
Whiteboard:
Depends On:
Blocks:	2027125 2106043 2214326
TreeView+	depends on / blocked

Reported:	2022-04-21 12:04 UTC by Ivan Nikolchev
Modified:	2023-09-18 19:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	.The PKINIT authentication of a user fails if a RHEL 9 Kerberos agent communicates with a non-RHEL-9 and non-AD Kerberos agent If a RHEL 9 Kerberos agent, either a client or Kerberos Distribution Center (KDC), interacts with a non-RHEL-9 Kerberos agent that is not an Active Directory (AD) agent, the PKINIT authentication of the user fails. To work around the problem, perform one of the following actions: * Set the RHEL 9 agent's crypto-policy to `DEFAULT:SHA1` to allow the verification of SHA-1 signatures: + ---- # update-crypto-policies --set DEFAULT:SHA1 ---- * Update the non-RHEL-9 and non-AD agent to ensure it does not sign CMS data using the SHA-1 algorithm. For this, update your Kerberos client or KDC packages to the versions that use SHA-256 instead of SHA-1: CentOS 9 Stream: krb5-1.19.1-15 RHEL 8.7: krb5-1.18.2-17 RHEL 7.9: krb5-1.15.1-53 Fedora Rawhide/36: krb5-1.19.2-7 ** Fedora 35/34: krb5-1.19.2-3 As a result, the PKINIT authentication of the user works correctly. Note that for other operating systems, it is the krb5-1.20 release that ensures that the agent signs CMS data with SHA-256 instead of SHA-1. See also xref:BZ-2060798[].
Clone Of:
Environment:
Last Closed:	2023-09-18 19:02:22 UTC
Type:	Story
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
sssd logs and conf file (6.03 KB, application/gzip) 2022-04-21 12:04 UTC, Ivan Nikolchev	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-8183	None	None	None	2022-04-21 12:18:12 UTC
Red Hat Issue Tracker	RHEL-4875	None	Migrated	None	2023-09-18 18:58:32 UTC
Red Hat Issue Tracker	RHELPLAN-119503	None	None	None	2022-04-21 12:18:15 UTC

Description Ivan Nikolchev 2022-04-21 12:04:26 UTC

Created attachment 1874060 [details]
sssd logs and conf file

Description of problem:
When trying to authenticate with an IPA user using smart card, the authentication fails. 

For testing I'm using RHEL9 client that authenticates against a RHEL8 IPA server. And I'm using virtual smart cards(virt_cacard) and opensc as PKCS#11 module to do the testing.

The failures only occur when I'm using DEFAULT crypto-policies(I'm assuming it is the same in FUTURE), but authentication works in LEGACY mode, so it looks like the issue is somehow related to the openssl changes in RHEL9.

I will attach couple of logs from /var/log/sssd/ that I think might be helpful, please tell me if you need anything else.


Version-Release number of selected component (if applicable):
krb5-libs-1.19.1-15.el9_0.x86_64
krb5-pkinit-1.19.1-15.el9_0.x86_64
krb5-workstation-1.19.1-15.el9_0.x86_64

Comment 4 Julien Rische 2022-05-18 14:44:59 UTC

This error is due to the fact the KDC used in this setup is running on RHEL 8.5. Hence, it hasn't been patched to use SHA-2 for CMS signature instead (SHA-1 signature verification being blocked by DEFAULT crypto-policy on RHEL9).

We thought the SHA-1 issue was affecting anonymous PKINIT only but this error, and the further tests I did with certificate files and softhsm2 virtual smartcards are showing this actually affects all use cases of PKINIT.

The fix we provided for bug 2066316 resolves this issue too, but we should make clear in the documentation and release notes that in case a RHEL9 Kerberos agent interacts with another non-patched agent (regardless of which one is client or KDC) one of the following action should be taken:

* Set RHEL9 agent's crypto-policy to DEFAULT:SHA1 (to allow verification of SHA-1 signatures)
* Update the non-RHEL9 agent to be sure it won't sign CMS messages using SHA-1. Here are versions providing this fix:
    * RHEL 9    krb5-1.19.1-15
    * RHEL 8.7  krb5-1.18.2-17
    * RHEL 7.9  krb5-1.15.1-53
    * Fedora 36/Rawhide krb5-1.19.2-7
    * Fedora 35/34      krb5-1.19.2-3

The main reason why this fix has to be applied on all agents it that the current implementation for CMS signature does not pick the best possible digest cipher for the key being, used similarly to what Heimdal is doing[1]. In MIT krb5, the digest algorithm is hard-coded[2] making the switch difficult, especially when the algorithm in question is deprecated and even blocked in some environments (in the present case RHEL9).

What we can do at this point to keep such issues to happen again in the future, is to implement proper algorithm deduction based on source agent information provided. In the case of CMS data, using the "supportedCMSTypes" attribute, which was introduced in RFC8636[3] attribute. This incomplete implementation was already reported to cause integration issues with Heimdal in bug 2068935.

[1] https://github.com/heimdal/heimdal/blob/master/lib/hx509/crypto.c#L2646-L2649
[2] https://github.com/krb5/krb5/blob/krb5-1.19.3-final/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c#L1230
[3] https://datatracker.ietf.org/doc/html/rfc8636.html#page-10

Comment 26 Julien Rische 2023-02-01 09:32:40 UTC

This ticket is actually a RFE: for PKINIT CMS data digest, MIT krb5 always uses SHA-256. Infer the digest algorithm from the "supportedCMSTypes" attribute would simplify integration with other Kerberos clients and servers, and avoid the necessity to explicitly upgrade to a stronger algorithm in the future.

Comment 32 RHEL Program Management 2023-09-18 18:57:18 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 33 RHEL Program Management 2023-09-18 19:02:22 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Note You need to log in before you can comment on or make changes to this bug.