RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2117796 - ca-certificates need to add support for signing certs for .NET [rhel-7.9.z]
Summary: ca-certificates need to add support for signing certs for .NET [rhel-7.9.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ca-certificates
Version: 7.9
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Bob Relyea
QA Contact: Alexander Sosedkin
URL:
Whiteboard:
Depends On: 2117793
Blocks: 2117794
TreeView+ depends on / blocked
 
Reported: 2022-08-11 22:58 UTC by Bob Relyea
Modified: 2022-09-20 09:00 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Object Signing certs have been added to ca-certificates. Reason: Application like .NET need to verify that downloaded code fragments came from some trusted source. The certificates that verify these code fragments are often different than certificates that verify TLS, and have different verification requirements. As such we need to mark those certs which have gone through some verification as valid for code signing. Result: New certs for code signing has been added. These certificates should only show up in /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem, /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt and /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit. The latter two, the certs are marked with object signing only. Existing certs may have object signing permission addes. The new object signing certs may be expired.
Clone Of: 2117793
Environment:
Last Closed: 2022-09-20 08:59:57 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-8079 0 None None None 2022-08-11 23:11:47 UTC
Red Hat Issue Tracker RHELPLAN-131024 0 None None None 2022-08-11 23:12:05 UTC
Red Hat Product Errata RHBA-2022:6572 0 None None None 2022-09-20 09:00:05 UTC

Description Bob Relyea 2022-08-11 22:58:23 UTC 
+++ This bug was initially created as a clone of Bug #2117793 +++

Description of problem:

.NET depends on the internet infrastructure to provide certify the signatures on signed .NET objects. Traditionally the ca's which are used to sign objects are also the ca's that support TLS signing. .NET used the object signing oids EKU on the leaf certs to distinguish between actual object signing certs.

Mozilla used to provide certs that had object signing trust, but mozilla moved away from object signing for extensions and dropped support for those attributes. At the time mozilla dropped object signing, we checked with RHEL users, and dropped supplying any object signing certs as part of the distribution (we maintained the infrastructure, so users could create their own object signing certs).

As a result, when .NET came along they used the tls cert store rather than the object signing cert store. This broke when symantec, the major course of .net object signing certs, was dropped as an email/tls cert, which dropped it from mozilla's supplied roots. This happened around March 2021, and issues were immediately noticed in debian when the picked up the new mozilla root certs.

In 2021, we had discussions with Microsoft and the RH .NET team. For ca-certificates to pick up object signing certs, we needed a repeatable source of object signing cert, which only Microsoft could provide (unless we wanted to create our own root ca program, which we don't). Their was some general website that contained object-signing certs from Microsoft and TLS/Email certs from Mozilla. The issue was the site did not provide properly versioned  images, so we couldn't repeat a build from that site, so there is no way that debian and redhat and other distributions could provide predicable and identifiable versions of ca-certificates.

The problem was put on hold for a year because a solution wasn't available by the time we shipped the ca-certificates release.

.NET turned off object signing until the got agreement with Microsoft on using a microsoft provided object signing list which they shipped internally. Longer turn, they would use the extracted certificates in /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem when they were eventually supplied by the ca-certificate package.

In July 2022, Microsoft was still setting up the code-signing cert. One complication was that they needed both code-signing and time-stamping. Currently most certs that can do time-stampling also does code-signing (again leaf certs get the appropriate EKU), so the lists are combined. Microsoft supplied the first cut of the list to us for our release here:

https://gist.github.com/richlander/800fcac88d595cea225649b76a5361f4

How future releases are made are still TBD. Also we need to deal with Time Stamping in the future as well (will target the first cut of that on Fedora).

Code signing in processes as follows: The above list is just a pem list of code signing certs. That list is read and matched with the mozilla list. Any cert that is in both is lists has the code signing added to the mozilla cert. Any cert that has the same subject as the mozilla cert, but is different is dropped for now (p11-kit does not properly handle those certs). All remaining certs are added to the list as with the comment 'Microsoft code signing only'.

Note that the code signing certs includes expired certs. That is because the code signing signature is based on the time the object was signed, not the current time, so expired certs are still valid. This is why timestamping is important (the timestamp for the object needs to be verified as correct by a time stamping authority at signature time to prevent and end user from playing with their clock to back date the signature to make an expired cert still valid).




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 11 errata-xmlrpc 2022-09-20 08:59:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ca-certificates bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6572
Note You need to log in before you can comment on or make changes to this bug.