2174565 – UBI8 image has outdated python39-cryptography; required usage for FIPS-140

Bug 2174565 - UBI8 image has outdated python39-cryptography; required usage for FIPS-140 [NEEDINFO]

Summary: UBI8 image has outdated python39-cryptography; required usage for FIPS-140

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	python-cryptography
Sub Component:
Version:	8.7
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Christian Heimes
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-03-01 20:29 UTC by Wes Wilson
Modified:	2023-08-12 10:02 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	cheimes: needinfo? (wjwilson)

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-9510	0	None	None	None	2023-03-01 20:31:56 UTC
Red Hat Issue Tracker	RHELPLAN-150351	0	None	None	None	2023-03-01 20:31:59 UTC

Description Wes Wilson 2023-03-01 20:29:27 UTC

Description of problem:
UBI8 image ships with an older python-cryptography.  Needs updating to cryptography 39.0.0 or greater.

Version-Release number of selected component (if applicable):
3.3.1

How reproducible:
- Simply use the UBI8 image and install package python39-cryptography.

Steps to Reproduce:
1. Create docker image from UBI8  (ex. FROM registry.access.redhat.com/ubi8/ubi-minimal)
2. dnf install python39-cryptography
3. grep -r -H "unsafe_skip_rsa_key_validation" /usr/lib64/python3.9/site-packages/cryptography

Actual results:
No grep results since "unsafe_skip_rsa_key_validation" became available in cryptography 39.0.0

Expected results:
grep results - 
hazmat/primitives/asymmetric/rsa.py:        unsafe_skip_rsa_key_validation: bool = False,
hazmat/primitives/asymmetric/rsa.py:            self, unsafe_skip_rsa_key_validation
...etc...

Additional info:

Comment 1 Christian Heimes 2023-08-12 10:02:29 UTC

Could you please elaborate why you are considering the absence of "unsafe_skip_rsa_key_validation" a problem for FIPS-140 compliance?

The unsafe_skip_rsa_key_validation option is a dangerous feature that should NEVER be used in production code, unless the caller is absolutely certain the key is coming from a trusted source. The option bypasses important sanity checks of RSA private keys. A malformed or malicious RSA key can and will break RSA algorithm.

I would argue that the use of the option in FIPS mode is in violation of FIPS standards.

Note You need to log in before you can comment on or make changes to this bug.