Bug 2214300 - PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode [rawhide]
Summary: PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode [rawh...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2155607
Blocks: 2209717
TreeView+ depends on / blocked
 
Reported: 2023-06-12 14:12 UTC by Julien Rische
Modified: 2023-07-11 01:27 UTC (History)
14 users (show)

Fixed In Version: krb5-1.21-2.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2155607
Environment:
Last Closed: 2023-07-11 01:27:33 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Package Sources krb5 pull-request 36 0 None None None 2023-06-12 14:46:56 UTC
Red Hat Issue Tracker FREEIPA-9998 0 None None None 2023-06-12 14:48:16 UTC

Description Julien Rische 2023-06-12 14:12:59 UTC
The SHA1 crypto-module can be used to allow verifying SHA-1-signed CMS data with the DEFAULT crypto-policy. However the SHA1 crypto-module has no effect with the FIPS crypto-policy.

This is an issue especially when we have to verify CMS signatures from Active Directory, which is still using SHA-1 for CMS signatures when using modular exponential-based Diffie-Hellman key exchange.

Comment 1 Julien Rische 2023-06-12 14:46:56 UTC
Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36

Comment 2 Fedora Update System 2023-06-13 13:41:32 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 3 Fedora Update System 2023-06-13 13:55:37 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-07-10 08:51:46 UTC
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29

Comment 5 Fedora Update System 2023-07-11 01:27:33 UTC
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.