2214300 – PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode [rawhide]

Bug 2214300 - PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode [rawhide]

Summary: PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode [rawh...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	krb5
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Julien Rische
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:	2155607
Blocks:	2209717
TreeView+	depends on / blocked

Reported:	2023-06-12 14:12 UTC by Julien Rische
Modified:	2023-07-11 01:27 UTC (History)
CC List:	14 users (show)
Fixed In Version:	krb5-1.21-2.fc38
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	2155607
Environment:
Last Closed:	2023-07-11 01:27:33 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Fedora Package Sources	krb5 pull-request 36	0	None	None	None	2023-06-12 14:46:56 UTC
Red Hat Issue Tracker	FREEIPA-9998	0	None	None	None	2023-06-12 14:48:16 UTC

Description Julien Rische 2023-06-12 14:12:59 UTC

The SHA1 crypto-module can be used to allow verifying SHA-1-signed CMS data with the DEFAULT crypto-policy. However the SHA1 crypto-module has no effect with the FIPS crypto-policy.

This is an issue especially when we have to verify CMS signatures from Active Directory, which is still using SHA-1 for CMS signatures when using modular exponential-based Diffie-Hellman key exchange.

Comment 1 Julien Rische 2023-06-12 14:46:56 UTC

Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36

Comment 2 Fedora Update System 2023-06-13 13:41:32 UTC

FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 3 Fedora Update System 2023-06-13 13:55:37 UTC

FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-07-10 08:51:46 UTC

FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29

Comment 5 Fedora Update System 2023-07-11 01:27:33 UTC

FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.