Bug 2214326 - [RFE] Add ECDH support for PKINIT (RFC5349) [fedora]
Summary: [RFE] Add ECDH support for PKINIT (RFC5349) [fedora]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2077450 2106043
Blocks:
Reported: 2023-06-12 16:08 UTC by Julien Rische
Modified: 2025-02-15 02:22 UTC

Fixed In Version: krb5-1.21.3-5.fc42 krb5-1.21.3-4.fc41 krb5-1.21.3-3.fc40
Clone Of: 2106043
Environment:
Last Closed: 2025-01-30 22:07:52 UTC
Type: Bug
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker FREEIPA-10168 | 0 | None | None | None | 2023-07-19 14:57:45 UTC

Description Julien Rische 2023-06-12 16:08:10 UTC
+++ This bug was initially created as a clone of Bug #2106043 +++

MS-PKCA v20211006 (section 2.2)[1] defines the following supported algorithms for PKINIT CMS signature:

  * md5WithRSAEncryption (since Windows Server 2003)
  * sha1WithRSAEncryption (newer than Windows Server 2003)
  * ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)

Out of this list, ECDSA signatures are the only ones that are still allowed to verify on RHEL9 (SHA-1 and MD5 signature verification is disallowed by default). We should implement RFC5349[2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.


[1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
[2] https://www.rfc-editor.org/rfc/rfc5349.html

Comment 1 Fedora Update System 2023-06-13 13:41:35 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 2 Alexander Bokovoy 2023-06-13 13:56:53 UTC
This was added to the krb5 1.21 update by mistake; this work is not completed yet.

Comment 3 Fedora Update System 2025-01-29 18:50:29 UTC
FEDORA-2025-51a9c78142 (krb5-1.21.3-5.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-51a9c78142

Comment 4 Fedora Update System 2025-01-30 22:07:52 UTC
FEDORA-2025-51a9c78142 (krb5-1.21.3-5.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 5 Fedora Update System 2025-02-12 11:04:26 UTC
FEDORA-2025-3e5228ee23 (krb5-1.21.3-4.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e5228ee23

Comment 6 Fedora Update System 2025-02-12 11:05:57 UTC
FEDORA-2025-61b9344baf (krb5-1.21.3-3.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-61b9344baf

Comment 7 Fedora Update System 2025-02-13 01:54:31 UTC
FEDORA-2025-3e5228ee23 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3e5228ee23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3e5228ee23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2025-02-13 02:52:52 UTC
FEDORA-2025-61b9344baf has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-61b9344baf`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-61b9344baf

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2025-02-14 01:35:47 UTC
FEDORA-2025-3e5228ee23 (krb5-1.21.3-4.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 10 Fedora Update System 2025-02-15 02:22:53 UTC
FEDORA-2025-61b9344baf (krb5-1.21.3-3.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make a note of it in this bug report.
