Bug 2214326 - [RFE] PKINIT: support elliptic curve cryptography [rawhide]
Summary: [RFE] PKINIT: support elliptic curve cryptography [rawhide]
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2077450 2106043
Blocks:
Reported: 2023-06-12 16:08 UTC by Julien Rische
Modified: 2023-07-19 14:57 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 2106043
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
System ID               | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker FREEIPA-10168 | 0 | None | None | None | 2023-07-19 14:57:45 UTC

Description Julien Rische 2023-06-12 16:08:10 UTC
+++ This bug was initially created as a clone of Bug #2106043 +++

MS-PKCA v20211006 (section 2.2)[1] defines the following supported algorithms for PKINIT CMS signature:

  * md5WithRSAEncryption (since Windows Server 2003)
  * sha1WithRSAEncryption (newer than Windows Server 2003)
  * ecdsa-with-sha1/256/384/512 (newer than Windows Server 2008)

Out of this list, ECDSA signatures are the only ones that are still allowed to be verified on RHEL 9 (SHA-1 and MD5 signature verification is disallowed by default). We should implement RFC 5349[2] in MIT krb5 in order to support PKINIT pre-authentication against Active Directory.


[1] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PKCA/%5bMS-PKCA%5d.pdf
[2] https://www.rfc-editor.org/rfc/rfc5349.html

Comment 1 Fedora Update System 2023-06-13 13:41:35 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 2 Alexander Bokovoy 2023-06-13 13:56:53 UTC
This was added to the krb5 1.21 update by mistake; this work is not completed yet.

