Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1711318
There are two problems with the implementation of the p11_child::sign_data() function with regard to FIPS 140 compliance:

(1) Usage of SHA-1. SHA-1 is used in a signature for integrity protection, which means it is a sensitive use. Thus it falls under FIPS requirements. Also, the way it is used can't be considered "used in HMAC". Thus the code must be reworked to avoid usage of SHA-1 whenever possible, i.e. the implementation should look up the list of alternatives supported by the Smart Card and choose a more modern/FIPS-approved option if available. For Smart Cards that do not support approved alternatives, this change will make their usage in FIPS mode impossible. This is expected behaviour. Presumably "manual" hashing in the case of an ECC key may be dropped altogether, but (2) must be taken into account.

(2) The way signature verification is implemented breaks the "No Algorithm decomposition" rule from the "FIPS140 Compliance Checklist": "When applying signatures do not Hash the content on your own and then call the raw signature API, instead call the API that compute hash and signature in one shot by reading the whole message"
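As an added illustration of the rework the report calls for (example code written here, not SSSD's p11_child code): pick a combined hash-and-sign PKCS#11 mechanism from the token's C_GetMechanismList() output, preferring SHA-2 variants and refusing SHA-1 in FIPS mode, so the caller never hashes on its own and then calls the raw CKM_RSA_PKCS or CKM_ECDSA mechanism. The function and sentinel names (choose_sign_mechanism, MECH_NONE) and the two sample mechanism lists are assumptions made for this example; the CKM_/CKK_ constants are the values from the PKCS#11 v2.40 specification, inlined so the block builds without cryptoki headers.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned long ck_mechanism_type_t;
typedef unsigned long ck_key_type_t;

/* Key types and mechanism identifiers as defined in PKCS#11 v2.40 */
#define CKK_RSA              0x0000UL
#define CKK_EC               0x0003UL
#define CKM_RSA_PKCS         0x0001UL  /* raw PKCS#1 v1.5: caller supplies the digest */
#define CKM_SHA1_RSA_PKCS    0x0006UL
#define CKM_SHA256_RSA_PKCS  0x0040UL
#define CKM_SHA384_RSA_PKCS  0x0041UL
#define CKM_SHA512_RSA_PKCS  0x0042UL
#define CKM_ECDSA            0x1041UL  /* raw ECDSA: caller supplies the digest */
#define CKM_ECDSA_SHA1       0x1042UL
#define CKM_ECDSA_SHA256     0x1044UL
#define CKM_ECDSA_SHA384     0x1045UL
#define CKM_ECDSA_SHA512     0x1046UL

#define MECH_NONE ((ck_mechanism_type_t)-1)  /* hypothetical sentinel: nothing usable */

/* Preference lists, strongest first. Only combined hash-and-sign mechanisms
 * appear here, so the caller never hashes on its own ("no algorithm
 * decomposition"). The SHA-1 entries come last and are skipped in FIPS mode. */
static const ck_mechanism_type_t rsa_prefs[] = {
    CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_SHA1_RSA_PKCS
};
static const ck_mechanism_type_t ec_prefs[] = {
    CKM_ECDSA_SHA256, CKM_ECDSA_SHA384, CKM_ECDSA_SHA512, CKM_ECDSA_SHA1
};

static int uses_sha1(ck_mechanism_type_t m)
{
    return m == CKM_SHA1_RSA_PKCS || m == CKM_ECDSA_SHA1;
}

static int token_supports(const ck_mechanism_type_t *mechs, size_t n,
                          ck_mechanism_type_t m)
{
    for (size_t i = 0; i < n; i++) {
        if (mechs[i] == m) {
            return 1;
        }
    }
    return 0;
}

/* Choose the mechanism to hand to C_SignInit(). `mechs`/`n` is what the token
 * reported through C_GetMechanismList(). Returns MECH_NONE when the token has
 * no acceptable option; for a SHA-1-only card in FIPS mode that is the intended
 * outcome, and the caller must refuse to sign rather than fall back to
 * CKM_RSA_PKCS / CKM_ECDSA with a self-computed digest. */
ck_mechanism_type_t choose_sign_mechanism(ck_key_type_t key_type,
                                          const ck_mechanism_type_t *mechs,
                                          size_t n, int fips_mode)
{
    const ck_mechanism_type_t *prefs;
    size_t nprefs;

    if (key_type == CKK_RSA) {
        prefs = rsa_prefs;
        nprefs = sizeof(rsa_prefs) / sizeof(rsa_prefs[0]);
    } else if (key_type == CKK_EC) {
        prefs = ec_prefs;
        nprefs = sizeof(ec_prefs) / sizeof(ec_prefs[0]);
    } else {
        return MECH_NONE;
    }

    for (size_t i = 0; i < nprefs; i++) {
        if (fips_mode && uses_sha1(prefs[i])) {
            continue;
        }
        if (token_supports(mechs, n, prefs[i])) {
            return prefs[i];
        }
    }
    return MECH_NONE;
}

/* Constructed mechanism lists standing in for two tokens' C_GetMechanismList()
 * output: a legacy card that only signs with SHA-1, and a modern one. */
const ck_mechanism_type_t sample_legacy_card[] = { CKM_RSA_PKCS, CKM_SHA1_RSA_PKCS };
const size_t sample_legacy_card_len = 2;
const ck_mechanism_type_t sample_modern_card[] = {
    CKM_RSA_PKCS, CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_ECDSA, CKM_ECDSA_SHA256
};
const size_t sample_modern_card_len = 5;

int main(void)
{
    ck_mechanism_type_t m;

    m = choose_sign_mechanism(CKK_RSA, sample_legacy_card, sample_legacy_card_len, 1);
    printf("legacy card, RSA, FIPS:     %s\n", m == MECH_NONE ? "refuse to sign" : "ok");
    m = choose_sign_mechanism(CKK_RSA, sample_legacy_card, sample_legacy_card_len, 0);
    printf("legacy card, RSA, non-FIPS: 0x%lx\n", m);   /* CKM_SHA1_RSA_PKCS */
    m = choose_sign_mechanism(CKK_EC, sample_modern_card, sample_modern_card_len, 1);
    printf("modern card, EC, FIPS:      0x%lx\n", m);   /* CKM_ECDSA_SHA256 */
    return 0;
}
```

In a real client the returned value is placed in a CK_MECHANISM with no parameter and passed to C_SignInit(), after which the whole message goes to C_Sign() (or C_SignUpdate()/C_SignFinal()); the token computes the digest internally, which is exactly what the "one shot" rule quoted above asks for.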
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1711318
This looks like it is addressed by 7f0a8f5 and it looks like a duplicate of #4039 (not sure how that happened).
I was just about to file a similar issue since I got a card that is not willing to sign using the SHA1-RSA-PKCS mechanism and which would break here. Seeing this is already handled and on the way to the next release is great news. Thank you.
Hi @jjelen,
yes, this is a duplicate and it looks like @jhrozek and I cloned the bugzilla ticket at the same time. I'll close this as a duplicate.
bye, Sumit
Metadata Update from @sbose: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5007
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.