RHEL-100716

libvirt support for loading multiple sets of x509 certificates for PQC hybrid mode


    • Story
    • Resolution: Unresolved
    • rhel-10.1
    • libvirt / CLI & API
    • Important
    • rhel-virt-core-libvirt-1

      RHEL 10.1 will ship a default crypto policy enabling post-quantum cryptography.

      In order to enable a smooth transition, we are requested to support a hybrid setup, that is, Libvirt should serve, for example, both clients with an RSA certificate setup and ones with an ML-DSA certificate setup.

      At this point, Libvirt only allows for a single certificate for client or server setup; see https://libvirt.org/kbase/tlscerts.html

      Gnutls-utils has added experimental support for ML-DSA in 3.8.9. GnuTLS apparently already supports a hybrid setup:

      # gnutls-serv --x509certfile rsa/server/servercert.pem --x509keyfile rsa/server/serverkey.pem --x509certfile ml-dsa/server/servercert.pem --x509keyfile ml-dsa/server/serverkey.pem --debug 9
      |<3>| ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:107
      |<3>| ASSERT: ../../../lib/x509/x509.c[get_alt_name]:2012
      |<3>| ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:59
      |<3>| ASSERT: ../../../lib/x509/attributes.c[_x509_parse_attribute]:97
      |<3>| ASSERT: ../../../lib/x509/attributes.c[_x509_parse_attribute]:163
      |<3>| ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:107
      |<3>| ASSERT: ../../../lib/x509/x509.c[get_alt_name]:2012
      |<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-SHA256
      |<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-RSAE-SHA256
      |<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-SHA384
      |<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-RSAE-SHA384
      |<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-SHA512
      |<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-RSAE-SHA512
      |<4>| cannot use privkey of ML-DSA-65 with EdDSA-Ed25519
      |<4>| cannot use privkey of ML-DSA-65 with EdDSA-Ed448
      |<4>| cannot use privkey of ML-DSA-65 with ECDSA-SECP256R1-SHA256
      |<4>| cannot use privkey of ML-DSA-65 with ECDSA-SECP384R1-SHA384
      |<4>| cannot use privkey of ML-DSA-65 with ECDSA-SECP521R1-SHA512
      |<3>| ASSERT: ../../lib/privkey.c[gnutls_privkey_sign_data2]:1221
      |<2>| _gnutls_check_key_cert_match: failed signing
      HTTP Server listening on IPv4 0.0.0.0 port 5556...done
      HTTP Server listening on IPv6 :: port 5556...done

              rhn-engineering-berrange Daniel Berrangé
              smitterl@redhat.com Sebastian Mitterle
              Daniel Berrangé Daniel Berrangé
              Zhen Tang Zhen Tang
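
Added example, not part of the original issue and not libvirt or GnuTLS code: a Python helper that condenses `gnutls-serv --debug 9` output like that quoted above into which private-key algorithm was refused for which signature algorithms, where the ASSERT lines point, and whether the key/certificate match check logged an error. The function names are assumptions of this example, and `SAMPLE` is an excerpt of lines copied from the output above.

```python
import re
from collections import defaultdict

# Excerpt of the gnutls-serv --debug 9 output quoted in the issue above.
SAMPLE = """\
|<3>| ASSERT: ../../../lib/x509/x509.c[get_alt_name]:2012
|<4>| cannot use privkey of ML-DSA-65 with RSA-PSS-SHA256
|<4>| cannot use privkey of ML-DSA-65 with EdDSA-Ed25519
|<4>| cannot use privkey of ML-DSA-65 with ECDSA-SECP256R1-SHA256
|<3>| ASSERT: ../../lib/privkey.c[gnutls_privkey_sign_data2]:1221
|<2>| _gnutls_check_key_cert_match: failed signing
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
"""

DEBUG_LINE = re.compile(r"^\|<\d+>\|\s+(.*)$")
REJECTED = re.compile(r"^cannot use privkey of (\S+) with (\S+)$")
ASSERT_AT = re.compile(r"^ASSERT: (?:\.\./)*(\S+)\[(\w+)\]:(\d+)$")
MATCH_CHECK = "_gnutls_check_key_cert_match:"

def summarize(log):
    """Condense a gnutls-serv debug log into the facts about key loading."""
    rejected = defaultdict(list)  # key algorithm -> signature algorithms refused
    asserts = []                  # (source file, function, line) per ASSERT
    match_errors = []             # text logged by the key/cert match check
    listening = 0                 # number of "Server listening on" status lines
    for raw in log.splitlines():
        line = raw.strip()
        m = DEBUG_LINE.match(line)
        if m is None:             # not a |<N>| debug line: plain status output
            listening += "Server listening on" in line
            continue
        msg = m.group(1)
        if (r := REJECTED.match(msg)):
            rejected[r.group(1)].append(r.group(2))
        elif (a := ASSERT_AT.match(msg)):
            asserts.append((a.group(1), a.group(2), int(a.group(3))))
        elif msg.startswith(MATCH_CHECK):
            match_errors.append(msg[len(MATCH_CHECK):].strip())
    return {"rejected": dict(rejected), "asserts": asserts,
            "match_errors": match_errors, "listening": listening}

def needs_review(summary):
    """True when the server came up although a key/cert match error was logged,
    so the 'listening' line alone does not show that every pair was accepted."""
    return bool(summary["match_errors"]) and summary["listening"] > 0

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["rejected"], report["match_errors"], needs_review(report))
```

Feeding it the full captured output of a run with several `--x509certfile`/`--x509keyfile` pairs gives one entry per key algorithm that logged a refusal.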