Bug
Resolution: Unresolved
Normal
rhel-10.1
Low
rhel-security-crypto-clubs
What were you trying to do that didn't work?
fips-provider-next allows signing with rsa-x931 while openssl-fips-provider did not allow that:
openssl dgst -sign rsa.key -sigopt rsa_padding_mode:x931 -out file.rsa-x931.sig.new file.txt
Please provide the package NVR for which the bug is seen:
fips-provider-next-1.2.0-1.el10
Steps to reproduce
1. echo some text > file.txt
2. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
3. openssl dgst -sign rsa.key -sigopt rsa_padding_mode:x931 -out file.rsa-x931.sig.new file.txt
4. openssl dgst -prverify rsa.key -sigopt rsa_padding_mode:x931 -signature file.rsa-x931.sig file.txt
Actual results
3. Signed successfully
4. Verified OK
Expected results
3. Signature parameter error "rsa_padding_mode:x931"
8042FB23BB7F0000:error:1C8000A5:Provider routines:rsa_set_ctx_params:illegal or unsupported padding mode:providers/implementations/signature/rsa_sig.c:1318:X.931 padding no longer allowed in FIPS mode, since it was removed from FIPS 186-5
Additional information
/CoreOS/openssl/Regression/bz2042448-Creation-of-self-signed-certificates-in-FIPS-mode
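
A regression check for the expected result of step 3, added here as an example; it is not part of the report or of the referenced test. The function names are hypothetical, and it assumes a FIPS-mode host where rsa.key and file.txt exist as in the steps above.

```shell
#!/bin/sh
# Added example (not from the report): automate the expected result of step 3.

# classify_x931_sign STATUS STDERR_TEXT
# Prints "allowed" when signing succeeded (the behaviour reported as a bug),
# "rejected" when it failed with the padding-mode error the report expects,
# and "other" for any different failure (missing key, provider not loaded),
# so that a broken test setup is not mistaken for a pass.
classify_x931_sign() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        echo allowed
        return 0
    fi
    case $err in
        *"illegal or unsupported padding mode"*) echo rejected ;;
        *) echo other ;;
    esac
}

# run_x931_check KEY FILE
# Runs the signing command from step 3 and classifies the outcome.
# Usage on the test host: run_x931_check rsa.key file.txt
run_x931_check() {
    key=$1
    file=$2
    sig=$(mktemp) || return 2
    status=0
    err=$(openssl dgst -sign "$key" -sigopt rsa_padding_mode:x931 \
            -out "$sig" "$file" 2>&1) || status=$?
    rm -f "$sig"
    classify_x931_sign "$status" "$err"
}

# Sample input: the error line quoted under "Expected results" in the report.
SAMPLE_ERR='8042FB23BB7F0000:error:1C8000A5:Provider routines:rsa_set_ctx_params:illegal or unsupported padding mode:providers/implementations/signature/rsa_sig.c:1318:X.931 padding no longer allowed in FIPS mode, since it was removed from FIPS 186-5'
```

A result of "other" means the run proved nothing about X.931 handling and the setup should be checked before the test is counted as passing.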