RHEL-107471

GNUTLS complains that ML-DSA signatures can be forged


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • CentOS Stream 10
    • crypto-policies
    • Low
    • rhel-security-crypto
    • Crypto25August

      The following was tested against gnutls-3.8.10-1.el10.x86_64 (the CentOS Stream 10 build).

      # certtool --generate-privkey --key-type=mldsa65 > cakey.pem
      Generating an ML-DSA-65 private key...
      # cat > ca.info
      cn = Name of your organization
      ca
      cert_signing_key
      # certtool --generate-self-signed --load-privkey cakey.pem \
        --template ca.info --outfile cacert.pem
      Generating a self signed certificate...
      X.509 Certificate Information:
          Version: 3
          Serial Number (hex): 5959832524ad6a36692163bbd568f293e02a8183
          Validity:
              Not Before: Tue Aug 05 08:19:52 UTC 2025
              Not After: Wed Aug 05 08:19:52 UTC 2026
          Subject: CN=Name of your organization
          Subject Public Key Algorithm: ML-DSA-65
          Algorithm Security Level: Future (15616 bits)
          Extensions:
              Basic Constraints (critical):
                  Certificate Authority (CA): TRUE
              Key Usage (critical):
                  Certificate signing.
              Subject Key Identifier (not critical):
                  b5c6522df90bee6cd7c4c583dbe1a5f8961d90a2
      Other Information:
          Public Key ID:
              sha1:b5c6522df90bee6cd7c4c583dbe1a5f8961d90a2
              sha256:714c9a6c9192fc97cf711a66e9256f72be00e905f4c2766b0120e060e968a577
          Public Key PIN:
              pin-sha256:cUyabJGS/JfPcRpm6SVvcr4A6QX0wnZrASDgYOlopXc=

      Signing certificate...

      Now query info about the cert and observe the warning against the ML-DSA signature:

      # certtool -i --infile cacert.pem
      X.509 Certificate Information:
          Version: 3
          Serial Number (hex): 5959832524ad6a36692163bbd568f293e02a8183
          Issuer: CN=Name of your organization
          Validity:
              Not Before: Tue Aug 05 08:19:52 UTC 2025
              Not After: Wed Aug 05 08:19:52 UTC 2026
          Subject: CN=Name of your organization
          Subject Public Key Algorithm: ML-DSA-65
          Algorithm Security Level: Future (15616 bits)
          Extensions:
              Basic Constraints (critical):
                  Certificate Authority (CA): TRUE
              Key Usage (critical):
                  Certificate signing.
              Subject Key Identifier (not critical):
                  b5c6522df90bee6cd7c4c583dbe1a5f8961d90a2
          Signature Algorithm: ML-DSA-65
      warning: signed using a broken signature algorithm that can be forged.
          Signature:
              5c:39:36:24:47:92:e1:87:ce:01:5e:71:50:0b:c8:ef
      ...snip....

      That warning should not be issued and will alarm users into thinking they made a mistake in using PQC.
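      As an added regression check for this report (it is not the reporter's script and not GnuTLS or crypto-policies test code), the shell script below reruns the same certtool steps in a scratch directory and inspects the `certtool -i` output for the "can be forged" warning. The two helper functions take the certtool output on stdin, so they can also be exercised against the excerpt pasted above without certtool installed. It assumes certtool from gnutls-utils on PATH accepting `--key-type=mldsa65` and the template keywords used above; the function names and the SAMPLE_* excerpts (one copied from the report, one constructed to show the expected clean output) are mine.

```shell
#!/bin/sh
# Added example for RHEL-107471; not the reporter's script or GnuTLS code.
# Reruns the report's certtool steps and fails if the "can be forged"
# warning is still printed for an ML-DSA-65 self-signed CA.
# Assumes certtool (gnutls-utils) on PATH accepting --key-type=mldsa65.

WARNING='signed using a broken signature algorithm that can be forged'

# Excerpt of the certtool -i output from the report (warning present).
SAMPLE_WARNED='    Subject Public Key Algorithm: ML-DSA-65
    Signature Algorithm: ML-DSA-65
warning: signed using a broken signature algorithm that can be forged.
    Signature:
        5c:39:36:24:47:92:e1:87:ce:01:5e:71:50:0b:c8:ef'

# Constructed: the same output as it should look once the warning is gone.
SAMPLE_CLEAN='    Subject Public Key Algorithm: ML-DSA-65
    Signature Algorithm: ML-DSA-65
    Signature:
        5c:39:36:24:47:92:e1:87:ce:01:5e:71:50:0b:c8:ef'

# Return 0 if the certtool -i text on stdin carries the forgeable warning.
flags_forgeable() {
    grep -q "$WARNING"
}

# Return 0 if the text on stdin shows an ML-DSA-65 signature and no
# warning, i.e. the behaviour the report asks for.
accepts_mldsa65() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Signature Algorithm: ML-DSA-65' || return 1
    ! printf '%s\n' "$out" | flags_forgeable
}

# Reproduce the report in a scratch directory. Returns 0 when the warning
# is gone, 1 when it is still printed, 2 when a step could not run.
check_mldsa_ca() {
    command -v certtool >/dev/null 2>&1 || { echo 'certtool not found' >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    certtool --generate-privkey --key-type=mldsa65 > "$tmp/cakey.pem" 2>/dev/null \
        || { rm -rf "$tmp"; return 2; }
    printf 'cn = Name of your organization\nca\ncert_signing_key\n' > "$tmp/ca.info"
    certtool --generate-self-signed --load-privkey "$tmp/cakey.pem" \
        --template "$tmp/ca.info" --outfile "$tmp/cacert.pem" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; return 2; }
    # certtool may print the warning on stderr; merge it so it is checked too.
    certtool -i --infile "$tmp/cacert.pem" 2>&1 | accepts_mldsa65
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run the live check only when asked, so sourcing this file has no side effects.
if [ "${1-}" = "--run" ]; then
    check_mldsa_ca
    exit $?
fi
```

      Invoke it as `sh check-mldsa.sh --run` on the build under test; a non-zero exit reproduces the bug, and exit 2 means a certtool step itself failed (for example an older build without ML-DSA support), which is deliberately distinct from the warning being present.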

              People: Alexander Sosedkin (asosedki@redhat.com), Daniel Berrangé, Ondrej Moris
              Votes: 0
              Watchers: 7