Bug
Resolution: Unresolved
rhel-9.6, rhel-10.0
rhel-security-special-projects
What were you trying to do that didn't work?
Setting an mTLS certificate/key that is not RSA via the `server_cert` and `server_key` options of the Keylime agent makes it fail when enrolled to be verified by a verifier using keylime_tenant.
This is because the agent uses the same key pair for payload encryption and for mTLS, and the payload encryption requires an RSA key pair.
What is the impact of this issue to you?
It is not possible to configure the agent to use keys and certificates with algorithms other than RSA for mTLS. This matters, for example, when trying to deploy the agent using certificates with PQC algorithms for TLS.
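Since the report traces the failure to the agent reusing the `server_key` for RSA payload encryption, a pre-flight check on the key file avoids discovering the problem only at enrollment time. The following script is an added example, not part of this report or of the Keylime project: it reads the PEM file the `server_key` option points to and reports the key algorithm, using the PEM label for PKCS#1/SEC1 keys and a minimal DER reader for the AlgorithmIdentifier in PKCS#8 keys. The sample keys at the bottom are constructed placeholders with dummy key bodies (only the algorithm OID is meaningful), and the OID-to-name table is an assumption based on the standard registrations, not anything the agent itself exports.

```python
import base64
import re

# Algorithm OIDs as found in a PKCS#8 PrivateKeyInfo (standard registrations; assumption, not from the agent).
KNOWN_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
}


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OID content octets into dotted-decimal form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_algorithm(pem):
    """Return the algorithm name of a PEM-encoded private key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":  # PKCS#1: label alone identifies the algorithm
        return "RSA"
    if label == "EC PRIVATE KEY":   # SEC1
        return "EC"
    if label != "PRIVATE KEY":      # only PKCS#8 remains
        raise ValueError(f"unsupported PEM label: {label}")
    der = base64.b64decode("".join(body.split()))
    tag, pki, _ = _read_tlv(der, 0)          # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("PKCS#8 body is not a SEQUENCE")
    _, _version, pos = _read_tlv(pki, 0)     # INTEGER version
    _, alg_id, _ = _read_tlv(pki, pos)       # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)       # OBJECT IDENTIFIER algorithm
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return KNOWN_OIDS.get(dotted, f"unknown OID {dotted}")


def check_server_key(pem):
    """Return (algorithm, usable) where usable is True only for RSA, the type the agent needs."""
    alg = key_algorithm(pem)
    return alg, alg == "RSA"


# --- constructed sample keys (placeholders with dummy key bodies, not real keys) ---
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample_pkcs8(oid_der, params=b""):
    pki = _der(0x30, _der(0x02, b"\x00") + _der(0x30, oid_der + params) + _der(0x04, b"\x00" * 16))
    b64 = base64.encodebytes(pki).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}-----END PRIVATE KEY-----\n"


SAMPLE_RSA = _sample_pkcs8(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x05\x00")
SAMPLE_EC = _sample_pkcs8(b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01",
                          b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07")  # namedCurve P-256
SAMPLE_MLDSA = _sample_pkcs8(b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x03\x12")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as f:
            alg, ok = check_server_key(f.read())
        print(f"{path}: {alg} ({'usable' if ok else 'not RSA, enrollment will fail'})")
```

Run it with the path configured in `server_key`; anything other than RSA is the configuration the report shows failing at `keylime_tenant` enrollment.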
Please provide the package NVR for which the bug is seen:
keylime-agent-rust-0.2.7-3.el10
How reproducible is this bug?:
Always
Steps to reproduce
- Configure the Keylime agent with key and certificate other than RSA (e.g. with ECC keys) by setting the `server_cert` and `server_key` options with paths to the certificate and key, respectively
- Start the Keylime verifier, registrar, and agent
- After the agent successfully registers itself, enroll the agent to be monitored by the verifier using keylime_tenant
Expected results
The agent is successfully enrolled to be monitored by the verifier, which starts to request measurements periodically.
Actual results
The agent enrollment fails with an error similar to 'Unable to retrieve quote: NotImplemented("Converting to digest value for key type Id(408)") "'