Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-3337

[RHEL7.9] xmlsec1 fails to validate XML signatures made using ECDSA algorithm in FIPS mode

    • sst_idm_sssd
    • ssg_idm
    • Dev ack
    • False
    • Hide

      None

      Show
      None
    • If docs needed, set a value

      Description of problem:

      When we sign XML document using ECDSA algrorithm, the xmlsec1 fails to validate XML signatures made using ECDSA algorithm in FIPS mode.

      Version-Release number of selected component (if applicable):
      xmlsec1-1.2.20-7.el7_4 (including xmlsec1-openssl subpackage).

      How reproducible:
      Every time when XML document is verified

      Steps to Reproduce :

      1. Generate test keys

      1. openssl ecparam -out test.key -name secp384r1 -genkey
      2. openssl ec -in test.key -pubout -out test.pem

      2. Sign document

      1. xmlsec --sign --privkey-pem test.key msg.xml > signed.xml

      3. Verify document

      1. OPENSSL_FORCE_FIPS_MODE=1 xmlsec --verify --pubkey-pem test.pem signed.xml

      Actual results:
      xmlsec is unable to initialize signature verification function.

      Expected results:
      Document is signed and signature verifies

      Additional info:

      If signing step (step 2 above) is run in FIPS mode, that fails with a similar error.
      Using ECDSA with OpenSSL in FIPS mode works fine with no errors for other applications than xmlsec.

      Customer has already shared a patch and would like to get this added officially in the package through upstream.

      Patch is attached.

            thalman@redhat.com Tomas Halman
            rhn-support-ravpatil Ravindra Patil
            Scott Poore Scott Poore
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: