- Bug
- Resolution: Done-Errata
- Critical
- rhel-7.9.z
- rhel-sst-idm-sssd
- ssg_idm
- Dev ack
Description of problem:
When we sign an XML document using the ECDSA algorithm, xmlsec1 fails to validate the ECDSA signature in FIPS mode.
Version-Release number of selected component (if applicable):
xmlsec1-1.2.20-7.el7_4 (including xmlsec1-openssl subpackage).
How reproducible:
Every time an XML document is verified.
Steps to Reproduce:
1. Generate test keys
- openssl ecparam -out test.key -name secp384r1 -genkey
- openssl ec -in test.key -pubout -out test.pem
2. Sign document
- xmlsec1 --sign --privkey-pem test.key msg.xml > signed.xml
3. Verify document
- OPENSSL_FORCE_FIPS_MODE=1 xmlsec1 --verify --pubkey-pem test.pem signed.xml
Actual results:
xmlsec1 is unable to initialize the signature verification function.
Expected results:
The document is signed and the signature verifies.
Additional info:
If the signing step (step 2 above) is run in FIPS mode, it fails with a similar error.
Using ECDSA with OpenSSL in FIPS mode works fine, with no errors, for applications other than xmlsec1.
The customer has already shared a patch and would like to get it added officially to the package through upstream.
The patch is attached.
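The reproduction steps above, scripted end to end, as an added example that is not part of this bug report or of the xmlsec1 package. It supplies the one thing the steps leave implicit: "xmlsec1 --sign" needs msg.xml to already contain a Signature template (here an enveloped ECDSA-SHA256 signature with a SHA-256 digest, both FIPS-approved algorithms, so a failure isolates xmlsec1 rather than the algorithm choice). It then runs the normal verify, the FIPS-forced verify from step 3, and the FIPS-forced sign mentioned under Additional info, printing one status line per case. Assumptions: xmlsec1 (with the openssl backend) and openssl are on PATH, and OPENSSL_FORCE_FIPS_MODE=1 is the RHEL 7 OpenSSL switch used in the report; the template payload is constructed sample data.

```shell
#!/bin/sh
# Added reproducer for the ECDSA-in-FIPS-mode report (not the package's own code).
# Assumes: xmlsec1 + openssl on PATH; OPENSSL_FORCE_FIPS_MODE=1 as in the report.
set -u

# Enveloped-signature template; xmlsec1 fills in DigestValue and SignatureValue.
# ECDSA-SHA256 and SHA-256 are FIPS-approved, so a FIPS failure is not the algorithm.
make_template() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:example:envelope">
  <Data>constructed sample payload</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo><KeyName/></KeyInfo>
  </Signature>
</Envelope>
EOF
}

# Map an exit status to a one-word result: 0 = verified/signed, anything else = failed.
verify_status() {
  if [ "$1" -eq 0 ]; then echo verified; else echo failed; fi
}

# Run steps 1-3 plus the FIPS signing case in a scratch directory; one line per case.
run_repro() {
  work=$(mktemp -d) || return 1
  trap 'rm -rf "$work"' EXIT
  make_template > "$work/msg.xml"

  # Step 1: P-384 key pair, exactly as in the report.
  openssl ecparam -out "$work/test.key" -name secp384r1 -genkey >/dev/null 2>&1 || return 1
  openssl ec -in "$work/test.key" -pubout -out "$work/test.pem" >/dev/null 2>&1 || return 1

  # Step 2: sign outside FIPS mode (works per the report).
  xmlsec1 --sign --privkey-pem "$work/test.key" --output "$work/signed.xml" "$work/msg.xml" >/dev/null 2>&1 || return 1

  # Step 3a: verify without FIPS, expected to pass.
  xmlsec1 --verify --pubkey-pem "$work/test.pem" "$work/signed.xml" >/dev/null 2>&1
  rc=$?; echo "verify (non-FIPS): $(verify_status "$rc")"

  # Step 3b: verify with FIPS forced, the failing case in the report.
  OPENSSL_FORCE_FIPS_MODE=1 xmlsec1 --verify --pubkey-pem "$work/test.pem" "$work/signed.xml" >/dev/null 2>&1
  rc=$?; echo "verify (FIPS):     $(verify_status "$rc")"

  # Additional info: signing under FIPS is reported to fail the same way.
  OPENSSL_FORCE_FIPS_MODE=1 xmlsec1 --sign --privkey-pem "$work/test.key" --output "$work/signed-fips.xml" "$work/msg.xml" >/dev/null 2>&1
  rc=$?; echo "sign   (FIPS):     $(verify_status "$rc")"
}

# Run only when the tools are present; the functions stay usable either way.
if command -v xmlsec1 >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  run_repro || echo "reproduction could not complete (key generation or signing failed)" >&2
else
  echo "xmlsec1/openssl not found; nothing run" >&2
fi
```

On an unpatched xmlsec1-1.2.20 in RHEL 7 the expected output is verified for the non-FIPS case and failed for both FIPS cases; after the errata fix all three should read verified. Run it on a host with FIPS actually enabled (cat /proc/sys/crypto/fips_enabled prints 1) as well, since OPENSSL_FORCE_FIPS_MODE only forces the OpenSSL library into FIPS mode and does not exercise the kernel-level policy.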
External trackers:
- links to: RHBA-2023:123252 Fix ECDSA validation in FIPS mode