RHEL-3337

[RHEL7.9] xmlsec1 fails to validate XML signatures made using ECDSA algorithm in FIPS mode

      Description of problem:

      When we sign an XML document using the ECDSA algorithm, xmlsec1 fails to validate the resulting XML signature in FIPS mode.

      Version-Release number of selected component (if applicable):
      xmlsec1-1.2.20-7.el7_4 (including xmlsec1-openssl subpackage).

      How reproducible:
      Every time a signed XML document is verified in FIPS mode.

      Steps to Reproduce:

      1. Generate test keys (an EC key pair on the P-384 curve):

         openssl ecparam -out test.key -name secp384r1 -genkey
         openssl ec -in test.key -pubout -out test.pem

      2. Sign the document (msg.xml, the signature template, is attached to this issue):

         xmlsec1 --sign --privkey-pem test.key msg.xml > signed.xml

      3. Verify the document in FIPS mode:

         OPENSSL_FORCE_FIPS_MODE=1 xmlsec1 --verify --pubkey-pem test.pem signed.xml

      Actual results:
      Verification fails; xmlsec1 reports that it is unable to initialize the signature verification function.

      Expected results:
      The document is signed and the signature verifies successfully, in FIPS mode as well as outside it.

      Additional info:

      If the signing step (step 2 above) is also run in FIPS mode, it fails with a similar error.
      Using ECDSA with OpenSSL in FIPS mode works fine, with no errors, for applications other than xmlsec1.

      The customer has already shared a patch and would like it to be added officially to the package via upstream.

      The patch is attached.
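      The reproduction steps above and the signing-in-FIPS-mode case from the additional info, collected into one script. This is an added example, not the reporter's attached msg.xml or patch: the template it writes is a constructed stand-in for msg.xml (an enveloped ECDSA-SHA256 signature over the whole document), the file names, exit codes and WORKDIR variable are this script's own assumptions, and OPENSSL_FORCE_FIPS_MODE is honoured only by Red Hat's patched OpenSSL, so on other builds the FIPS-mode runs behave exactly like the baseline runs.

```shell
#!/bin/sh
# Reproduction for RHEL-3337 (added example; the attached msg.xml is not shown
# on the page, so write_template() below creates a constructed stand-in).
#
# repro() exit codes (this script's own convention):
#   0  baseline and FIPS-mode signing/verification all succeed
#   1  openssl or xmlsec1 is not installed (nothing was tested)
#   2  baseline (non-FIPS) signing or verification failed: setup problem
#   3  baseline OK, but verification fails under OPENSSL_FORCE_FIPS_MODE=1 (the report)
#   4  FIPS-mode verification OK, but FIPS-mode signing fails (the "Additional info" case)
# OPENSSL_FORCE_FIPS_MODE is honoured only by Red Hat's patched OpenSSL; elsewhere
# it is a no-op and the FIPS-mode runs behave like the baseline runs.

# Minimal enveloped-signature template: ECDSA-SHA256 over the whole document.
# xmlsec1 --sign fills in DigestValue and SignatureValue.
write_template() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Data>constructed sample payload</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
  </Signature>
</Envelope>
EOF
}

# Count how many lines of file $1 carry the Algorithm URI $2 (template sanity check).
count_algorithm() {
    grep -c "Algorithm=\"$2\"" "$1"
}

# P-384 key pair, as in the report: private key written to $1, public key to $2.
gen_keys() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1" &&
    openssl ec -in "$1" -pubout -out "$2"
}

# Sign template $2 with private key $1, writing the signed document to $3.
# Passing 1 as $4 forces FIPS mode for this run.
sign_doc() {
    if [ "${4:-0}" = 1 ]; then
        OPENSSL_FORCE_FIPS_MODE=1 xmlsec1 --sign --privkey-pem "$1" --output "$3" "$2"
    else
        xmlsec1 --sign --privkey-pem "$1" --output "$3" "$2"
    fi
}

# Verify signed document $2 with public key $1. Passing 1 as $3 forces FIPS mode.
verify_doc() {
    if [ "${3:-0}" = 1 ]; then
        OPENSSL_FORCE_FIPS_MODE=1 xmlsec1 --verify --pubkey-pem "$1" "$2"
    else
        xmlsec1 --verify --pubkey-pem "$1" "$2"
    fi
}

# Run the whole sequence inside directory $1 and map the outcome to the codes above.
repro() {
    command -v openssl >/dev/null 2>&1 && command -v xmlsec1 >/dev/null 2>&1 || return 1
    write_template "$1/msg.xml"
    gen_keys "$1/test.key" "$1/test.pem" >/dev/null 2>&1 || return 2
    sign_doc "$1/test.key" "$1/msg.xml" "$1/signed.xml" >/dev/null 2>&1 || return 2
    verify_doc "$1/test.pem" "$1/signed.xml" >/dev/null 2>&1 || return 2
    verify_doc "$1/test.pem" "$1/signed.xml" 1 >/dev/null 2>&1 || return 3
    sign_doc "$1/test.key" "$1/msg.xml" "$1/signed-fips.xml" 1 >/dev/null 2>&1 || return 4
    return 0
}

WORKDIR="${WORKDIR:-$(mktemp -d)}"
REPRO_RC=0
repro "$WORKDIR" || REPRO_RC=$?
echo "RHEL-3337 reproduction in $WORKDIR finished with code $REPRO_RC (3 = bug reproduced)"
```

      Run it on the affected RHEL 7 box with the xmlsec1 and xmlsec1-openssl packages installed; code 3 corresponds to the behaviour in "Actual results", code 4 to the note that signing in FIPS mode fails too, and the intermediate files stay in WORKDIR for inspection.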

      Attachments: msg.xml (0.9 kB, Scott Poore)

      People: Tomas Halman (thalman@redhat.com), Ravindra Patil (rhn-support-ravpatil), Scott Poore