Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0
Component/s: nss
Labels:

Regression:
None
Severity:
Moderate
Epic Link:
CRYPTO-12417
sprint_count:
1

Pool Team:

sst_security_crypto
Sub-System Group:

ssg_security

Dev Target Milestone:
24
Internal Target Milestone:
27
Story Points:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto24Q3

Acceptance Criteria:

Hide

AC1) SEED and DSA are not available anymore and cannot be use din NSS applications.

Show
AC1) SEED and DSA are not available anymore and cannot be use din NSS applications.
Preliminary Testing:
Pass
Test Link:
https://pkgs.devel.redhat.com/cgit/tests/nss/tree/Sanity/RHEL-44995-deprecate-DSA-and-SEED
Errata Link:
https://errata.engineering.redhat.com/advisory/136536
Gating Tests:

Enabled
Test Coverage:

Automated

Release Note Type:
Deprecated Functionality
Release Note Text:

Hide
.DSA and SEED algorithms have been deprecated in NSS

The DSA signing algorithm, which was created by NIST and is now completely deprecated by NIST, is deprecated in the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA, ECDSA, SHB-DSA, ML-DSA, and FN-DSA.

The SEED algorithm, which was created by the Korea Information Security Agency (KISA) and has been previously disabled upstream, is deprecated in the Network Security Services (NSS) cryptographic library.

Show
.DSA and SEED algorithms have been deprecated in NSS The DSA signing algorithm, which was created by NIST and is now completely deprecated by NIST, is deprecated in the Network Security Services (NSS) cryptographic library. You can instead use algorithms such as RSA, ECDSA, SHB-DSA, ML-DSA, and FN-DSA. The SEED algorithm, which was created by the Korea Information Security Agency (KISA) and has been previously disabled upstream, is deprecated in the Network Security Services (NSS) cryptographic library.
Release Note Status:
In Progress

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Several old algorithms that have little to no use and are disabled by default need to be disabled completely:

1) SEED, the former national cipher of Korea. This has been disabled upstream for several years. A single #define in the SPEC file will disable it for NSS.
2) DSA, this is a signing aglorithm, created by NIST and now completely deprecated by NIST in favor of RSA and ECDSA (and eventually SHB-DSA, ML-DSA and FN-DSA). This requires disabling CKM_DSA_XXX in PKCS #11 (under a #define) and including that #define in the SPEC. It will also require dropping or modifying tests in NSS upstream tests of DSA.

NOTE: DSA parameter gen is used extensively in testing of weak Diffie-Helman code (mostly to make sure we properly reject weak Diffie-Helman by default, so it will stay until we deprecate DH.

links to

RHBA-2024:136536 nss bug fix and enhancement update

Assignee:: Robert Relyea

Reporter:: Robert Relyea

Need Info From:: Robert Relyea

Developer:: Robert Relyea

QA Contact:: Ondrej Moris

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/06/25 3:01 PM

Updated:: 2024/09/26 12:22 PM

Dev Target end:: 2024/08/12

Target end:: 2024/09/02

Details

Description

Attachments

Issue Links

Activity

People

Dates