• crypto-policies-20240802-1.git8cb6f2d.el10
    • No
    • None
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 24
    • 30
    • 5
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Crypto24Q3
    • Hide

      AC1) NSS generated policy allows the following:

      • LEGACY: rc2-40-cbc, des-cbc, rc2-64-cbc,
        rc2-128-cbc, des-ede3-cbc, aes128-cbc, aes256-cbc                 
      • DEFAULT: des-ede3-cbc, aes128-cbc,
        aes256-cbc, rc2-*-cbc/legacy
      • FUTURE: aes128-cbc. aes256-cbc,
        des-ede3-cbc/legacy                 
      • FIPS: aes128-cbc, aes256-cbc

      AC2) it's documented that @pkcs12 is currently only respected by nss

      AC3) Is is possible to control pkcs12 import/export controls by pkcs12 scope in NSS (only).

      Show
      AC1) NSS generated policy allows the following: LEGACY: rc2-40-cbc, des-cbc, rc2-64-cbc, rc2-128-cbc, des-ede3-cbc, aes128-cbc, aes256-cbc                  DEFAULT: des-ede3-cbc, aes128-cbc, aes256-cbc, rc2-*-cbc/legacy FUTURE: aes128-cbc. aes256-cbc, des-ede3-cbc/legacy                  FIPS: aes128-cbc, aes256-cbc AC2) it's documented that @pkcs12 is currently only respected by nss AC3) Is is possible to control pkcs12 import/export controls by pkcs12 scope in NSS (only).
    • Pass
    • Not Needed
    • Manual
    • Enhancement
    • Hide
      .The `DEFAULT` cryptographic policy uses additional scopes

      The `crypto-policies` package now offers additional scopes `@pkcs12`, `@pkcs12-legacy`, `@smime`, and `@smime-legacy`, and uses them in the `DEFAULT` system-wide cryptographic policy. The selection of cryptographic algorithms used for PKCS #12 and S/MIME when network security services (NSS) is the underlying cryptographic library now follows system-wide cryptographic policies. Therefore, you can more easily select algorithms with higher granularity by using custom policies and subpolicies. The scopes use the following ciphers, hashes, and key exchanges:

      ----
      cipher@pkcs12 = AES-256-CBC AES-128-CBC
      cipher@pkcs12-import = 3DES-CBC+ RC2-CBC+
      cipher@smime = AES-256-CBC AES-128-CBC 3DES-CBC
      cipher@smime-import = RC2-CBC+
      hash@{pkcs12,smime} = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 \
      SHA2-224 SHA3-224
      hash@{pkcs12-import,smime} = SHA1+
      key_exchange@smime = RSA DH ECDH
      ----

      The `LEGACY` cryptographic policy uses a less strict selection of ciphers, hashes, and key exchanges than the `DEFAULT` policy, whereas the `FUTURE` policy is stricter. As a result, you can customize the algorithms used in NSS for importing and exporting PKCS #12 files and S/MIME encryption and decryption. NSS is currently the only cryptographic library linked to the newly offered scopes.
      Show
      .The `DEFAULT` cryptographic policy uses additional scopes The `crypto-policies` package now offers additional scopes `@pkcs12`, `@pkcs12-legacy`, `@smime`, and `@smime-legacy`, and uses them in the `DEFAULT` system-wide cryptographic policy. The selection of cryptographic algorithms used for PKCS #12 and S/MIME when network security services (NSS) is the underlying cryptographic library now follows system-wide cryptographic policies. Therefore, you can more easily select algorithms with higher granularity by using custom policies and subpolicies. The scopes use the following ciphers, hashes, and key exchanges: ---- cipher@pkcs12 = AES-256-CBC AES-128-CBC cipher@pkcs12-import = 3DES-CBC+ RC2-CBC+ cipher@smime = AES-256-CBC AES-128-CBC 3DES-CBC cipher@smime-import = RC2-CBC+ hash@{pkcs12,smime} = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 \ SHA2-224 SHA3-224 hash@{pkcs12-import,smime} = SHA1+ key_exchange@smime = RSA DH ECDH ---- The `LEGACY` cryptographic policy uses a less strict selection of ciphers, hashes, and key exchanges than the `DEFAULT` policy, whereas the `FUTURE` policy is stricter. As a result, you can customize the algorithms used in NSS for importing and exporting PKCS #12 files and S/MIME encryption and decryption. NSS is currently the only cryptographic library linked to the newly offered scopes.
    • Done
    • None

      NSS 3.101 rebase brought in new pkcs12 import/export controls that fail closed. In 8 and 9 we patch it back,
      in 10 we'd better control that through crypto-policies using `cipher@pkcs12` syntax.

      Expectations:
      LEGACY: import/export works for every previously supported algorithm
      DEFAULT: export: only AES with SHA-2 PRF and SHA-2 MAC or SHA-2 PBMAC1; import: same as for export + 3DES + RC2 + SHA-1 PRF and MAC
      FIPS: import/export: only AES with SHA-2 PRF and SHA-2 PBMAC1; test if SHA-2 MAC work, if they do: document that it's not compliant
      FUTURE: same as FIPS but SHA-2 MAC can work

      + the change is limited to adding <algname>/pkcs12 and <algname>/pkcs12-legacy to allow= of NSS (Sanity/retention)
      + it's documented that @pkcs12 is currently only respected by nss

              asosedki@redhat.com Alexander Sosedkin
              asosedki@redhat.com Alexander Sosedkin
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: