Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: Generate New Ti...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0
Component/s: oqsprovider
Labels:
- Accepted
- CY25Q1

Regression:
No
Severity:
Moderate
Epic Link:
CRYPTO-15338
sprint_count:
1

AssignedTeam:
rhel-security-crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
0.5
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
Crypto25Q1

Acceptance Criteria:

Hide

AC1: when ML-KEM-512, ML-KEM-768, and ML-KEM-1024 keys are written to files, they use OIDs specified in https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
AC2: the private keys are stored as specified in https://datatracker.ietf.org/doc/html/draft-ietf-lamps-kyber-certificates-04, but with the value actually being a concatenation of expanded private key and public key

Show
AC1: when ML-KEM-512, ML-KEM-768, and ML-KEM-1024 keys are written to files, they use OIDs specified in https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration AC2: the private keys are stored as specified in https://datatracker.ietf.org/doc/html/draft-ietf-lamps-kyber-certificates-04 , but with the value actually being a concatenation of expanded private key and public key
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/139689
Gating Tests:

Needed
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

oqsprovider supports hybrid KEMs which we need for TLS (and maybe for other protocols), but without official OIDs for them, we shouldn't allow serialisation of them.

At the same time, pure ML-KEM does have specified OIDs: https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration so we shouldn't remove support for serialisation, but we will need to figure out when to switch to final OIDs.

links to

RHBA-2024:139689 oqsprovider bug fix and enhancement update

Assignee:: Alicja Kario

Reporter:: Alicja Kario

Developer:: Dmitry Belyavskiy

QA Contact:: Alicja Kario

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/10/24 3:00 PM

Updated:: 2025/05/13 12:31 PM

Resolved:: 2025/05/13 12:31 PM

Target end:: 2025/02/17

Next Planned Release Date:: 2025/05/13

Release Date:: 2025/05/13

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates