Goal
- When a DNSSEC validator fetches a signed DS record, that record contains only the DNSSEC algorithm number and a hash of the key at the child zone. We need a simple way to query a key type + digest type combination on OpenSSL and get a boolean response. If true, the algorithm will very likely work and the key should be fetched. If false, consider this algorithm unsigned or unsupported, and no crypto would be tried on child nodes. The result should be driven by the crypto-policy setting.
- It should be possible to disable signing only but keep verification working for some time. Not all protocols allow negotiation driven by the client; DNSSEC is such an example. A weak signature is still better than no signature.
Acceptance criteria
- Verify that the availability of the RSA + SHA1 DNSSEC algorithms 5 and 7 can be queried according to the EVP_MD and EVP_PKEY type, without actually loading an EVP_PKEY.
- Verify that signing ability can be separate from, and different than, verification ability.
https://datatracker.ietf.org/doc/draft-crocker-dnsop-dnssec-algorithm-lifecycle/ was created in reaction to the way we disabled SHA-1. They complain that we skipped phase 6 and went right to 7.
int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, const char *name, const char *propq);
This seems to be very close to what I need. But the problem with this is that I do not have any pkey to use at that moment. I would have to use something prefabricated, which does not exist in the actual communication. I would need to use a custom public key unrelated to the query being solved. I do not think that should be required. Can the pkey type be specified instead just by a type string, similar to what EVP_PKEY_CTX_new_from_name(3) uses?
// add something like this
int EVP_PKEY_verify_supports_digest(const char *pkey_type, OSSL_LIB_CTX *libctx, const char *digest_name, const char *propq);
// This seems to be an existing, unused candidate to signal something similar, possibly in a simpler form.
int EVP_MD_get_pkey_type(const EVP_MD *md);