Use SHA-256 instead of SHA-1 for PKINIT CMS digest

CMS digest and signature algorithm for the anonymous PKINIT is changed from SHA-1 to SHA-256. SHA-1 hasn't been considered secure anymore for this kind of purposes for some years already. Resolves: rhbz#2067121 Signed-off-by: Julien Rische <jrische@redhat.com>
2022-03-23 11:30:21 +01:00 · 2022-03-23 11:30:21 +01:00 · 2ef37ab30d
commit 2ef37ab30d
parent 970430cbff
2 changed files with 118 additions and 1 deletions
--- a/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
+++ b/Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
@ -0,0 +1,113 @@
+From 538be893707e2306e89f5e5ca92c0db0ee305e3e Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Fri, 11 Mar 2022 11:33:56 +0100
+Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
+Various organizations including NIST have been strongly recommending to
+stop using SHA-1 for digital signatures for some years already. CMS
+digest is used to generate such signatures, hence it should be upgraded
+to use SHA-256.
+---
+ .../preauth/pkinit/pkinit_crypto_openssl.c    | 27 ++++++++++---------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+index 42e5c581d..2a6ef4aaa 100644
+--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+@@ -1240,7 +1240,7 @@ cms_signeddata_create(krb5_context context,
+         /* will not fill-out EVP_PKEY because it's on the smartcard */
+ 
+         /* Set digest algs */
+-        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
+        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
+ 
+         if (p7si->digest_alg->parameter != NULL)
+             ASN1_TYPE_free(p7si->digest_alg->parameter);
+@@ -1251,17 +1251,17 @@ cms_signeddata_create(krb5_context context,
+         /* Set sig algs */
+         if (p7si->digest_enc_alg->parameter != NULL)
+             ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
+-        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
+        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption);
+         if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
+             goto cleanup;
+         p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
+ 
+         /* add signed attributes */
+-        /* compute sha1 digest over the EncapsulatedContentInfo */
+        /* compute sha256 digest over the EncapsulatedContentInfo */
+         ctx = EVP_MD_CTX_new();
+         if (ctx == NULL)
+             goto cleanup;
+-        EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+        EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+         EVP_DigestUpdate(ctx, data, data_len);
+         md_tmp = EVP_MD_CTX_md(ctx);
+         EVP_DigestFinal_ex(ctx, md_data, &md_len);
+@@ -1289,9 +1289,10 @@ cms_signeddata_create(krb5_context context,
+             goto cleanup2;
+ 
+ #ifndef WITHOUT_PKCS11
+-        /* Some tokens can only do RSAEncryption without sha1 hash */
+-        /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
+-         * function and the hash value into an ASN.1 value of type DigestInfo
+        /* Some tokens can only do RSAEncryption without sha256 hash */
+        /* to compute sha256WithRSAEncryption, encode the algorithm ID for the
+         * hash function and the hash value into an ASN.1 value of type
+         * DigestInfo
+          * DigestInfo::=SEQUENCE {
+          *  digestAlgorithm  AlgorithmIdentifier,
+          *  digest OCTET STRING }
+@@ -1310,7 +1311,7 @@ cms_signeddata_create(krb5_context context,
+             alg = X509_ALGOR_new();
+             if (alg == NULL)
+                 goto cleanup2;
+-            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
+            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
+             alg_len = i2d_X509_ALGOR(alg, NULL);
+ 
+             digest = ASN1_OCTET_STRING_new();
+@@ -1339,7 +1340,7 @@ cms_signeddata_create(krb5_context context,
+ #endif
+         {
+             pkiDebug("mech = %s\n",
+-                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
+                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
+             retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
+                                       &sig, &sig_len);
+         }
+@@ -4189,7 +4190,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
+     ctx = EVP_MD_CTX_new();
+     if (ctx == NULL)
+         return ENOMEM;
+-    EVP_SignInit(ctx, EVP_sha1());
+    EVP_SignInit(ctx, EVP_sha256());
+     EVP_SignUpdate(ctx, data, data_len);
+     *sig_len = EVP_PKEY_size(pkey);
+     if ((*sig = malloc(*sig_len)) == NULL)
+@@ -4663,10 +4664,10 @@ pkinit_get_certs_pkcs11(krb5_context context,
+ 
+ #ifndef PKINIT_USE_MECH_LIST
+     /*
+-     * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
+      * many cards seems to be confused about whether they are capable of
+      * this or not. The safe thing seems to be to ignore the mechanism list,
+-     * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
+     * always use CKM_RSA_PKCS and calculate the sha256 digest ourselves.
+      */
+ 
+     id_cryptoctx->mech = CKM_RSA_PKCS;
+@@ -4694,7 +4695,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
+         if (mechp[i] == CKM_RSA_PKCS) {
+             /* This seems backwards... */
+             id_cryptoctx->mech =
+-                (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
+                (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
+         }
+     }
+     free(mechp);
+-- 
+2.35.1
+
--- a/krb5.spec
+++ b/krb5.spec
@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.2
-Release: %{?zdpd}6%{?dist}
+Release: %{?zdpd}7%{?dist}

 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -94,6 +94,7 @@ Patch33: Use-OpenSSL-s-SSKDF-in-PKINIT-when-available.patch
 Patch34: Use-OpenSSL-s-KBKDF-and-KRB5KDF-for-deriving-long-te.patch
 Patch35: Handle-OpenSSL-3-s-providers.patch
 Patch36: Remove-TCL-based-libkadm5-API-tests.patch
+Patch37: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch

 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@ -643,6 +644,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Wed Mar 23 2022 Julien Rische <jrische@redhat.com> - 1.19.2-7
+- Use SHA-256 instead of SHA-1 for PKINIT CMS digest
+
 * Tue Feb  8 2022 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.19.2-6
 - Drop old trigger scriplet
 - Reenable package notes and strip LDFLAGS from krb5-config (rhbz#2048909)