Yubico / python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
BSD 2-Clause "Simplified" License

Test fails on RHEL9 due to sha1 removal #182

Closed opoplawski closed 1 year ago

opoplawski commented 1 year ago

ERROR: test_tpm_windows_hello_attestation (tests.test_attestation.TestAttestationObject)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/python-fido2-1.1.1/tests/test_attestation.py", line 225, in test_tpm_windows_hello_attestation
    res = attestation.verify(statement, auth_data, client_param)
  File "/builddir/build/BUILD/python-fido2-1.1.1/fido2/attestation/base.py", line 89, in inner
    return f(*args, **kwargs)
  File "/builddir/build/BUILD/python-fido2-1.1.1/fido2/attestation/tpm.py", line 576, in verify
    pub_key.verify(cert_info, statement["sig"])
  File "/builddir/build/BUILD/python-fido2-1.1.1/fido2/cose.py", line 266, in verify
    rsa.RSAPublicNumbers(bytes2int(self[-2]), bytes2int(self[-1])).public_key(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 571, in verify
    return _rsa_sig_verify(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 270, in _rsa_sig_verify
    pkey_ctx = _rsa_sig_setup(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 213, in _rsa_sig_setup
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: sha1 is not supported by this backend for RSA signing.

dainnilsson commented 1 year ago

The underlying issue seems to be this: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/

The easiest fix would be to detect this and skip those tests, but it doesn't solve the bigger problem of TPM attestation using SHA1 not being verifiable on RHEL. I'm on vacation this coming week, but will take a look at it when I'm back. In the meantime I'd welcome suggestions on how we should tackle this!

neverpanic commented 1 year ago

You can switch RHEL 9 to still accept SHA-1 by running update-crypto-policies --set DEFAULT:SHA1. Obviously that's a very temporary measure, and won't solve the issue for systems in FIPS mode, for example, which no longer allow SHA-1 in signatures without a toggle to re-enable them.

Given that the writing is on the wall for SHA-1 (https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm), the proper solution is to use a newer digest algorithm where available.

dainnilsson commented 1 year ago

It seems to me that the only thing we can do here is to skip the relevant tests if SHA1 is disabled. If you need to validate attestation using SHA1 signatures, then you'll need to use the update-crypto-policies command mentioned above. Unfortunately since we're not creating these signatures, only validating them, there's no way for us to switch algorithms.
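
Added example, not part of the thread and not the project's own fix: one way to probe at test time whether the `cryptography` backend refuses SHA-1 for RSA signature verification, so that a SHA-1 dependent test is skipped rather than erroring. The names `rsa_verify_supports`, `_probe_key`, `Sha1AttestationStyleTest` and `run_demo` are hypothetical, and the probe key is generated on the spot.

```python
import functools
import unittest

from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


@functools.lru_cache(maxsize=None)
def _probe_key():
    # Throwaway key used only for probing (constructed here, not from the thread).
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def rsa_verify_supports(hash_name: str) -> bool:
    """True if the backend accepts this digest for RSA PKCS#1 v1.5 verification."""
    digest = getattr(hashes, hash_name)()
    bogus_sig = b"\x00" * (_probe_key().key_size // 8)
    try:
        _probe_key().public_key().verify(
            bogus_sig, b"probe", padding.PKCS1v15(), digest
        )
    except UnsupportedAlgorithm:
        return False  # digest refused during setup, as in the traceback above
    except InvalidSignature:
        return True  # digest accepted; only the all-zero signature was rejected
    return True  # not expected: an all-zero signature does not verify


class Sha1AttestationStyleTest(unittest.TestCase):
    @unittest.skipUnless(rsa_verify_supports("SHA1"), "RSA/SHA-1 disabled by policy")
    def test_sha1_signature_roundtrip(self):
        key = _probe_key()
        sig = key.sign(b"cert_info", padding.PKCS1v15(), hashes.SHA1())
        key.public_key().verify(sig, b"cert_info", padding.PKCS1v15(), hashes.SHA1())


def run_demo() -> unittest.TestResult:
    # Runs the sample test; it passes where SHA-1 is allowed and is skipped otherwise.
    loader = unittest.defaultTestLoader
    suite = loader.loadTestsFromTestCase(Sha1AttestationStyleTest)
    return unittest.TextTestRunner(verbosity=0).run(suite)


if __name__ == "__main__":
    print("RSA verify with SHA-256:", rsa_verify_supports("SHA256"))
    print("RSA verify with SHA-1:  ", rsa_verify_supports("SHA1"))
    run_demo()
```

The probe treats `InvalidSignature` as proof the digest was accepted, because the backend sets up the digest before it checks the signature bytes.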

dainnilsson commented 1 year ago

I pushed a potential fix (to skip the test) here: https://github.com/Yubico/python-fido2/tree/fix/sha1-test-skip

Could someone with RHEL9 verify that it works as intended?

dainnilsson commented 1 year ago

The fix has now been released in version 1.1.2. Hopefully that resolves this.

opoplawski commented 1 year ago

LGTM, thanks!