Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1038683
Summary: | golang appears to contain an ECC implementation | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Bill Nottingham <notting> |
Component: | golang | Assignee: | Jakub Čajka <jcajka> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 24 | CC: | adam, admiller, amurdaca, berrange, cben, dcbw, dwalsh, esm, ewolinet, fdeutsch, fweimer, golang-updates, jeffschroeder, jpeeler, jrieden, kstailey, lemenkov, lsm5, me, mitr, nmavrogi, renich, rfontana, rrelyea, rvokal, sct, sforsber, sgrubb, skottler, smahajan, tcallawa, tmraz, vbatts |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | golang-1.2-3.el6 golang-1.7.3-2.fc25 golang-1.5.4-4.fc23 golang-1.6.3-4.fc24 golang-1.7.3-2.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-24 16:29:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 182235, 1019390, 1379484 |
Description
Bill Nottingham
2013-12-05 15:47:27 UTC
This will take a bit of work/consideration on which curves are not allowed. From just stdlib alone, the following libraries import from crypto/elliptic: * crypto/ecdsa * crypto/x509 - also imports from crypto/ecdsa * crypto/tls - also imports from crypto/ecdsa - also imports from crypto/x509 per http://golang.org/src/pkg/crypto/ecdsa/ecdsa.go, the ecdsa implementation is to spec of the Suite B guide for FIPS 186-3 I've pushed a patched build to rawhide, to bake for a bit. http://koji.fedoraproject.org/koji/buildinfo?buildID=485741 golang-1.2-3.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/golang-1.2-3.fc19 golang-1.2-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/golang-1.2-3.fc20 golang-1.2-3.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/golang-1.2-3.el6 Package golang-1.2-3.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing golang-1.2-3.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-0257/golang-1.2-3.el6 then log in and leave karma (feedback). golang-1.2-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. golang-1.2-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. golang-1.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. Reopening this bug as this patch is now causing docker builds to fail. Can we revisit this decision, has anything changed in the last few years. Can we implement just the elyptical curves that the NSA has licenses for? hack/make.sh dynbinary # WARNING! I don't seem to be running in a Docker container. # The result of this command might be an incorrect build, and will not be # officially supported. # # Try this instead: make all # bundles/1.12.0-dev already exists. Removing. ---> Making bundle: dynbinary (in bundles/1.12.0-dev/dynbinary) Building: bundles/1.12.0-dev/dynbinary-client/docker-1.12.0-dev Created binary: bundles/1.12.0-dev/dynbinary-client/docker-1.12.0-dev Building: bundles/1.12.0-dev/dynbinary-daemon/dockerd-1.12.0-dev # github.com/google/certificate-transparency/go/x509 vendor/src/github.com/google/certificate-transparency/go/x509/x509.go:342: undefined: elliptic.P224 vendor/src/github.com/google/certificate-transparency/go/x509/x509.go:355: undefined: elliptic.P224 vendor/src/github.com/google/certificate-transparency/go/x509/x509.go:1461: undefined: elliptic.P224 [Exit 1] I'm checking into this. if this isn't doable, however we can use this patch: diff --git a/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go b/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go old mode 100755 new mode 100644 index cda7220..d879b91 --- a/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go +++ b/vendor/src/github.com/google/certificate-transparency/go/x509/x509.go @@ -330,7 +330,6 @@ func getPublicKeyAlgorithmFromOID(oid asn1.ObjectIdentifier) PublicKeyAlgorithm // // NB: secp256r1 is equivalent to prime256v1 var ( - oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33} oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34} oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35} @@ -338,8 +337,6 @@ var ( func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve { switch { - case oid.Equal(oidNamedCurveP224): - return elliptic.P224() case oid.Equal(oidNamedCurveP256): return elliptic.P256() case oid.Equal(oidNamedCurveP384): @@ -352,8 +349,6 @@ func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve { func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) { switch curve { - case elliptic.P224(): - return oidNamedCurveP224, true case elliptic.P256(): return oidNamedCurveP256, true case elliptic.P384(): @@ -1458,7 +1453,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub interf hashFunc = crypto.SHA1 case *ecdsa.PrivateKey: switch priv.Curve { - case elliptic.P224(), elliptic.P256(): + case elliptic.P256(): hashFunc = crypto.SHA256 signatureAlgorithm.Algorithm = oidSignatureECDSAWithSHA256 case elliptic.P384(): Any resolution on this? Upstream Kubernetes no longer builds due to the same github.com/google/certificate-transparency/go/x509/x509.go issues. This affects building Google Cloud Print CUPS proxy for Android. Once I patched out the references to elliptic.P224 I was able to build gcp-connector-util and print from my Android smartphone. The NIST P-224 curve is now permissible in Fedora. I'm rebuilding golang to enable it now. This is now done in Fedora 25+. For other branches, I'll leave the changes to the maintainers. golang-1.7.3-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0aae3021b3 golang-1.6.3-4.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0eb27fee7a golang-1.5.4-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-109c7b5f68 golang-1.7.3-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0aae3021b3 golang-1.7.3-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1300e04b7c golang-1.7.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1300e04b7c golang-1.5.4-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-109c7b5f68 golang-1.6.3-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0eb27fee7a golang-1.7.3-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. golang-1.5.4-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. golang-1.6.3-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. golang-1.7.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |