Test fails on RHEL9 due to sha1 removal about python-fido2 HOT 6 CLOSED

The underlying issue seems to be this: https://lists.fedoraproject.org/archives/list/[email protected]/thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP/

The easiest fix would be to detect this and skip those tests, but it doesn't solve the bigger problem of TPM attestation using SHA1 not being verifiable on RHEL. I'm on vacation this coming week, but will take a look at it when I'm back. In the meantime I'd welcome suggestions on how we should tackle this!

from python-fido2.

You can switch RHEL 9 to still accept SHA-1 by running update-crypto-policies --set DEFAULT:SHA1. Obviously that's a very temporary measure, and won't solve the issue for systems in FIPS mode, for example, which no longer allow SHA-1 in signatures without a toggle to re-enable them.

Given that the writing is on the wall for SHA-1 (https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm), the proper solution is to use a newer digest algorithm where available.

from python-fido2.

It seems to me that the only thing we can do here is to skip the relevant tests if SHA1 is disabled. If you need to validate attestation using SHA1 signatures, then you'll need to use the update-crypto-policies command mentioned above. Unfortunately since we're not creating these signatures, only validating them, there's no way for us to switch algorithms.

from python-fido2.

I pushed a potential fix (to skip the test) here: https://github.com/Yubico/python-fido2/tree/fix/sha1-test-skip

Could someone with RHEL9 verify that it works as intended?

from python-fido2.

The fix has now been released in version 1.1.2. Hopefully that resolves this.

from python-fido2.

LGTM, thanks!

from python-fido2.