[UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs

Bug #1854148 reported by bugproxy
Affects                      Status        Importance  Assigned to                  Milestone
Ubuntu on IBM z Systems      Fix Released  High        Skipper Bug Screeners        -
opencryptoki (Ubuntu)        Fix Released  Undecided   Canonical Foundations Team   -
  Xenial                     Won't Fix     Undecided   Unassigned                   -
  Bionic                     Fix Released  Undecided   Brian Murray                 -
  Disco                      Won't Fix     Undecided   Unassigned                   -
  Eoan                       Won't Fix     Undecided   Unassigned                   -

Bug Description

SRU Justification:
------------------

[Impact]

 * With commit 2668e8f the contents of the attribute CKA_IBM_OPAQUE have been changed to contain the raw EP11 blob directly, no longer wrapped in a struct ep11_opaque.

 * The pkcsep11_migrate tool now needs to be corrected so that it also expects the raw blob in the attribute CKA_IBM_OPAQUE, matching what the EP11 token provides.

[Fix]

* 316e35e55b1fe90d963186d54e7d8c4f77ce94ed "pkcsep11_migrate: Fix re-encryption of EP11 key blobs"

[Test Case]

 * An s390x system (LPAR or z/VM) with at least one crypto domain online and a master key set is needed.

 * Install the opencryptoki package on that system, which includes the pkcsep11_migrate tool.

 * Use the pkcsep11_migrate tool to re-encrypt EP11 token keys in preparation for a master key change in the EP11 adapter.

[Regression Potential]

 * The regression potential can be considered as moderate, since:

 * this is limited to EP11 token keys migration and re-encryption situations

 * and the patch modifies the pkcsep11_migrate utility only, hence will not affect other pkcs* tools

 * and right now the pkcsep11_migrate utility is broken anyway

[Other Info]

 * On top of that, the patch "pkcsep11_migrate: Fix re-encryption of EP11 key blobs" fixes some minor things to make re-encryption really work.
__________

We just released openCryptoki 3.12.1 to fix a bug in the pkcs11_migrate tool.

Change Log:
- Fix pkcsep11_migrate tool

https://github.com/opencryptoki/opencryptoki
https://github.com/opencryptoki/opencryptoki/releases/tag/v3.12.1

Please update the feature request to either..
- include the 3.12.1 bug-fix release ..
- .. or include the following commit on top of 3.12:
https://github.com/opencryptoki/opencryptoki/commit/316e35e55b1fe90d963186d54e7d8c4f77ce94ed

This fix is applicable to openCryptoki >= 3.4, which means:

20.04
19.10
18.04
16.04

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-182597 severity-high targetmilestone-inin1910
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
Revision history for this message
Frank Heimes (fheimes) wrote :

Since we don't do version bumps on Ubuntu versions that are already released, we will probably just cherry-pick the fix for 19.10, 19.04, 18.04, and 16.04.
20.04 may come with an updated package, like 3.12.1.

Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Canonical Foundations Team (canonical-foundations)
Frank Heimes (fheimes)
description: updated
Revision history for this message
Frank Heimes (fheimes) wrote :

Since Ubuntu 19.04 / Disco reached its end-of-life on January the 23rd:
https://lists.ubuntu.com/archives/ubuntu-announce/2020-January/000253.html
the entry that marks this ticket as affecting 'Disco' is changed to 'Won't Fix'.

Changed in opencryptoki (Ubuntu Disco):
status: New → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.12.1+dfsg-0ubuntu1

---------------
opencryptoki (3.12.1+dfsg-0ubuntu1) focal; urgency=medium

  * New upstream release LP: #1854148, LP: #1852089, LP: #1850294

 -- Dimitri John Ledkov <email address hidden> Thu, 06 Feb 2020 14:59:50 +0000

Changed in opencryptoki (Ubuntu):
status: New → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Revision history for this message
Frank Heimes (fheimes) wrote :

Changing the Eoan entry to Won't Fix, since Eoan reached its EOL: https://lists.ubuntu.com/archives/ubuntu-announce/2020-July/000258.html

Changed in opencryptoki (Ubuntu Eoan):
status: New → Won't Fix
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-09-23 02:50 EDT-------
@Canonical. Any update available here? No change since 2020-07-17. Many thx.

Revision history for this message
Brian Murray (brian-murray) wrote :

The referenced commit did not apply cleanly to the version of opencryptoki in Ubuntu 18.04, but I managed to make the same changes and have uploaded it to my PPA. Could you please test this version of opencryptoki?

https://launchpad.net/~brian-murray/+archive/ubuntu/ppa/+packages

Changed in opencryptoki (Ubuntu Bionic):
assignee: nobody → Brian Murray (brian-murray)
status: New → In Progress
tags: added: fr-763
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-10-16 07:22 EDT-------
Hi Brian,

I started testing on 18.04 and as far as I can see, applying the .deb files went cleanly:

# dpkg -i opencryptoki_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb
(Reading database ... 55068 files and directories currently installed.)
Preparing to unpack opencryptoki_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb ...
Unpacking opencryptoki (3.9.0+dfsg-0ubuntu1.3~ppa2) over (3.9.0+dfsg-0ubuntu1.3~ppa2) ...
Setting up opencryptoki (3.9.0+dfsg-0ubuntu1.3~ppa2) ...
Adding group `pkcs11' (GID 117) ...
Done.
Adding user `root' to group `pkcs11' ...
Adding user root to group pkcs11
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/pkcsslotd.service -> /lib/systemd/system/pkcsslotd.service.
Processing triggers for systemd (237-3ubuntu10.40) ...
Processing triggers for ureadahead (0.100.0-20) ...
Processing triggers for man-db (2.8.3-2) ...

# dpkg -i libopencryptoki-dev_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb
(Reading database ... 55068 files and directories currently installed.)
Preparing to unpack libopencryptoki-dev_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb ...
Unpacking libopencryptoki-dev:s390x (3.9.0+dfsg-0ubuntu1.3~ppa2) over (3.9.0+dfsg-0ubuntu1.3~ppa2) ...
Setting up libopencryptoki-dev:s390x (3.9.0+dfsg-0ubuntu1.3~ppa2) ...

# dpkg -i libopencryptoki0_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb
(Reading database ... 55068 files and directories currently installed.)
Preparing to unpack libopencryptoki0_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb ...
Unpacking libopencryptoki0:s390x (3.9.0+dfsg-0ubuntu1.3~ppa2) over (3.9.0+dfsg-0ubuntu1.3~ppa2) ...
Setting up libopencryptoki0:s390x (3.9.0+dfsg-0ubuntu1.3~ppa2) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

After applying the .deb files I saw that the ep11token is not available.

When initializing the icatoken I'm getting:

# pkcsconf -I -c 4
error: invalid SEQUENCE
Enter the SO PIN:

Never saw this "invalid SEQUENCE" msg before. But the icatoken appears as initialized after setting the pins.

When trying to invoke the pkcstok_migrate utility, I'm getting:

# pkcstok_migrate
pkcstok_migrate: command not found

Same for the p11sak command that I would use to create some keys.

Any hints on what I'm probably doing wrong?

Kind regards, Joerg

Revision history for this message
Brian Murray (brian-murray) wrote :

It seems that the 3.9.0 version of opencryptoki doesn't ship the commands that you are trying to use.

 $ dpkg-deb -c opencryptoki_3.14.0+dfsg-0ubuntu3_s390x.deb | grep sbin
drwxr-xr-x root/root 0 2020-09-17 07:14 ./usr/sbin/
-rwxr-xr-x root/root 34744 2020-09-17 07:14 ./usr/sbin/p11sak
-rwxr-xr-x root/root 88200 2020-09-17 07:14 ./usr/sbin/pkcscca
-rwxr-xr-x root/root 63592 2020-09-17 07:14 ./usr/sbin/pkcsconf
-rwxr-xr-x root/root 38864 2020-09-17 07:14 ./usr/sbin/pkcsep11_migrate
-rwxr-xr-x root/root 47048 2020-09-17 07:14 ./usr/sbin/pkcsep11_session
-rwxr-xr-x root/root 104456 2020-09-17 07:14 ./usr/sbin/pkcsicsf
-rwxr-xr-x root/root 88648 2020-09-17 07:14 ./usr/sbin/pkcsslotd
-rwxr-xr-x root/root 84024 2020-09-17 07:14 ./usr/sbin/pkcstok_migrate

 $ dpkg-deb -c opencryptoki_3.9.0+dfsg-0ubuntu1.2_s390x.deb | grep sbin
drwxr-xr-x root/root 0 2019-08-19 08:46 ./usr/sbin/
-rwxr-xr-x root/root 59792 2019-08-19 08:46 ./usr/sbin/pkcscca
-rwxr-xr-x root/root 51144 2019-08-19 08:46 ./usr/sbin/pkcsconf
-rwxr-xr-x root/root 30800 2019-08-19 08:46 ./usr/sbin/pkcsep11_migrate
-rwxr-xr-x root/root 34888 2019-08-19 08:46 ./usr/sbin/pkcsep11_session
-rwxr-xr-x root/root 71688 2019-08-19 08:46 ./usr/sbin/pkcsicsf
-rwxr-xr-x root/root 118240 2019-08-19 08:46 ./usr/sbin/pkcsslotd

Are these required to verify and fix the bug?

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-10-19 04:02 EDT-------
Hi Brian,
sorry, I mixed up two different utilities: pkcstok_migrate and pkcsep11_migrate. So my installation is ok, but I tried to check the wrong utility. I checked the commit you mentioned and I'll try to develop some testcase to verify that the fix works with your update.
Kind regards, Joerg

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-10-19 07:41 EDT-------
ok, I did some further testing:
- I re-installed a new Ubuntu 18.04.4 to avoid any side-effects with
previously installed code on this test system
- I installed the ep11 host library 3.0.1
- I applied the 3 .deb files again. I had to install libica3 and libtspi1
before as prereqs.
With this setup the ep11token is unavailable due to errors reported from the zFirmware ep11lib.

Brian, can you send me your opencryptoki source that is used to build the ppa? Perhaps I can see more then. And is there a specific reason for not just using our latest upstream code? We just released opencryptoki 3.15 and I wonder why you use 3.9 as the basis for your code ...

Kind regards, Joerg

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

The pool for the ppa is at http://ppa.launchpad.net/brian-murray/ppa/ubuntu/

you can use dget to fetch the source packages; and dpkg-source -x to extract them,

i.e.

dget http://ppa.launchpad.net/brian-murray/ppa/ubuntu/pool/main/o/opencryptoki/opencryptoki_3.9.0+dfsg-0ubuntu1.3~ppa2.dsc

dpkg-source -x opencryptoki_3.9.0+dfsg-0ubuntu1.3~ppa2.dsc

Also note, when testing a PPA, you are not expected to install .deb files by hand, but instead enable PPA and simply upgrade all the packages from it. I.e.

sudo add-apt-repository ppa:brian-murray/ppa
sudo apt update
sudo apt full-upgrade

These instructions are listed under "add this ppa to your system" on https://launchpad.net/~brian-murray/+archive/ubuntu/ppa

That's more secure than downloading debs, as GPG signatures for the archive are verified & checksums of the debs are validated.
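As an added illustration of that last point (this is not code from the thread, from Launchpad or from apt): apt fetches the archive's Packages index, whose authenticity it has already established through the GPG-signed Release file, and then refuses any .deb whose size or SHA256 does not match the index entry. The script below reproduces only that final index-to-file comparison, the step that is skipped entirely when a .deb is downloaded and installed by hand: it parses Packages stanzas and checks a file against the listed Size and SHA256. The index text and both .deb byte strings are constructed for the example (the package name, version and pool path are the ones from this PPA); the Release signature check that apt performs before trusting the index is outside this example.

```python
"""Check a hand-downloaded .deb against the archive's Packages index.

Added example, not code from apt, Launchpad or this thread. It performs
only the index-to-file comparison; authenticating the index itself (the
GPG-signed Release file apt checks first) is outside this example.
"""
import hashlib
from typing import Dict, List


class DebVerificationError(Exception):
    """Raised when a .deb is not in the index or does not match its entry."""


def parse_packages_index(text: str) -> List[Dict[str, str]]:
    """Parse a Debian Packages index: stanzas of 'Field: value' lines,
    separated by blank lines, with continuation lines starting with a space."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def verify_deb(deb_bytes: bytes, index_text: str,
               package: str, version: str, arch: str) -> str:
    """Return the index Filename of the matching entry, or raise
    DebVerificationError if the package is unknown or size/hash differ."""
    for stanza in parse_packages_index(index_text):
        if (stanza.get("Package"), stanza.get("Version"),
                stanza.get("Architecture")) != (package, version, arch):
            continue
        if int(stanza["Size"]) != len(deb_bytes):
            raise DebVerificationError(
                f"size mismatch: index {stanza['Size']}, file {len(deb_bytes)}")
        digest = hashlib.sha256(deb_bytes).hexdigest()
        if digest != stanza["SHA256"].lower():
            raise DebVerificationError("SHA256 mismatch: file was altered "
                                       "or is not the indexed build")
        return stanza["Filename"]
    raise DebVerificationError(f"{package} {version} ({arch}) not in index")


# Constructed stand-ins: a .deb is an ar archive starting with "!<arch>\n";
# these bytes are not a real package, just something to hash.
GOOD_DEB = b"!<arch>\n" + b"debian-binary   " + b"2.0\n" * 4
TAMPERED_DEB = GOOD_DEB[:-1] + b"\x00"   # same size, one byte changed
ZERO_HASH = "0" * 64

# Constructed index using the PPA's package name, version and pool path
# from this thread; the hashes are computed from the stand-in bytes.
PACKAGES_INDEX = f"""\
Package: opencryptoki
Version: 3.9.0+dfsg-0ubuntu1.3~ppa2
Architecture: s390x
Filename: pool/main/o/opencryptoki/opencryptoki_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb
Size: {len(GOOD_DEB)}
SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}
Description: PKCS#11 implementation (constructed index entry)
 Continuation line, as real Description fields have.

Package: libopencryptoki0
Version: 3.9.0+dfsg-0ubuntu1.3~ppa2
Architecture: s390x
Filename: pool/main/o/opencryptoki/libopencryptoki0_3.9.0+dfsg-0ubuntu1.3~ppa2_s390x.deb
Size: 1
SHA256: {ZERO_HASH}
"""

if __name__ == "__main__":
    pkg = ("opencryptoki", "3.9.0+dfsg-0ubuntu1.3~ppa2", "s390x")
    print("good deb ->", verify_deb(GOOD_DEB, PACKAGES_INDEX, *pkg))
    try:
        verify_deb(TAMPERED_DEB, PACKAGES_INDEX, *pkg)
    except DebVerificationError as err:
        print("tampered deb ->", err)
```

The tampered copy keeps the exact size of the good one, so the Size field alone would pass; only the SHA256 comparison catches the single changed byte, which is why apt checks both.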

Revision history for this message
Brian Murray (brian-murray) wrote : Re: [Bug 1854148] Comment bridged from LTC Bugzilla

On Mon, Oct 19, 2020 at 11:50:00AM -0000, bugproxy wrote:
> ------- Comment From <email address hidden> 2020-10-19 07:41 EDT-------
> ok, I did some further testing:
> - I re-installed a new Ubuntu 18.04.4 to avoid any side-effects with
> previously installed code on this test system
> - I installed the ep11 host library 3.0.1
> - I applied the 3 .deb files again. I had to install libica3 and libtspi1
> before as prereqs.
> With this setup the ep11token is unavailable due to errors reported from the zFirmware ep11lib.
>
> Brian, can you send me your opencryptoki source that is used to build
> the ppa? Perhaps I can see more then. And is there a specific reason for
> not just using our latest upstream code? We just released opencryptoki
> 3.15 and I wonder why you use 3.9 as the basis for your code ...

3.9 is the major version of opencryptoki in Ubuntu 18.04. We have only
previously done stable release updates of opencryptoki with minimal
changes.

It's also worth noting that Ubuntu 16.04 has version 3.4 of
opencryptoki.

--
Brian Murray

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-10-20 07:44 EDT-------
Brian, thanks for the hint on installing the ppa!
In fact I now have a working opencryptoki 3.9 with the ppa on top, and I see in the source package that the mentioned commit is applied in the ppa. I'm now discussing with a colleague the steps for verifying the correct functionality. I've never used the pkcsep11_migrate utility before, but it looks like I have to setup a new master key inside the HSM (which I think will be the biggest effort), migrate an existing token repository, and finally check if the secure keys in the migrated repository can be used. I'll get you posted when I have any results.
Kind regards, Joerg

Revision history for this message
Brian Murray (brian-murray) wrote :

Do you have any more information about verifying the functionality? I'd like to help get this uploaded to the SRU queue.

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-11-11 03:56 EDT-------
IBM will take a look. Sorry for the delay...

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2020-11-12 11:07 EDT-------
Hello Brian,

Good news: I could verify your ppa successfully. I ran into several problems setting up a test system for this verification, but finally got it to work.

Output from the pkcsep11_migrate utility without your ppa:

# pkcsep11_migrate -slot 4 -adapter 16 -domain 76
Using slot #4...
Enter the USER PIN:
Card ID 0x10, domain ID 76 has committed pending(next) WK
going to reencrpyt key 0 with blob len 0 rsakey
reencryption success obj 0 rsakey
going to reencrpyt key 1 with blob len 30820122300d0609 rsakey
reencrypt cmd block construction failed

Output after I applied the ppa:

# pkcsep11_migrate -slot 4 -adapter 16 -domain 76
Using slot #4...
Enter the USER PIN:
Card ID 0x10, domain ID 76 has committed pending(next) WK
going to reencrpyt key 0 with blob len 970: 'rsakey'
reencryption success obj: 0 rsakey:
going to reencrpyt key 1 with blob len 1a6: 'rsakey'
reencryption success obj: 1 rsakey:
all keys successfully reencrypted

So ok from my side. Sorry for the long delay!
Joerg
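The two transcripts above show concretely what the [Test Case] in the description can only describe: the unpatched tool reports a successful re-encryption for a key with "blob len 0" and then fails on the next key, whose length field reads 30820122300d0609, which is a DER SEQUENCE header rather than a length (key bytes being read where the old struct ep11_opaque header used to be, consistent with the [Impact] note that CKA_IBM_OPAQUE now holds the raw blob). The following added example, which is not part of openCryptoki or of this thread, parses pkcsep11_migrate output in both the old and the fixed form and flags exactly those conditions, so a run can be checked mechanically when verifying the package. The two transcripts are reconstructed from the comments above; MAX_PLAUSIBLE_BLOB_LEN is an assumed sanity bound, not a value defined by the tool or the EP11 host library.

```python
"""Check a pkcsep11_migrate run for per-key re-encryption results.

Added example, not part of openCryptoki or of this bug thread; it only
parses the tool's console output in the form quoted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed upper bound for a plausible EP11 key blob; not a constant of the
# EP11 host library, just a sanity limit for this check.
MAX_PLAUSIBLE_BLOB_LEN = 64 * 1024

# Accepts the unpatched form ("blob len 0 rsakey") and the fixed form
# ("blob len 970: 'rsakey'"). The tool prints the length in hex.
START_RE = re.compile(
    r"^going to reencrpyt key (\d+) with blob len ([0-9a-fA-F]+):? '?(.*?)'?$")
SUCCESS_RE = re.compile(r"^reencryption success obj:? (\d+)")
FAIL_MARK = "reencrypt cmd block construction failed"
ALL_OK_MARK = "all keys successfully reencrypted"


@dataclass
class KeyResult:
    index: int
    label: str
    blob_len: int            # bytes, decoded from the hex field
    status: str = "pending"  # "ok", "failed" or "suspicious"
    note: str = ""


@dataclass
class MigrationReport:
    keys: List[KeyResult] = field(default_factory=list)
    completed: bool = False  # final "all keys successfully reencrypted" seen

    @property
    def healthy(self) -> bool:
        return (self.completed and bool(self.keys)
                and all(k.status == "ok" for k in self.keys))


def _plausibility_note(blob_len: int) -> str:
    if blob_len == 0:
        return "empty blob"
    if blob_len > MAX_PLAUSIBLE_BLOB_LEN:
        return "implausible length 0x%x (key data read as a length field?)" % blob_len
    return ""


def parse_migrate_log(text: str) -> MigrationReport:
    report = MigrationReport()
    current: Optional[KeyResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            idx, hexlen, label = m.groups()
            blob_len = int(hexlen, 16)
            current = KeyResult(int(idx), label, blob_len,
                                note=_plausibility_note(blob_len))
            report.keys.append(current)
            continue
        m = SUCCESS_RE.match(line)
        if m and current is not None:
            if int(m.group(1)) != current.index:
                current.note = f"success reported for obj {m.group(1)}"
            # A success for an empty or absurd blob is not a real success.
            current.status = "suspicious" if current.note else "ok"
        elif FAIL_MARK in line and current is not None:
            current.status = "failed"
            current.note = "; ".join(filter(None, [current.note, FAIL_MARK]))
        elif line == ALL_OK_MARK:
            report.completed = True
    return report


def summarize(report: MigrationReport) -> List[str]:
    lines = [f"key {k.index} ({k.label}): {k.status}, {k.blob_len} bytes"
             + (f" [{k.note}]" if k.note else "") for k in report.keys]
    lines.append("run healthy" if report.healthy else "run NOT healthy")
    return lines


# Reconstructed from the two transcripts in this thread: unpatched 18.04
# tool first, then the PPA build with the fix applied.
BEFORE_FIX = """\
Using slot #4...
Enter the USER PIN:
Card ID 0x10, domain ID 76 has committed pending(next) WK
going to reencrpyt key 0 with blob len 0 rsakey
reencryption success obj 0 rsakey
going to reencrpyt key 1 with blob len 30820122300d0609 rsakey
reencrypt cmd block construction failed
"""

AFTER_FIX = """\
Using slot #4...
Enter the USER PIN:
Card ID 0x10, domain ID 76 has committed pending(next) WK
going to reencrpyt key 0 with blob len 970: 'rsakey'
reencryption success obj: 0 rsakey:
going to reencrpyt key 1 with blob len 1a6: 'rsakey'
reencryption success obj: 1 rsakey:
all keys successfully reencrypted
"""

if __name__ == "__main__":
    for title, log in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(f"--- {title} ---")
        print("\n".join(summarize(parse_migrate_log(log))))
```

The check deliberately treats "reencryption success" for a zero-length blob as suspicious rather than as a pass: in the unpatched run that line is printed for key 0, so a verifier that only grepped for "success" would have accepted a broken migration.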

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted opencryptoki into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.9.0+dfsg-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in opencryptoki (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-11-26 04:03 EDT-------
Verified successfully on 18.04.5 LTS:

# pkcsep11_migrate -slot 4 -adapter 16 -domain 76
Using slot #4...
Enter the USER PIN:
Card ID 0x10, domain ID 76 has committed pending(next) WK
going to reencrpyt key 0 with blob len 240: 'myeckey'
reencryption success obj: 0 myeckey:
going to reencrpyt key 1 with blob len 970: 'myrsakey'
reencryption success obj: 1 myrsakey:
going to reencrpyt key 2 with blob len db: 'myeckey'
reencryption success obj: 2 myeckey:
going to reencrpyt key 3 with blob len 1a6: 'myrsakey'
reencryption success obj: 3 myrsakey:
all keys successfully reencrypted

Revision history for this message
Frank Heimes (fheimes) wrote :

Thanks for verifying on bionic! I'm adjusting the tags accordingly ...

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Changed in opencryptoki (Ubuntu Xenial):
status: New → Won't Fix
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for opencryptoki has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.9.0+dfsg-0ubuntu1.3

---------------
opencryptoki (3.9.0+dfsg-0ubuntu1.3) bionic; urgency=medium

  * Fix re-encryption of EP11 key blobs. (LP: #1854148)

 -- Brian Murray <email address hidden> Mon, 28 Sep 2020 11:29:31 -0700

Changed in opencryptoki (Ubuntu Bionic):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-12-15 08:28 EDT-------
IBM Bugzilla status->closed. Fix Released for all requested distros
