[UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners |
opencryptoki (Ubuntu) | Fix Released | Undecided | Canonical Foundations Team |
Xenial | Won't Fix | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Brian Murray |
Disco | Won't Fix | Undecided | Unassigned |
Eoan | Won't Fix | Undecided | Unassigned |

Bug Description
SRU Justification:
------------------
[Impact]
* With commit 2668e8f the contents of attribute CKA_IBM_OPAQUE have been changed to contain the raw EP11 blob directly, no longer wrapped into struct ep11_opaque.
* The pkcsep11_migrate tool now needs to be corrected in a way that it also expects the raw blob in attribute CKA_IBM_OPAQUE to match what the EP11 token provides.
[Fix]
* 316e35e55b1fe90
[Test Case]
* An s390x system (LPAR or z/VM) with at least one crypto domain online and a master key set is needed.
* Install the opencryptoki package on that system, which includes the pkcsep11_migrate tool.
* Use pkcsep11_migrate to re-encrypt EP11 token keys in preparation for a master key change in the EP11 adapter.
[Regression Potential]
* The regression potential can be considered moderate, since:
  * this is limited to EP11 token key migration and re-encryption situations
  * and the patch modifies the pkcsep11_migrate utility only, hence will not affect other pkcs* tools
  * and right now the pkcsep11_migrate utility is broken anyway
[Other Info]
* On top of that, the patch "pkcsep11_migrate: Fix re-encryption of EP11 key blobs" fixes some minor things to make re-encryption really work.
__________
We just released openCryptoki 3.12.1 to fix a bug in the pkcs11_migrate tool.
Change Log:
- Fix pkcsep11_migrate tool
https:/
https:/
Please update the feature request to either..
- include the 3.12.1 bug-fix release ..
- .. or include the following commit on top of 3.12:
https:/
"
This fix is applicable to openCryptoki >= 3.4, which means:
20.04
19.10
18.04
16.04
tags: added: architecture-s39064 bugnameltc-182597 severity-high targetmilestone-inin1910
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
description: updated
Changed in ubuntu-z-systems:
status: Triaged → In Progress
tags: added: fr-763
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Since we don't do version bumps on Ubuntu versions that are already released, we will probably just cherry-pick the fix for 19.10, 19.04, 18.04, and 16.04.
20.04 may come with an updated package, like 3.12.1.