Public bug reported:
Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP
plugin via 'zkey kms reencipher', the operation completes without an error, but
the secure keys are left un-reenciphered. A subsequent connection attempt with
the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer.
Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI)
structure must also be re-enciphered (i.e. re-MACed), since the MAC is
calculated with the EP11 master key.
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also
re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <ifran...@linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifran...@de.ibm.com> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39064 bugnameltc-197607 severity-high
targetmilestone-inin---
** Tags added: architecture-s39064 bugnameltc-197607 severity-high
targetmilestone-inin---
** Changed in: ubuntu
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Package changed: ubuntu => linux (Ubuntu)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1990520
Title:
[Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP
plugin
Status in linux package in Ubuntu:
New
Bug description:
Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP
plugin via 'zkey kms reencipher', the operation completes without an error, but
the secure keys are left un-reenciphered. A subsequent connection attempt with
the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer.
Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI)
structure must also be re-enciphered (i.e. re-MACed), since the MAC is
calculated with the EP11 master key.
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also
re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <ifran...@linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifran...@de.ibm.com> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1990520/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
