[Bug 1968259] Re: [UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)
Steve Langasek
1968259 at bugs.launchpad.net
Fri May 6 19:27:13 UTC 2022
Hello bugproxy, or anyone else affected,
Accepted s390-tools into impish-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/s390-tools/2.17.0-0ubuntu2.1 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-impish to verification-done-impish. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-impish. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: s390-tools (Ubuntu Impish)
Status: In Progress => Fix Committed
** Tags added: verification-needed verification-needed-impish
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1968259
Title:
[UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate
issuer too strictly (s390-tools)
Status in Ubuntu on IBM z Systems:
In Progress
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Committed
Status in s390-tools source package in Impish:
Fix Committed
Status in s390-tools-signed source package in Impish:
In Progress
Status in s390-tools source package in Jammy:
Fix Released
Status in s390-tools-signed source package in Jammy:
Fix Released
Bug description:
SRU Justification:
==================
[Impact]
* The s390-tools script check_hostkeydoc can be used to perform the
verification of the chain of trust for Secure Execution host key documents.
* The certificate verification is however too strict and doesn't match the
checking performed by the genprotimg tool.
* Affected is the OU field in the issuer DN of the host key document.
As a consequence, verification failures will occur for host key documents
issued for newer hardware generations like IBM z16.
* While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal by this fix/commit.
* So the default issuer check got relaxed by stripping off characters
preceding "Key Signing Service".
[Fix]
* 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d
("genprotimg/check_hostkeydoc: relax default issuer check")
[Test Plan]
* The usage of secure execution is nicely documented at the
'Introducing IBM Secure Execution for Linux' docs.
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
Relevant for this fix is paragraph 'Verifying the host key document'
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
* Especially notice the 'About this task' section that references the
check_hostkeydoc script to perform the verification steps.
+ Due to the fact that Secure Execution requires z15 as a minimal
hardware level, the testing is done by IBM.
[Where problems could occur]
* Problem can occur in the check_hostkeydoc helper script only.
* The script can become broken at all and may refuse to properly verify
even valid signed keys.
* The sed statement in the script might be wrong and cut out a wrong
organizationalUnitName.
* And since this is a helper script and the verification can also be done
without this script, the risk is not too high.
* A verification can be done with check_hostkeydoc and with the manual
steps (with a valid and invalid signed key) to validate equal results.
* The modifications are relatively straightforward:
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
* And overall this is an s390x topic only, and even there only relevant for
Secure Execution (KVM) TEE environments only.
[Other Info]
* This does not affect focal (like initially indicated),
since focal's s390-tools version does not include the
check_hostkeydoc file.
__________
== Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:16:49 ==
The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.
== Comment: #1 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:18:08 ==
Fixed by:
https://github.com/ibm-s390-linux/s390-tools
commit 673ff375d939d3cde674f8f99a62d456f8b1673d
Author: Viktor Mihajlovski <mihajlov at linux.ibm.com>
Date: Tue Mar 15 12:55:02 2022 +0100
genprotimg/check_hostkeydoc: relax default issuer check
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968259/+subscriptions
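The relaxed issuer check from the bug description (any OU ending with "Key Signing Service" is accepted, by stripping the characters preceding it), as an added example; this is not the check_hostkeydoc script or the upstream commit. The function names, the sed expression and all DN strings are constructed for illustration, and DNs are assumed to be comma-separated without escaped commas.

```shell
#!/bin/sh
# Added example, not s390-tools code. All DN strings below are constructed.
SUFFIX="Key Signing Service"
DEFAULT_OU="IBM Z Host Key Signing Service"  # original default OU named in the bug

# Constructed issuer DNs: original OU, a newer-generation OU (made up),
# an OU that only contains the phrase, and a DN without any OU.
DN_ORIG="CN=Example Signing CA,OU=IBM Z Host Key Signing Service,O=Example Corp,C=US"
DN_NEWER="CN=Example Signing CA,OU=Example Gen2 Host Key Signing Service,O=Example Corp,C=US"
DN_MIDDLE="CN=Example Signing CA,OU=Key Signing Service Test Lab,O=Example Corp,C=US"
DN_NO_OU="CN=Example Signing CA,O=Example Corp,C=US"

# Print the first OU value of a DN, or an empty line if there is none.
get_ou() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *OU=//p' | head -n 1
}

# Strip everything preceding the suffix. The pattern is anchored at the end
# of the value, so an OU that merely contains the phrase is left unchanged.
relax_ou() {
    printf '%s\n' "$1" | sed "s/^.*\($SUFFIX\)\$/\1/"
}

# Strict check: the OU must equal the original default exactly.
strict_ok() {
    [ "$(get_ou "$1")" = "$DEFAULT_OU" ]
}

# Relaxed check: compare both sides after stripping the prefix.
relaxed_ok() {
    [ "$(relax_ou "$(get_ou "$1")")" = "$(relax_ou "$DEFAULT_OU")" ]
}

for dn in "$DN_ORIG" "$DN_NEWER" "$DN_MIDDLE" "$DN_NO_OU"; do
    if strict_ok "$dn"; then s=pass; else s=fail; fi
    if relaxed_ok "$dn"; then r=pass; else r=fail; fi
    printf 'OU=%-40s strict=%s relaxed=%s\n' "$(get_ou "$dn")" "$s" "$r"
done
```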