[Bug 1990520] Re: [Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP plugin

Frank Heimes 1990520 at bugs.launchpad.net
Tue Sep 27 14:39:30 UTC 2022


The debdiff for the s390-tools and s390-tools-signed packages for this
bug LP#1990520 as well as for LP#1990524 (all in one) are attached here.

(I do not subscribe the ubuntu-sponsors yet, since I want to wait until
2.20.0-0ubuntu3.2 is completed - so far it's still unapproved in jammy's
upload queue.)

** Attachment added: "debdiffs.tgz"
   https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1990520/+attachment/5619462/+files/debdiffs.tgz

** Changed in: s390-tools-signed (Ubuntu)
       Status: New => In Progress

** Changed in: s390-tools (Ubuntu)
       Status: New => In Progress

** Changed in: ubuntu-z-systems
       Status: New => In Progress

https://bugs.launchpad.net/bugs/1990520

Title:
  [Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP
  plugin

Status in Ubuntu on IBM z Systems:
  In Progress
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress

Bug description:
  Description:   
  zkey: Fix re-enciphering of EP11 identity key of KMIP plugin 

  Symptom:       
  When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.

  Problem:
  The re-enciphered secure key is not copied back into the key token buffer. Also, the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure, must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.

  Solution:      
  Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.

  Reproduction:  Perform a master key change on the EP11 APQNs used with the
                 KMIP plugin.

  Problem-ID:    197605

  Upstream-ID:   4e2ebe0370d9fb036b7554d5ac5df4418dbe0397

  Preventive:    yes

  Date:          2022-04-08
  Author:        Ingo Franzki <ifranzki at linux.ibm.com>
  Component:     s390-tools

  == Comment: #1 - Ingo Franzki <ifranzki at de.ibm.com> - 2022-04-08 09:57:45 ==
  Upstream commit:
  https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
