[Bug 1990524] Re: [Ubuntu 22.04] zkey: KMIP plugin fails to connection to KMIP server

Frank Heimes 1990524 at bugs.launchpad.net
Tue Sep 27 14:41:59 UTC 2022 

This bug will be fixed as part of LP#1990520.
So please see https://bugs.launchpad.net/bugs/1990520 (comment #2)
for the debdiffs.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1990524

Title:
  [Ubuntu 22.04] zkey: KMIP plugin fails to connection to KMIP server

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  New
Status in s390-tools-signed package in Ubuntu:
  New

Bug description:
  Description:   zkey: KMIP plugin fails to connection to KMIP server

  Symptom:       
  When a zkey key repository is bound to the KMIP plugin, and the connection to the KMIP server is to be configired using command 'zkey kms configure --kmip-server <server>', it fails to connect to the specified KMIP server. 

  Problem:       
  When trying to establish a TSL connection to the KMIP server, the KMIP client sets up an OpenSSL SSL context with its certificate and its private key (which is a secure key) using OpenSSL function SSL_CTX_use_PrivateKey(). When running with OpenSSL 3.0, This calls the secure key provider's match function to check if the private key specified matches the public key of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the private key into the selector bits for the match call, although the certificate only contains the public key part.
  OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the OpenSSL provider's keymgmt_match() function to be not so strict with the selector bits in regards to matching different key parts.
  This means, that if the public key is selected to be matched, and the public key matches (together with any also selected parameters), then the private key is no longer checked, although it may also be selected to be matched. This is according to how the OpenSSL function EVP_PKEY_eq() is supposed to behave.

  Solution:      
  Adapt the secure key provider's match function to behave like the match functions of the providers coming with OpenSSL.

  Reproduction:  Configure a connection to a KMIP server on a system that comes
                 with OpenSSL 3.0.

  Problem-ID:    198268
  Preventive:    yes

  Upstream-ID:   6c5c5f7e558c114ddaa475e96c9ec708049aa423

  Date:          2022-05-17
  Author:        Ingo Franzki <ifranzki at linux.ibm.com>
  Component:     s390-tools

  == Comment: #1 - Ingo Franzki <ifranzki at de.ibm.com> - 2022-05-17 07:40:03 ==
  Upstream commit: https://github.com/ibm-s390-linux/s390-tools/commit/6c5c5f7e558c114ddaa475e96c9ec708049aa423

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1990524/+subscriptions

More information about the foundations-bugs mailing list