[Bug 1990520] Re: [Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Frank Heimes
1990520 at bugs.launchpad.net
Tue Sep 27 16:37:12 UTC 2022
** Description changed:
- Description:
- zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
+ SRU Justification:
+ ------------------
- Symptom:
+ [ Impact ]
+
+ * When re-enciphering the identity key
+ and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher',
+ the operation completes without an error,
+ but the secure keys are left un-reenciphered.
+
+ * A subsequent connection attempt with the KMIP server will fail
+ because the identity key is no longer valid.
+
+ * The re-enciphered secure key is not copied back into the key token
+ buffer.
+
+ * Also, the the public key part,
+ i.e. the MACed SubjectPublicKeyInfo (SPKI) structure
+ must also be re-enciphered (i.e. re-MACed),
+ since the MAC is calculated with the EP11 master key.
+
+ [ Fix ]
+
+ * 4e2ebe03 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 "libseckey: Fix re-
+ enciphering of EP11 secure key"
+
+ [ Test Plan ]
+
+ * An Ubuntu Server 22.04 for s390x installation with a CryptoExpress
+ adapter in EP11 mode and at least one available/online domain is needed.
+
+ * Perform a master key change on the EP11 APQNs used with the KMIP
+ plugin.
+
+ * The is done indirectly, via libkmipclient, a shared library that
+ provides the KMIP client to communicate with an KMIP server.
+
+ * Test will be done by IBM.
+
+ [ Where problems could occur ]
+
+ * The memcpy, at the beginning and/or at the end or the inserted code
+ could be wrong, and copy wrong contents.
+
+ * The newly introduced 're-encipher MACed SPKI' code can be erroneous,
+ which may lead to a non working fix.
+
+ * The calculation and handling of the length which could lead to a
+ broken cmdblock.
+
+ * Problems could occur in case the re-encryption is done with a different
+ master key compared to the initial encryption,
+ even though if this should be caught as 'CKR_IBM_WKID_MISMATCH'.
+
+ [ Other Info ]
+
+ * The s390-tools version v2.23 in kinetic already incl. this fix,
+ hence it's not affected,
+ nor versions for Ubuntu releases (in service) older than jammy
+ are affected.
+
+ __________
+
+ Description:
+ zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
+
+ Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.
- Solution:
+ Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
- KMIP plugin.
+ KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <ifranzki at linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifranzki at de.ibm.com> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
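Review bot: The [ Test Plan ] section names the setup and the trigger (a master key change on the EP11 APQNs) but gives no pass criterion, and its third bullet ("The is done indirectly, via libkmipclient") does not say what is done. Because the Impact section states that 'zkey kms reencipher' completes without an error even when the keys are left un-reenciphered, the exit status cannot serve as the check. The plan should spell out running 'zkey kms reencipher' after the master key change and then confirming that a connection to the KMIP server still succeeds, since that connection failure is the symptom the Impact section describes.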
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1990520
Title:
[Ubuntu 22.04] zkey: Fix re-enciphering of EP11 identity key of KMIP
plugin
Status in Ubuntu on IBM z Systems:
In Progress
Status in s390-tools package in Ubuntu:
In Progress
Status in s390-tools-signed package in Ubuntu:
In Progress
Bug description:
SRU Justification:
------------------
[ Impact ]
* When re-enciphering the identity key
and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher',
the operation completes without an error,
but the secure keys are left un-reenciphered.
* A subsequent connection attempt with the KMIP server will fail
because the identity key is no longer valid.
* The re-enciphered secure key is not copied back into the key token
buffer.
* Also, the public key part,
i.e. the MACed SubjectPublicKeyInfo (SPKI) structure
must also be re-enciphered (i.e. re-MACed),
since the MAC is calculated with the EP11 master key.
[ Fix ]
* 4e2ebe03 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 "libseckey: Fix
re-enciphering of EP11 secure key"
[ Test Plan ]
* An Ubuntu Server 22.04 for s390x installation with a CryptoExpress
adapter in EP11 mode and at least one available/online domain is needed.
* Perform a master key change on the EP11 APQNs used with the KMIP
plugin.
* This is done indirectly, via libkmipclient, a shared library that
provides the KMIP client to communicate with a KMIP server.
* Test will be done by IBM.
[ Where problems could occur ]
* The memcpy, at the beginning and/or at the end or the inserted code
could be wrong, and copy wrong contents.
* The newly introduced 're-encipher MACed SPKI' code can be erroneous,
which may lead to a non-working fix.
* The calculation and handling of the length could lead to a
broken cmdblock.
* Problems could occur in case the re-encryption is done with a different
master key compared to the initial encryption,
even though this should be caught as 'CKR_IBM_WKID_MISMATCH'.
[ Other Info ]
* The s390-tools version v2.23 in kinetic already includes this fix,
hence it's not affected,
nor are versions for Ubuntu releases (in service) older than jammy
affected.
__________
Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <ifranzki at linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifranzki at de.ibm.com> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1990520/+subscriptions
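The two-part defect from the description above, as an added toy model in C (not libseckey or s390-tools code): the XOR wrapping, the keyed checksum, the token layout and all function names are constructed stand-ins for the EP11 adapter and key token. It shows why a re-encipher that reports success still leaves the token unusable unless the result is copied back and the SPKI is re-MACed.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN 16
#define MAC_LEN 4

/* Toy key token (constructed layout, not the EP11 blob format). */
struct key_token {
    uint8_t blob[KEY_LEN];     /* key material wrapped by the master key */
    uint8_t spki[KEY_LEN];     /* public key info, stored in the clear */
    uint8_t spki_mac[MAC_LEN]; /* MAC over spki, keyed by the master key */
};
/* Stand-ins for the adapter: XOR wrapping and a keyed checksum, not real crypto. */
static void wrap(uint8_t *out, const uint8_t *in, uint8_t mk) {
    for (int i = 0; i < KEY_LEN; i++) out[i] = in[i] ^ mk;
}
static void mac(uint8_t *out, const uint8_t *spki, uint8_t mk) {
    memset(out, mk, MAC_LEN);
    for (int i = 0; i < KEY_LEN; i++) out[i % MAC_LEN] ^= (uint8_t)(spki[i] + i);
}

/* A token is usable under mk only if the blob unwraps and the SPKI MAC verifies. */
int token_valid(const struct key_token *t, const uint8_t *clear, uint8_t mk) {
    uint8_t k[KEY_LEN], m[MAC_LEN];
    wrap(k, t->blob, mk); /* XOR is its own inverse */
    mac(m, t->spki, mk);
    return !memcmp(k, clear, KEY_LEN) && !memcmp(m, t->spki_mac, MAC_LEN);
}

/* Always reports success (0); the flags select which parts of the fix are applied. */
int reencipher(struct key_token *t, uint8_t old_mk, uint8_t new_mk, int copy_back, int remac) {
    uint8_t clear[KEY_LEN], tmp[KEY_LEN];
    wrap(clear, t->blob, old_mk);
    wrap(tmp, clear, new_mk);                     /* result lands in a scratch buffer */
    if (copy_back) memcpy(t->blob, tmp, KEY_LEN); /* fix part 1: write it back */
    if (remac) mac(t->spki_mac, t->spki, new_mk); /* fix part 2: re-MAC the SPKI */
    return 0;
}

/* Build a token under old_mk, rotate to new_mk, return its validity under new_mk. */
int valid_after_rotation(int copy_back, int remac) {
    const uint8_t clear[KEY_LEN] = "constructed-key";
    const uint8_t old_mk = 0x5A, new_mk = 0xC3;   /* constructed master keys */
    struct key_token t;
    wrap(t.blob, clear, old_mk);
    memcpy(t.spki, "constructed-spki", KEY_LEN);
    mac(t.spki_mac, t.spki, old_mk);
    if (reencipher(&t, old_mk, new_mk, copy_back, remac) != 0) return -1;
    return token_valid(&t, clear, new_mk);
}
int main(void) { return valid_after_rotation(1, 1) == 1 ? 0 : 1; }
```

Calling `valid_after_rotation(0, 0)` models the reported behaviour, and `valid_after_rotation(1, 0)` shows that copying the key back without re-MACing the SPKI is still not enough.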