[Bug 1968259] Re: [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too strictly (s390-tools)

Frank Heimes 1968259 at bugs.launchpad.net
Fri Apr 8 16:55:35 UTC 2022 

** Merge proposal linked:
   https://code.launchpad.net/~fheimes/ubuntu/+source/s390-tools-signed/+git/s390-tools-signed/+merge/419135

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1968259

Title:
  [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too
  strictly (s390-tools)

Status in Ubuntu on IBM z Systems:
  New
Status in s390-tools package in Ubuntu:
  In Progress
Status in s390-tools-signed package in Ubuntu:
  In Progress
Status in s390-tools source package in Focal:
  New
Status in s390-tools-signed source package in Focal:
  New
Status in s390-tools source package in Impish:
  New
Status in s390-tools-signed source package in Impish:
  New
Status in s390-tools source package in Jammy:
  In Progress
Status in s390-tools-signed source package in Jammy:
  In Progress

Bug description:
  == Comment: #0 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:16:49 ==
  The s390-tools script check_hostkeydoc can be used to perform the verification of the chain of trust for Secure Execution host key documents.
  The certificate verification is however too strict and doesn't match the checking performed by genprotimg.
  Affected is the OU field in the issuer DN of the host key document. As a consequence, verification failures will occur for host key documents issued for newer hardware generations like IBM z16.

  == Comment: #1 - Viktor Mihajlovski <MIHAJLOV at de.ibm.com> - 2022-04-07 09:18:08 ==
  Fixed by:

  https://github.com/ibm-s390-linux/s390-tools

  commit 673ff375d939d3cde674f8f99a62d456f8b1673d
  Author: Viktor Mihajlovski <mihajlov at linux.ibm.com>
  Date:   Tue Mar 15 12:55:02 2022 +0100

      genprotimg/check_hostkeydoc: relax default issuer check

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1968259/+subscriptions

More information about the Ubuntu-sponsors mailing list