[Bug 1982842] Re: [22.10 FEAT] [SEC2209] openCryptoki: PKCS #11 3.1 - support CKA_DERIVE_TEMPLATE

Frank Heimes 1982842 at bugs.launchpad.net
Wed Aug 17 16:40:42 UTC 2022


Ok, so that is what I did to solve this:
I created the following quilt patch:
lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
that removes " -g pkcs11" for p11sak_defined_attrs.conf and strength.conf from Makefile.am
and does the pkcs11 group assignment instead in the postinst script:

In addition I've added "/etc/opencryptoki/p11sak_defined_attrs.conf"
and "/etc/opencryptoki/strength.conf" to the debian/opencryptoki.install(.s390x) file(s)
to get them incl. in the packages.

The changelog was expanded with:
    - Assign pkcs11 group to p11sak_defined_attrs.conf and strength.conf
      in debian/opencryptoki.postinst rather than of Makefile.am
      to solve "invalid group ‘pkcs11’" issues during build.
      Also extend debian/opencryptoki.install and
      debian/opencryptoki.install.s390x to pick up
      /etc/opencryptoki/p11sak_defined_attrs.conf and
      /etc/opencryptoki/strength.conf.

I did a PPA test build (on all major architectures):
https://launchpad.net/~fheimes/+archive/ubuntu/lp1982842-2nd
and also a package install test (amd64 and s390x).
Looks like this on a target system:
# ls -l /etc/opencryptoki/
total 12
-rw-r--r-- 1 root root   773 Aug 15 10:29 opencryptoki.conf
-rw-r--r-- 1 root pkcs11 584 Aug 15 10:29 p11sak_defined_attrs.conf
-rw-r--r-- 1 root pkcs11 866 Aug 15 10:29 strength.conf

Please see attached the updated / new debdiff.

** Patch added: "new_debdiff_opencryptoki_kinetic_from_3.17.0+dfsg+20220202.b40982e-0ubuntu2_to_3.18.0+dfsg-0ubuntu1.diff"
   https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1982842/+attachment/5609367/+files/new_debdiff_opencryptoki_kinetic_from_3.17.0+dfsg+20220202.b40982e-0ubuntu2_to_3.18.0+dfsg-0ubuntu1.diff

-- 
https://bugs.launchpad.net/bugs/1982842

Title:
  [22.10 FEAT] [SEC2209] openCryptoki: PKCS #11 3.1 - support
  CKA_DERIVE_TEMPLATE

Status in Ubuntu on IBM z Systems:
  In Progress
Status in opencryptoki package in Ubuntu:
  In Progress

Bug description:
  Support the new attribute CKA_DERIVE_TEMPLATE introduced with PKCS #11
  v 3.1

  Upstream Target: openCryptoki 3.18.0
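
The message above moves the pkcs11 group assignment from build time to install time. As an added example (not the contents of the actual debian/opencryptoki.postinst, which is not shown on this page), a postinst-style fragment could do the assignment and check the result like this; the function names and the CONF_DIR / CONF_GROUP overrides are assumptions of this sketch:

```shell
#!/bin/sh
# Added example, not the packaged debian/opencryptoki.postinst.
# CONF_DIR and CONF_GROUP are overridable (an assumption of this sketch) so
# the functions can be tried on a scratch directory.
CONF_DIR="${CONF_DIR:-/etc/opencryptoki}"
CONF_GROUP="${CONF_GROUP:-pkcs11}"

# Give both config files group $CONF_GROUP.
# Returns 0 on success, 1 if the group is missing, 2 if chgrp fails.
assign_conf_group() {
    # The group must exist when this runs. On a build machine it need not,
    # which is the "invalid group 'pkcs11'" failure from the Makefile route.
    if ! getent group "$CONF_GROUP" >/dev/null 2>&1; then
        echo "group $CONF_GROUP does not exist" >&2
        return 1
    fi
    for f in p11sak_defined_attrs.conf strength.conf; do
        path="$CONF_DIR/$f"
        [ -L "$path" ] && continue    # do not act through a symlink
        [ -f "$path" ] || continue    # not installed, nothing to do
        chgrp "$CONF_GROUP" "$path" || return 2
    done
    return 0
}

# Check one file against the listing in the message: group $CONF_GROUP and
# no write bit for group or others (e.g. 644).
conf_group_ok() {
    [ "$(stat -c '%G' "$1")" = "$CONF_GROUP" ] || return 1
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *[2367]?|*[2367]) return 1 ;;
    esac
    return 0
}

# dpkg calls a postinst with "configure" as first argument after unpacking.
case "${1:-}" in
    configure) assign_conf_group ;;
esac
```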
