group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Frank Heimes <1854148@xxxxxxxxxxxxxxxxxx>
Date: Mon, 14 Dec 2020 19:25:12 -0000
Reply-to: Bug 1854148 <1854148@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: ubuntu-z-systems
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1854148

Title:
  [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key
  blobs

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in opencryptoki package in Ubuntu:
  Fix Released
Status in opencryptoki source package in Xenial:
  Won't Fix
Status in opencryptoki source package in Bionic:
  Fix Released
Status in opencryptoki source package in Disco:
  Won't Fix
Status in opencryptoki source package in Eoan:
  Won't Fix

Bug description:
  SRU Justification:
  ------------------

  [Impact]

   * With commit 2668e8f the contents of attribute CKA_IBM_OPAQUE has
  been changed to contain the raw EP11 blob directly, no longer wrapped
  into struct ep11_opaque.

   * The pkcsep11_migrate tool now needs to be corrected in a way that
  it also expects the raw blob in attribute CKA_IBM_OPAQUE to match what
  the EP11 token provides.

  [Fix]

  * 316e35e55b1fe90d963186d54e7d8c4f77ce94ed "pkcsep11_migrate: Fix re-
  encryption of EP11 key blobs"

  [Test Case]

   * An s390x system (LPAR or z/VM) with at least one crypto domain
  online and a master key set is needed.

   * Install the opencryptoki package on that system, which includes the
  pkcsep11_migrate tool.

   * Use the pkcsep11_migrate to re-encrypt EP11 token keys in
  preparation of master keys change in the EP11 adapter.

  [Regression Potential]

   * The regression potential can be considered as moderate, since:

   * this is limited to EP11 token keys migration and re-encryption
  situations

   * and the patch modifies the pkcsep11_migrate utility only, hence
  will not effect other pkcs* tools

   * and right now the pkcsep11_migrate utility is broken anyway

  [Other Info]
   
   * On top the patch "pkcsep11_migrate: Fix re-encryption of EP11 key blobs" fixes some minor things to make re-encryption really work.
  __________

  We just released openCryptoki 3.12.1 to fix a bug in the
  pkcs11_migrate tool.

  Change Log:
  - Fix pkcsep11_migrate tool

  https://github.com/opencryptoki/opencryptoki
  https://github.com/opencryptoki/opencryptoki/releases/tag/v3.12.1

  Please update the feature request to either..
  - include the 3.12.1 bug-fix release ..
  - .. or include the following commit on top of 3.12:
  https://github.com/opencryptoki/opencryptoki/commit/316e35e55b1fe90d963186d54e7d8c4f77ce94ed
  "

  This fix is applicable to openCryptoki >= 3.4, which means:

  20.04
  19.10
  18.04
  16.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions