s390-tools/s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch

Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check
From: Marc Hartmayer <mhartmay@linux.ibm.com>

Description:   genprotimg/check_hostkeydoc: cert. verification is too strict
Symptom:       Verification failures will occur for newer host key documents
Problem:       The certificate verification of check_hostkeydoc is too strict
               and doesn't match the checking performed by genprotimg. This
               applies to the OU field in the issuer DN of the host key
               document. As a consequence verification failures will occur for
               host key documents issued for hardware generations newer than
               IBM z15.
               
               DigiCert is the CA issuing the signing certificate for Secure
               Execution host key documents. This certificate is used for the
               verification of the host key document validity. Recently,
               DigiCert has changed the root CA certificate used for issuance
               of the signing certificates.  As genprotimg is checking the CA
               serial, the verification of the chain of trust will fail. As a
               workaround, it is possible to disable certificate verification,
               but this is not recommended because it makes it easier to
               provide a fake host key document. Since the previously issued
               host key documents are expiring in April 2022, it is necessary
               to fix genprotimg to accept the newly issued host key
               documents.
Solution:      Relax the certificate verification
Reproduction:  Use a new host key document
Upstream-ID:   673ff375d939d3cde674f8f99a62d456f8b1673d
Problem-ID:    197604

Upstream-Description:

              genprotimg/check_hostkeydoc: relax default issuer check

              While the original default issuer's organizationalUnitName (OU)
              was defined as "IBM Z Host Key Signing Service", any OU ending
              with "Key Signing Service" is considered legal.

              Let's relax the default issuer check by stripping off characters
              preceding "Key Signing Service".

              Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
              Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>


Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Index: s390-tools-service/genprotimg/samples/check_hostkeydoc
===================================================================
--- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc
+++ s390-tools-service/genprotimg/samples/check_hostkeydoc
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
 ISSUER_DN_FILE=$(mktemp)
 SUBJECT_DN_FILE=$(mktemp)
 DEF_ISSUER_DN_FILE=$(mktemp)
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
 CRL_SERIAL_FILE=$(mktemp)
 
 # Cleanup on exit
@@ -30,7 +31,7 @@ cleanup()
 {
     rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
         $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
-        $CRL_SERIAL_FILE
+        $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
 }
 trap cleanup EXIT
 
@@ -121,20 +122,31 @@ default_issuer()
     commonName                = International Business Machines Corporation
     countryName               = US
     localityName              = Poughkeepsie
-    organizationalUnitName    = IBM Z Host Key Signing Service
+    organizationalUnitName    = Key Signing Service
     organizationName          = International Business Machines Corporation
     stateOrProvinceName       = New York
 EOF
 }
 
-verify_issuer_files()
+# As organizationalUnitName can have an arbitrary prefix but must
+# end with "Key Signing Service" let's normalize the OU name by
+# stripping off the prefix
+verify_default_issuer()
 {
     default_issuer > $DEF_ISSUER_DN_FILE
 
-    if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+    sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
+	$ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
+
+    if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
     then
         echo Incorrect default issuer >&2 && exit 1
     fi
+}
+
+verify_issuer_files()
+{
+    verify_default_issuer
 
     if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
     then
Accepting request 970173 from home:markkp:branches:Base:System - Added the following patches for bsc#1198285: s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch The certificate verification of check_hostkeydoc is too strict and doesn't match the checking performed by genprotimg. - Added the following patch for bsc#1198284: s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. OBS-URL: https://build.opensuse.org/request/show/970173 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=131 2022-04-14 15:51:10 +02:00			`Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check`
			`From: Marc Hartmayer <mhartmay@linux.ibm.com>`

			`Description: genprotimg/check_hostkeydoc: cert. verification is too strict`
			`Symptom: Verification failures will occur for newer host key documents`
			`Problem: The certificate verification of check_hostkeydoc is too strict`
			`and doesn't match the checking performed by genprotimg. This`
			`applies to the OU field in the issuer DN of the host key`
			`document. As a consequence verification failures will occur for`
			`host key documents issued for hardware generations newer than`
			`IBM z15.`

			`DigiCert is the CA issuing the signing certificate for Secure`
			`Execution host key documents. This certificate is used for the`
			`verification of the host key document validity. Recently,`
			`DigiCert has changed the root CA certificate used for issuance`
			`of the signing certificates. As genprotimg is checking the CA`
			`serial, the verification of the chain of trust will fail. As a`
			`workaround, it is possible to disable certificate verification,`
			`but this is not recommended because it makes it easier to`
			`provide a fake host key document. Since the previously issued`
			`host key documents are expiring in April 2022, it is necessary`
			`to fix genprotimg to accept the newly issued host key`
			`documents.`
			`Solution: Relax the certificate verification`
			`Reproduction: Use a new host key document`
			`Upstream-ID: 673ff375d939d3cde674f8f99a62d456f8b1673d`
			`Problem-ID: 197604`

			`Upstream-Description:`

			`genprotimg/check_hostkeydoc: relax default issuer check`

			`While the original default issuer's organizationalUnitName (OU)`
			`was defined as "IBM Z Host Key Signing Service", any OU ending`
			`with "Key Signing Service" is considered legal.`

			`Let's relax the default issuer check by stripping off characters`
			`preceding "Key Signing Service".`

			`Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>`
			`Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>`
			`Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>`


			`Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>`
			`Index: s390-tools-service/genprotimg/samples/check_hostkeydoc`
			`===================================================================`
			`--- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc`
			`+++ s390-tools-service/genprotimg/samples/check_hostkeydoc`
			`@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)`
			`ISSUER_DN_FILE=$(mktemp)`
			`SUBJECT_DN_FILE=$(mktemp)`
			`DEF_ISSUER_DN_FILE=$(mktemp)`
			`+CANONICAL_ISSUER_DN_FILE=$(mktemp)`
			`CRL_SERIAL_FILE=$(mktemp)`

			`# Cleanup on exit`
			`@@ -30,7 +31,7 @@ cleanup()`
			`{`
			`rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \`
			`$ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \`
			`- $CRL_SERIAL_FILE`
			`+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE`
			`}`
			`trap cleanup EXIT`

			`@@ -121,20 +122,31 @@ default_issuer()`
			`commonName = International Business Machines Corporation`
			`countryName = US`
			`localityName = Poughkeepsie`
			`- organizationalUnitName = IBM Z Host Key Signing Service`
			`+ organizationalUnitName = Key Signing Service`
			`organizationName = International Business Machines Corporation`
			`stateOrProvinceName = New York`
			`EOF`
			`}`

			`-verify_issuer_files()`
			`+# As organizationalUnitName can have an arbitrary prefix but must`
			`+# end with "Key Signing Service" let's normalize the OU name by`
			`+# stripping off the prefix`
			`+verify_default_issuer()`
			`{`
			`default_issuer > $DEF_ISSUER_DN_FILE`

			`- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE`
			`+ sed "s/\(^[ ]organizationalUnitName[ ]=[ ]\).\(Key Signing Service$\)/\1\2/" \`
			`+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE`
			`+`
			`+ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE`
			`then`
			`echo Incorrect default issuer >&2 && exit 1`
			`fi`
			`+}`
			`+`
			`+verify_issuer_files()`
			`+{`
			`+ verify_default_issuer`

			`if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE`
			`then`