s390-tools/s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
Mark Post efbf0ee8b4 Accepting request 970173 from home:markkp:branches:Base:System
- Added the following patches for bsc#1198285:
  s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
  s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
  The certificate verification of check_hostkeydoc is too strict and
  doesn't match the checking performed by genprotimg.
- Added the following patch for bsc#1198284:
  s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  When re-enciphering the identity key and/or wrapping key of the
  zkey KMIP plugin via 'zkey kms reencipher', the operation
  completes without an error, but the secure keys are left
  un-reenciphered.

OBS-URL: https://build.opensuse.org/request/show/970173
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=131
2022-04-14 13:51:10 +00:00


Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Description: genprotimg/check_hostkeydoc: cert. verification is too strict
Symptom: Verification failures will occur for newer host key documents
Problem: The certificate verification of check_hostkeydoc is too strict
and doesn't match the checking performed by genprotimg. This
applies to the OU field in the issuer DN of the host key
document. As a consequence verification failures will occur for
host key documents issued for hardware generations newer than
IBM z15.
DigiCert is the CA issuing the signing certificate for Secure
Execution host key documents. This certificate is used for the
verification of the host key document validity. Recently,
DigiCert has changed the root CA certificate used for issuance
of the signing certificates. As genprotimg is checking the CA
serial, the verification of the chain of trust will fail. As a
workaround, it is possible to disable certificate verification,
but this is not recommended because it makes it easier to
provide a fake host key document. Since the previously issued
host key documents are expiring in April 2022, it is necessary
to fix genprotimg to accept the newly issued host key
documents.
Solution: Relax the certificate verification
Reproduction: Use a new host key document
Upstream-ID: 673ff375d939d3cde674f8f99a62d456f8b1673d
Problem-ID: 197604
Upstream-Description:
genprotimg/check_hostkeydoc: relax default issuer check
While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal.
Let's relax the default issuer check by stripping off characters
preceding "Key Signing Service".
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Index: s390-tools-service/genprotimg/samples/check_hostkeydoc
===================================================================
--- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc
+++ s390-tools-service/genprotimg/samples/check_hostkeydoc
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
ISSUER_DN_FILE=$(mktemp)
SUBJECT_DN_FILE=$(mktemp)
DEF_ISSUER_DN_FILE=$(mktemp)
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
CRL_SERIAL_FILE=$(mktemp)
# Cleanup on exit
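Review bot: the new CANONICAL_ISSUER_DN_FILE=$(mktemp) line follows the existing unchecked pattern, so a failing mktemp leaves the variable empty and the later `> $CANONICAL_ISSUER_DN_FILE` redirect fails with a confusing shell error rather than a clear message; not a regression, but since this patch is touching the temp-file setup anyway, a `|| exit 1` on the new line (and ideally the existing ones) would be cheap.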
@@ -30,7 +31,7 @@ cleanup()
{
rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
$ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
- $CRL_SERIAL_FILE
+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
}
trap cleanup EXIT
@@ -121,20 +122,31 @@ default_issuer()
commonName = International Business Machines Corporation
countryName = US
localityName = Poughkeepsie
- organizationalUnitName = IBM Z Host Key Signing Service
+ organizationalUnitName = Key Signing Service
organizationName = International Business Machines Corporation
stateOrProvinceName = New York
EOF
}
-verify_issuer_files()
+# As organizationalUnitName can have an arbitrary prefix but must
+# end with "Key Signing Service" let's normalize the OU name by
+# stripping off the prefix
+verify_default_issuer()
{
default_issuer > $DEF_ISSUER_DN_FILE
- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
+
+ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
then
echo Incorrect default issuer >&2 && exit 1
fi
+}
+
+verify_issuer_files()
+{
+ verify_default_issuer
if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
then
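Review bot: the relaxed check in verify_default_issuer accepts any organizationalUnitName that ends in "Key Signing Service", with an arbitrary or even empty prefix, so the OU no longer pins the issuer; the comment above the function should state that, and the commit message should make explicit that issuer authenticity now rests on the remaining DN fields and on the certificate chain verification rather than on the OU string. Two smaller points on the sed expression: the `$` anchor means an OU line with trailing whitespace is not normalized and then fails the diff with the same "Incorrect default issuer" message as a genuinely wrong issuer, so consider trimming trailing blanks before the match or letting the diff output reach the operator so the two cases can be told apart; and `[ ]*` matches spaces only, not tabs, which is fine as long as the issuer DN file is always produced by the same tool as before, but deserves a comment.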