From 4ab32070149da7f2b2404d13c3a9107a572134138bb6b090deacc2ff241949c3 Mon Sep 17 00:00:00 2001 
From: Mark Post Date: Wed, 5 Oct 2022 16:08:30 +0000 Subject: [PATCH] Accepting request 1008258 from home:markkp:branches:security - Upgrade to version 3.19.0 (jsc#PED-616) + openCryptoki 3.19 - CCA: check for expected master key verification patterns at token init - CCA: check master key verification pattern of created keys to be as expected - EP11: check for expected wrapping key verification pattern at token init - EP11: check wrapping key verification pattern of created keys to be as expected - p11sak/pkcsconf: display PKCS#11 URIs - p11sak: add support for IBM specific Dilithium keys - p11sak: allow to list keys filtered by label - common: add support for dual-function cryptographic functions - Add support for C_SessionCancel function (PKCS#11 v3.0) - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) - Bug fixes + openCryptoki 3.18 - Default to FIPS compliant token data format (tokversion = 3.12) - Add support for restricting usage of mechanisms and keys via a global policy - Add support for statistics counting of mechanism usage - ICA/EP11: Support libica version 4 - p11sak tool: Allow to set different attributes for public and private keys - Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated version named ocki-3.19-remove-make-install-chgrp.patch to fit the current state of the source. - Removed the following obsolete patches: openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch - Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch for bsc#1202106. One test of the gen_purpose test cases fails with C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. - Made the following changes for bsc#1199862 "Please install p11sak_defined_attrs.conf." 
* Replaced ocki-3.11-remove-make-install-chgrp.patch with ocki-3.17-remove-make-install-chgrp.patch to remove the "-g pkcs11" parameter from the install command in the Makefile * Updated the spec file to include /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file with the necessary permissions and group ownership. OBS-URL: https://build.opensuse.org/request/show/1008258 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=124 --- ... ocki-3.19-remove-make-install-chgrp.patch | 33 +++++++--- openCryptoki-3.17.0.tar.gz | 3 - openCryptoki-3.19.0.tar.gz | 3 + ...pecify-OID-of-key-strength-at-key-ge.patch | 56 ---------------- ...-EP11-Fix-host-library-version-query.patch | 66 ------------------- openCryptoki.changes | 50 ++++++++++++++ openCryptoki.spec | 16 +++-- 7 files changed, 87 insertions(+), 140 deletions(-) rename ocki-3.11-remove-make-install-chgrp.patch => ocki-3.19-remove-make-install-chgrp.patch (66%) delete mode 100644 openCryptoki-3.17.0.tar.gz create mode 100644 openCryptoki-3.19.0.tar.gz delete mode 100644 openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch delete mode 100644 openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch diff --git a/ocki-3.11-remove-make-install-chgrp.patch b/ocki-3.19-remove-make-install-chgrp.patch similarity index 66% rename from ocki-3.11-remove-make-install-chgrp.patch rename to ocki-3.19-remove-make-install-chgrp.patch index 98d4c46..13dde2e 100644 --- a/ocki-3.11-remove-make-install-chgrp.patch +++ b/ocki-3.19-remove-make-install-chgrp.patch 
@@ -1,6 +1,6 @@ ---- opencryptoki-3.11.0/Makefile.am 2018-11-16 09:53:03.000000000 -0500 -+++ opencryptoki-3.11.0/Makefile.am 2018-11-16 10:28:35.114837306 -0500 -@@ -51,24 +51,18 @@ +--- opencryptoki-3.19.0/Makefile.am 2022-09-30 03:45:52.000000000 -0400 ++++ opencryptoki-3.19.0/Makefile.am 2022-09-30 15:28:53.032877773 -0400 +@@ -61,12 +61,9 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_cca.so PKCS11_CCA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ @@ -11,8 +11,9 @@ $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok - $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok - endif - if ENABLE_EP11TOK + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true +@@ -75,12 +72,9 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_ep11.so PKCS11_EP11.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ 
@@ -25,7 +26,14 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true -@@ -78,24 +72,18 @@ +@@ -88,30 +82,24 @@ + endif + if ENABLE_P11SAK + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g pkcs11 -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + endif + if ENABLE_ICATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_ica.so PKCS11_ICA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ @@ -50,7 +58,7 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok endif if ENABLE_TPMTOK -@@ -103,10 +91,8 @@ +@@ -119,10 +107,8 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_tpm.so PKCS11_TPM.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm @@ -61,7 +69,7 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm endif if ENABLE_ICSFTOK -@@ -114,10 +100,8 @@ +@@ -130,16 +116,14 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_icsf.so PKCS11_ICSF.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf 
@@ -72,7 +80,14 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf endif if ENABLE_DAEMON -@@ -139,7 +123,6 @@ + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g pkcs11 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true + if ENABLE_SYSTEMD + mkdir -p $(DESTDIR)/usr/lib/tmpfiles.d + cp $(srcdir)/misc/tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf +@@ -156,7 +140,6 @@ @echo "Remember you must run ldconfig before using the above settings" @echo "--------------------------------------------------------------" $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) diff --git a/openCryptoki-3.17.0.tar.gz b/openCryptoki-3.17.0.tar.gz deleted file mode 100644 index 40fcc94..0000000 --- a/openCryptoki-3.17.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:785596925738855b33b29bdff2399f613b892e7c6000d9ffbf79fe32c2aeaeee -size 1290050 diff --git a/openCryptoki-3.19.0.tar.gz b/openCryptoki-3.19.0.tar.gz new file mode 100644 index 0000000..0f24747 --- /dev/null +++ b/openCryptoki-3.19.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9d8646fd5502bbcf6debc89e76ce064198272cbc5856baa8d350056abe5bdf14 +size 1371265 
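Review bot: The rewritten strength.conf install line in this hunk drops `-g pkcs11` but keeps `-o root`, and the whole command still ends in `|| true`. If the package is built as an unprivileged user (the build environment is not visible here), the ownership change would presumably fail, and `|| true` would hide that, so the file could end up missing from the buildroot with no error at this step. Ownership is better set in the spec's %files list, so I would drop the owner flag too: `$(INSTALL) -m 640 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true`. The p11sak_defined_attrs.conf line in the earlier ENABLE_P11SAK hunk ends in the same `|| true` and masks install failures in the same way.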
diff --git a/openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch b/openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
deleted file mode 100644
index 324366a..0000000
--- a/openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From a431e3742a1bdac515d0b491e77caeeb44720354 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Tue, 1 Feb 2022 13:50:18 +0100 -Subject: [PATCH 1/2] EP11: Dilithium: Specify OID of key strength at key - generation - -Newer EP11 firmware versions require that the OID of the desired -Dilithium key strength is specified with attribute CKA_IBM_PQC_PARAMS -at key generation. Older firmware versions ignore this attribute. - -Signed-off-by: Ingo Franzki ---- - usr/lib/ep11_stdll/ep11_specific.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 75fd46a5..4ca9678a 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -6347,6 +6347,8 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t * tokdata, - CK_ULONG new_publ_attrs_len = 0, new_priv_attrs_len = 0; - CK_ATTRIBUTE *new_publ_attrs2 = NULL, *new_priv_attrs2 = NULL; - CK_ULONG new_publ_attrs2_len = 0, new_priv_attrs2_len = 0; -+ const CK_BYTE dilithium_oid[] = { 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, -+ 0x02, 0x82, 0x0b, 0x01, 0x06, 0x05 }; - - UNUSED(h); - -@@ -6371,6 +6373,24 @@ static CK_RV ibm_dilithium_generate_keypair(STDLL_TokData_t * tokdata, - goto error; - } - -+ rc = add_to_attribute_array(&new_publ_attrs, &new_publ_attrs_len, -+ CKA_IBM_PQC_PARAMS, (CK_BYTE *)dilithium_oid, -+ sizeof(dilithium_oid)); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n", -+ __func__, rc); -+ goto error; -+ } -+ -+ rc = add_to_attribute_array(&new_priv_attrs, &new_priv_attrs_len, -+ CKA_IBM_PQC_PARAMS,(CK_BYTE *)dilithium_oid, -+ sizeof(dilithium_oid)); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n", -+ __func__, rc); -+ goto error; -+ } -+ - rc = check_key_attributes(tokdata, ktype, CKO_PUBLIC_KEY, - new_publ_attrs, new_publ_attrs_len, - &new_publ_attrs2, 
&new_publ_attrs2_len, -1); --- -2.16.2.windows.1 - diff --git a/openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch b/openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch deleted file mode 100644 index c64cfda..0000000 --- a/openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 20f401a98d5c06648f5dd6ea62aa82f86662d90c Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Tue, 8 Mar 2022 15:01:24 +0100 -Subject: [PATCH 2/2] EP11: Fix host library version query - -Look at release and modification level, not just the modification level. -Release and modification level are encoded into the one byte minor -field of a CK_VERSION. The high order 4 bits are the release number, the -low order 4 bits the modification level. - -This allows host library version checks for release and modification levels. - -Signed-off-by: Ingo Franzki ---- - usr/lib/ep11_stdll/ep11_specific.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 4ca9678a..2d7581fa 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -2588,9 +2588,10 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber, - goto error; - } - -- TRACE_INFO("%s Host library version: %d.%d\n", __func__, -+ TRACE_INFO("%s Host library version: %d.%d.%d\n", __func__, - ep11_data->ep11_lib_version.major, -- ep11_data->ep11_lib_version.minor); -+ (ep11_data->ep11_lib_version.minor & 0xF0) >> 4, -+ (ep11_data->ep11_lib_version.minor & 0x0F)); - - rc = refresh_target_info(tokdata); - if (rc != CKR_OK) { -@@ -11289,8 +11290,19 @@ static CK_RV ep11tok_get_ep11_library_version(CK_VERSION *lib_version) - rc); - return rc; - } -+ TRACE_DEVEL("%s host_version=0x08%x\n", __func__, host_version); - lib_version->major = (host_version & 0x00FF0000) >> 16; -- lib_version->minor = host_version & 0x000000FF; -+ /* Minor is 4 bits release number and 4 bits modification level */ -+ lib_version->minor = (host_version & 0x00000F00) >> 4 | -+ (host_version & 0x0000000F); -+ if ((host_version & 0x0000F000) != 0) { -+ lib_version->minor |= 0xF0; -+ TRACE_DEVEL("%s relelase > 15, treating as 15\n", __func__); -+ } -+ if ((host_version & 
0x000000F0) != 0) { -+ lib_version->minor |= 0x0F; -+ TRACE_DEVEL("%s modification level > 15, treating as 15\n", __func__); -+ } - /* - * EP11 host library < v2.0 returns an invalid version (i.e. 0x100). This - * can safely be treated as version 1.0 -@@ -11399,6 +11411,7 @@ CK_RV ep11tok_copy_firmware_info(STDLL_TokData_t *tokdata, - if (target_info->card_versions != NULL) - pInfo->hardwareVersion = target_info->card_versions->firmware_version; - pInfo->firmwareVersion = ep11_data->ep11_lib_version; -+ pInfo->firmwareVersion.minor >>= 4; /* report release, skip mod-level */ - memcpy(pInfo->serialNumber, target_info->serialNumber, - sizeof(pInfo->serialNumber)); - --- -2.16.2.windows.1 - diff --git a/openCryptoki.changes b/openCryptoki.changes index b77388a..8d63fd4 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes 
@@ -1,3 +1,53 @@ +------------------------------------------------------------------- +Fri Sep 30 19:14:38 UTC 2022 - Mark Post + +- Upgrade to version 3.19.0 (jsc#PED-616) + + openCryptoki 3.19 + - CCA: check for expected master key verification patterns at token init + - CCA: check master key verification pattern of created keys to be as expected + - EP11: check for expected wrapping key verification pattern at token init + - EP11: check wrapping key verification pattern of created keys to be as expected + - p11sak/pkcsconf: display PKCS#11 URIs + - p11sak: add support for IBM specific Dilithium keys + - p11sak: allow to list keys filtered by label + - common: add support for dual-function cryptographic functions + - Add support for C_SessionCancel function (PKCS#11 v3.0) + - EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER) + - EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE) + - Bug fixes + + openCryptoki 3.18 + - Default to FIPS compliant token data format (tokversion = 3.12) + - Add support for restricting usage of mechanisms and keys via a global policy + - Add support for statistics counting of mechanism usage + - ICA/EP11: Support libica version 4 + - p11sak tool: Allow to set different attributes for public and private keys +- Replaced ocki-3.17-remove-make-install-chgrp.patch with an updated + version named ocki-3.19-remove-make-install-chgrp.patch to fit + the current state of the source. +- Removed the following obsolete patches: + openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch + openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch + ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch + +------------------------------------------------------------------- +Wed Aug 10 16:34:10 UTC 2022 - Mark Post + +- Added ocki-3.17-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch + for bsc#1202106. 
One test of the gen_purpose test cases fails with + C_GetMechanismList #2 rc=CKR_BUFFER_TOO_SMALL" error on the EP11 Token. + +------------------------------------------------------------------- +Thu Jun 2 16:21:54 UTC 2022 - Mark Post + +- Made the following changes for bsc#1199862 "Please install + p11sak_defined_attrs.conf." + * Replaced ocki-3.11-remove-make-install-chgrp.patch with + ocki-3.17-remove-make-install-chgrp.patch to remove the + "-g pkcs11" parameter from the install command in the Makefile + * Updated the spec file to include + /etc/opencryptoki/p11sak_defined_attrs.conf as a %config file + with the necessary permissions and group ownership. + ------------------------------------------------------------------- Wed Mar 23 15:32:25 UTC 2022 - Mark Post diff --git a/openCryptoki.spec b/openCryptoki.spec index ac44808..742b6bd 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -26,7 +26,7 @@ %define oc_cvs_tag opencryptoki Name: openCryptoki -Version: 3.17.0 +Version: 3.19.0 Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 @@ -38,9 +38,7 @@ Source2: openCryptoki-TFAQ.html Source3: openCryptoki-rpmlintrc # Patch 1 is needed because group pkcs11 doesn't exist in the build environment # and because we don't want(?) various file and directory permissions to be 0700. -Patch1: ocki-3.11-remove-make-install-chgrp.patch -Patch2: openCryptoki-sles15-sp4-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch -Patch3: openCryptoki-sles15-sp4-EP11-Fix-host-library-version-query.patch +Patch1: ocki-3.19-remove-make-install-chgrp.patch BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex @@ -130,8 +128,6 @@ Cryptographic Accelerator (FC 4960 on pSeries). %prep %setup -q -n %{oc_cvs_tag}-%{version} %patch1 -p1 -%patch2 -p1 -%patch3 -p1 cp %{SOURCE2} . 
@@ -230,10 +226,16 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A %files %doc openCryptoki-TFAQ.html FAQ %doc doc/* +%dir %{_datadir}/doc/opencryptoki +%{_datadir}/doc/opencryptoki/policy-example.conf +%{_datadir}/doc/opencryptoki/strength-example.conf # configuration directory %dir %{_sysconfdir}/opencryptoki %config %{_sysconfdir}/opencryptoki/opencryptoki.conf +%config %{_sysconfdir}/opencryptoki/strength.conf +%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf %ifarch s390 s390x +%config %{_sysconfdir}/opencryptoki/ccatok.conf %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf %config %{_sysconfdir}/opencryptoki/ep11tok.conf %{_sbindir}/pkcsep11_migrate @@ -250,6 +252,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A %{_sbindir}/pkcsslotd %{_sbindir}/pkcsconf %{_sbindir}/pkcsicsf +%{_sbindir}/pkcsstats %{_sbindir}/pkcstok_migrate %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll @@ -276,6 +279,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll %{_includedir}/opencryptoki +%{_libdir}/pkgconfig/opencryptoki.pc %ifarch %{openCryptoki_32bit_arch} %files 32bit
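Review bot: `%config %{_sysconfdir}/opencryptoki/strength.conf` in this %files hunk carries no `%attr`, while the p11sak_defined_attrs.conf line directly below it gets `%attr(640,root,pkcs11)`. Patch1 in this same commit strips `-g pkcs11` from the strength.conf install command, so the packaged file most likely ends up 0640 root:root and members of the pkcs11 group cannot read it; the removed Makefile.am line shows that root:pkcs11 was the upstream intent. I would write `%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/strength.conf`. Separately, plain `%config` lets an upgrade replace a locally edited strength.conf (the edit survives only as .rpmsave), so `%config(noreplace)` may be worth considering for the configuration files listed here. The %files list continues outside the hunk.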