Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check
From: Marc Hartmayer

Description:  genprotimg/check_hostkeydoc: cert. verification is too strict

Symptom:      Verification failures will occur for newer host key documents

Problem:      The certificate verification of check_hostkeydoc is too strict
              and doesn't match the checking performed by genprotimg. This
              applies to the OU field in the issuer DN of the host key
              document. As a consequence, verification failures will occur
              for host key documents issued for hardware generations newer
              than IBM z15.

              DigiCert is the CA issuing the signing certificate for Secure
              Execution host key documents. This certificate is used for the
              verification of the host key document validity. Recently,
              DigiCert has changed the root CA certificate used for issuance
              of the signing certificates. As genprotimg is checking the CA
              serial, the verification of the chain of trust will fail.

              As a workaround, it is possible to disable certificate
              verification, but this is not recommended because it makes it
              easier to provide a fake host key document. Since the
              previously issued host key documents are expiring in April
              2022, it is necessary to fix genprotimg to accept the newly
              issued host key documents.

Solution:     Relax the certificate verification

Reproduction: Use a new host key document

Upstream-ID:  673ff375d939d3cde674f8f99a62d456f8b1673d
Problem-ID:   197604

Upstream-Description:

    genprotimg/check_hostkeydoc: relax default issuer check

    While the original default issuer's organizationalUnitName (OU) was
    defined as "IBM Z Host Key Signing Service", any OU ending with
    "Key Signing Service" is considered legal. Let's relax the default
    issuer check by stripping off characters preceding "Key Signing
    Service".

    Signed-off-by: Viktor Mihajlovski
    Reviewed-by: Marc Hartmayer
    Signed-off-by: Jan Hoeppner
Signed-off-by: Marc Hartmayer Index: s390-tools-service/genprotimg/samples/check_hostkeydoc =================================================================== --- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc +++ s390-tools-service/genprotimg/samples/check_hostkeydoc @@ -23,6 +23,7 @@ BODY_FILE=$(mktemp) ISSUER_DN_FILE=$(mktemp) SUBJECT_DN_FILE=$(mktemp) DEF_ISSUER_DN_FILE=$(mktemp) +CANONICAL_ISSUER_DN_FILE=$(mktemp) CRL_SERIAL_FILE=$(mktemp) # Cleanup on exit @@ -30,7 +31,7 @@ cleanup() { rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \ $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \ - $CRL_SERIAL_FILE + $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE } trap cleanup EXIT @@ -121,20 +122,31 @@ default_issuer() commonName = International Business Machines Corporation countryName = US localityName = Poughkeepsie - organizationalUnitName = IBM Z Host Key Signing Service + organizationalUnitName = Key Signing Service organizationName = International Business Machines Corporation stateOrProvinceName = New York EOF } -verify_issuer_files() +# As organizationalUnitName can have an arbitrary prefix but must +# end with "Key Signing Service" let's normalize the OU name by +# stripping off the prefix +verify_default_issuer() { default_issuer > $DEF_ISSUER_DN_FILE - if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE + sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \ + $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE + + if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE then echo Incorrect default issuer >&2 && exit 1 fi +} + +verify_issuer_files() +{ + verify_default_issuer if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE then
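Review bot: In the third hunk (the new verify_default_issuer), the sed normalization `s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/` accepts a wider set of OU values than the comment above it describes: because `.*` also matches an empty string or a run of non-space characters, an OU of exactly "Key Signing Service" or of the form "FooKey Signing Service" is canonicalized to the default just like "IBM Z Host Key Signing Service". If only a space-separated prefix is meant, make the separating space part of the stripped group so that the suffix has to start at a word boundary, and state the accepted forms in the comment above the function so a later reader knows the widening is deliberate. Two smaller points: the hunk only relaxes the organizationalUnitName comparison while the Problem text cites the CA serial check as the reason the chain of trust fails, so a sentence in the commit message saying whether that check lives elsewhere (genprotimg itself rather than this sample script) would pre-empt the question; and when the `sed` input has no organizationalUnitName line at all, the canonical file is passed through unchanged and the following `diff` still rejects it, which is the right outcome and worth a short comment.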