EC keys do not provide OSSL_PKEY_PARAM_MANDATORY_DIGEST

Bug #1971000 reported by Jim Sievert
This bug affects 2 people
Affects                  Status        Importance  Assigned to     Milestone
tpm2-openssl (Ubuntu)    Fix Released  Undecided   Unassigned
  Jammy                  Fix Released  Undecided   Luca Boccassi
  Kinetic                Fix Released  Undecided   Luca Boccassi
  Lunar                  Fix Released  Undecided   Unassigned

Bug Description

[ Impact ]
Mandatory digest is not provided by the library

[ Test Plan ]
The upstream fix includes a test script:

https://github.com/tpm2-software/tpm2-openssl/blob/5f55ad3f7fee12201187a29b648e4bc571bcf9fa/test/ec_createak_x509_cms.sh

[ Where problems could occur ]
The fix adds a small change in the core of the library, so basic functionality like signing might be affected. However, the fix has been upstream and released for half a year, and no regressions have been reported.

[ Original Description ]
$ lsb_release -rd
Description: Ubuntu 22.04 LTS
Release: 22.04

$ apt-cache policy tpm2-openssl
tpm2-openssl:
  Installed: 1.0.1-1
  Candidate: 1.0.1-1
  Version table:
 *** 1.0.1-1 500
        500 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages
        100 /var/lib/dpkg/status

Please see: https://github.com/tpm2-software/tpm2-openssl/issues/34

Essentially, any mandatory digest in a public key is ignored by tpm2-openssl.

summary: - xxx
+ EC keys do not provide OSSL_PKEY_PARAM_MANDATORY_DIGEST
Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Fixed and tested package available on ubuntu/jammy on Salsa: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/jammy

Luca Boccassi (bluca)
description: updated
Changed in tpm2-openssl (Ubuntu Lunar):
status: Confirmed → Fix Released
Changed in tpm2-openssl (Ubuntu Kinetic):
status: New → Confirmed
Changed in tpm2-openssl (Ubuntu Jammy):
status: New → Confirmed
Luca Boccassi (bluca) wrote :

Also prepared and tested an ubuntu/kinetic branch on Salsa, ready for sponsor upload: https://salsa.debian.org/debian/tpm2-openssl/-/tree/ubuntu/kinetic

Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in tpm2-openssl (Ubuntu Kinetic):
status: Confirmed → In Progress
Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Jammy):
assignee: nobody → Luca Boccassi (bluca)
Changed in tpm2-openssl (Ubuntu Kinetic):
assignee: nobody → Luca Boccassi (bluca)
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Jim, or anyone else affected,

Accepted tpm2-openssl into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-openssl/1.1.0-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in tpm2-openssl (Ubuntu Kinetic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Łukasz Zemczak (sil2100) wrote :

Hello Jim, or anyone else affected,

Accepted tpm2-openssl into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/tpm2-openssl/1.0.1-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in tpm2-openssl (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Luca Boccassi (bluca) wrote :

Tested 1.0.1-1ubuntu0.1 in Jammy, fixes the issue for me.

Luca Boccassi (bluca)
tags: added: verification-done verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-jammy verification-needed-kinetic
tags: removed: verification-done
tags: added: verification-needed-kinetic
removed: verification-done-kinetic
Luca Boccassi (bluca)
tags: added: verification-done-kinetic
removed: verification-needed-kinetic
Robie Basak (racb) wrote :

Luca, thank you for driving this bug to help make Ubuntu better.

We've released regressions in the past due to miscommunication about exactly what was tested and how it was tested, resulting in untested updates being released. So I ask that you please be explicit about this, rather than just flipping the bug tags.

If you say you followed the test plan in the bug description and state what specific package versions you tested (preferably by copy and pasting the package version string from your test environment), then I'm happy to take your word for that. But to avoid the risk of repeating past accidents, I'm not willing to release these updates until you actually state that please. Specifically: 1) what package version was tested; 2) what tests were carried out (just a reference to the bug description is fine if that's what you did); 3) what the test results were (presumably, they passed?).

This should be in each of the three relevant bugs (as the test plans in each are presumably distinct). Here are links for your convenience:

https://launchpad.net/bugs/1970999
https://launchpad.net/bugs/1971000
https://launchpad.net/bugs/1996498

Thanks again for contributing to Ubuntu on this!

Luca Boccassi (bluca) wrote :

I have done the same tests as jammy on a kinetic image, these issues are fixed there too. I ran the check from the bug description, and verified it works on kinetic (package version 1.1.0-2ubuntu0.1 from proposed) and on jammy (package version 1.0.1-1ubuntu0.1 from proposed).

Luca Boccassi (bluca) wrote : Re: [Bug 1971000] Re: EC keys do not provide OSSL_PKEY_PARAM_MANDATORY_DIGEST

Hi,

I had left a comment on
https://bugs.launchpad.net/ubuntu/+source/tpm2-openssl/+bug/1970999
but didn't duplicate it on the other 2, as I've handled them all
together.
I've now expanded the comment and replicated it across all 3 bugs.

On Wed, 4 Jan 2023 at 15:13, Robie Basak <email address hidden> wrote:
>
> Luca, thank you for driving this bug to help make Ubuntu better.
>
> We've released regressions in the past due to miscommunication about
> exactly what was tested and how it was tested, resulting in untested
> updates being released. So I ask that you please be explicit about this,
> rather than just flipping the bug tags.
>
> If you say you followed the test plan in the bug description and state
> what specific package versions you tested (preferably by copy and
> pasting the package version string from your test environment), then I'm
> happy to take your word for that. But to avoid the risk of repeating
> past accidents, I'm not willing to release these updates until you
> actually state that please. Specifically: 1) what package version was
> tested; 2) what tests were carried out (just a reference to the bug
> description is fine if that's what you did); 3) what the test results
> were (presumably, they passed?).
>
> This should be in each of the three relevant bugs (as the test plans in
> each are presumably distinct). Here are links for your convenience:
>
> https://launchpad.net/bugs/1970999
> https://launchpad.net/bugs/1971000
> https://launchpad.net/bugs/1996498
>
> Thanks again for contributing to Ubuntu on this!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-openssl - 1.1.0-2ubuntu0.1

---------------
tpm2-openssl (1.1.0-2ubuntu0.1) kinetic; urgency=medium

  * Backport patch to make EC keys provide
    OSSL_PKEY_PARAM_MANDATORY_DIGEST (LP: #1971000)
  * Backport patch to fix using tpm2-openssl on Azure (LP: #1996498)
  * Backport patches to fix loading certificates from NVM (LP: #1970999)

 -- Luca Boccassi <email address hidden> Tue, 06 Dec 2022 14:30:58 +0000

Changed in tpm2-openssl (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for tpm2-openssl has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tpm2-openssl - 1.0.1-1ubuntu0.1

---------------
tpm2-openssl (1.0.1-1ubuntu0.1) jammy; urgency=medium

  * Backport patch to make EC keys provide
    OSSL_PKEY_PARAM_MANDATORY_DIGEST (LP: #1971000)
  * Backport patch to fix using tpm2-openssl on Azure (LP: #1996498)
  * Backport patches to fix loading certificates from NVM (LP: #1970999)

 -- Luca Boccassi <email address hidden> Mon, 05 Dec 2022 20:14:05 +0000

Changed in tpm2-openssl (Ubuntu Jammy):
status: Fix Committed → Fix Released