Ubuntu
p11-kit package

[22.10 FEAT] [SEC2210] p11-kit: add IBM specific mechanisms and attributes (crypto)

Bug #1982841 reported by bugproxy
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
p11-kit (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Add support for IBM specific attributes and mechanis to the PKCS11 client-server implementation of p11-kit to p11-kit.
This enables customers to access IBM Z HSMs remotely via a PKCS #11 API.

Upstream Target: p11-kit 0.25.0

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-199135 severity-high targetmilestone-inin2210
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → p11-kit (Ubuntu)
Revision history for this message
Frank Heimes (fheimes) wrote :

As of today and according to https://github.com/p11-glue/p11-kit/releases
current stable is still 0.24.1.

Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Changed in p11-kit (Ubuntu):
importance: Undecided → Medium
status: New → Incomplete
Changed in ubuntu-z-systems:
status: New → Incomplete
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-07-27 02:43 EDT-------
Commits to pick:

https://github.com/p11-glue/p11-kit/commit/4059f174042fc76be0b258b27061e351306a74ff
https://github.com/p11-glue/p11-kit/commit/d07a8ffc0f287bef66295fffcbe9c7ccba711ef0
https://github.com/p11-glue/p11-kit/commit/218e9719b5a47a65fbf6131a5b69825948c1d4e0
https://github.com/p11-glue/p11-kit/commit/c4ade85343b9cbe128e105839e454d2423c00c98
https://github.com/p11-glue/p11-kit/commit/242e5db070f7b17cf3d2e86b40b77f2e999ea3da
https://github.com/p11-glue/p11-kit/commit/ac0da8239de4184dab2d48a4350503ef278db2a4
https://github.com/p11-glue/p11-kit/commit/7235af663b95e3e0a7c035d3de7f26c0c6a4810e
https://github.com/p11-glue/p11-kit/commit/b72aa478baaa29c6ee4342d1a194938590f389df
https://github.com/p11-glue/p11-kit/commit/506b9414999edfc993e9142b4bad068060c587bf
https://github.com/p11-glue/p11-kit/commit/3c0be1d42d0568550797d86355cd03204e4c4eb6
https://github.com/p11-glue/p11-kit/commit/7ea59012c2c81473132211e29ea8ebcc1ce31d09

There is one additional commit (not originated by me) that fixes somethin in the are of IBM vendor mechanisms. You might want to pick that one, too:
https://github.com/p11-glue/p11-kit/commit/7675f8672ffcf7641fd048533747937d30fb8e8e

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Incomplete → New
Changed in p11-kit (Ubuntu):
status: Incomplete → New
Revision history for this message
Frank Heimes (fheimes) wrote (last edit ):

The requested commits/patches were added and test packages '0.24.1-1ubuntu1' were build in PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1982841/+packages

The builds also trigger intensive tests, that were all successful:
Testsuite summary for p11-kit 0.24.1
====================================
# TOTAL: 762
# PASS: 762
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
(https://launchpadlibrarian.net/616683202/buildlog_ubuntu-kinetic-s390x.p11-kit_0.24.1-1ubuntu1_BUILDING.txt.gz)

Attaching a debdiff for kinetic as patch.

Changed in p11-kit (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
information type: Private → Public
Revision history for this message
Frank Heimes (fheimes) wrote :

Had to re-upload the debdiff - now with fixed URLs in the Origin, section of the DEP3 header.
(Notice the prefix 'new_' in the new version ...)

Revision history for this message
Simon Chopin (schopin) wrote :

Uploaded, thanks :)

Changed in p11-kit (Ubuntu):
status: In Progress → Fix Committed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package p11-kit - 0.24.1-1ubuntu1

---------------
p11-kit (0.24.1-1ubuntu1) kinetic; urgency=medium

  * Add support for IBM specific attributes and mechanis by adding the
    following upstream commits as quilt patches (LP: #1982841):
    d/p/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch
    d/p/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch
    d/p/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch
    d/p/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch
    d/p/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch
    d/p/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch
    d/p/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch
    d/p/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch
    d/p/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch
    d/p/lp-1982841-Add-support-for-CKM_AES_CTR.patch
    d/p/lp-1982841-Add-support-for-CKM_AES_GCM.patch
    d/p/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch

 -- Frank Heimes <email address hidden> Fri, 05 Aug 2022 15:25:36 +0200

Changed in p11-kit (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.