[22.10 FEAT] [SEC2209] openCryptoki: PKCS #11 3.1 - support CKA_DERIVE_TEMPLATE

Bug #1982842 reported by bugproxy
Affects | Status | Importance | Assigned to
Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners
opencryptoki (Ubuntu) | Fix Released | High | Unassigned

Bug Description

Support the new attribute CKA_DERIVE_TEMPLATE introduced with PKCS #11 v 3.1

Upstream Target: openCryptoki 3.18.0
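For readers unfamiliar with the attribute: CKA_DERIVE_TEMPLATE is the derivation-side sibling of CKA_WRAP_TEMPLATE/CKA_UNWRAP_TEMPLATE. It is an array-valued attribute (CKF_ARRAY_ATTRIBUTE set, element count = ulValueLen / sizeof(CK_ATTRIBUTE)) stored on a base key, and a token applies it to every key derived from that base key: the template's attributes are set on the new key first, and a caller-supplied C_DeriveKey attribute that conflicts with them makes the derivation fail with CKR_TEMPLATE_INCONSISTENT. The following is an added illustration of that policy check written for this page; it is not openCryptoki source and does not call a real token. The pkcs11.h subset, the base key and the requests are constructed locally so the file builds and runs without a PKCS #11 library; the numeric constants match the PKCS #11 3.1 headers.

```c
/* Added example, not openCryptoki code: how a PKCS #11 3.1 token applies a base
 * key's CKA_DERIVE_TEMPLATE to a C_DeriveKey request. The pkcs11.h subset below is
 * defined locally so this builds without the header; values match PKCS #11 3.1. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKR_OK                    0x000UL
#define CKR_BUFFER_TOO_SMALL      0x150UL
#define CKR_TEMPLATE_INCONSISTENT 0x0D1UL
#define CKA_CLASS        0x000UL
#define CKA_KEY_TYPE     0x100UL
#define CKA_SENSITIVE    0x103UL
#define CKA_ENCRYPT      0x104UL
#define CKA_VALUE_LEN    0x161UL
#define CKA_EXTRACTABLE  0x162UL
#define CKF_ARRAY_ATTRIBUTE 0x40000000UL
#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x213UL)
#define CKO_SECRET_KEY 4UL
#define CKK_AES        0x1FUL

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type)
            return &t[i];
    return NULL;
}

static int attr_equal(const CK_ATTRIBUTE *a, const CK_ATTRIBUTE *b)
{
    return a->ulValueLen == b->ulValueLen &&
           memcmp(a->pValue, b->pValue, a->ulValueLen) == 0;
}

/* Merge the base key's derive template with the caller's C_DeriveKey template.
 * Every attribute of the derive template is applied to the derived key; a caller
 * attribute of the same type must carry the same value, otherwise the derivation
 * is refused with CKR_TEMPLATE_INCONSISTENT. Result goes to 'out' (capacity
 * out_cap), its length to *out_count. */
CK_RV apply_derive_template(const CK_ATTRIBUTE *derive_tmpl, CK_ULONG derive_count,
                            const CK_ATTRIBUTE *user_tmpl, CK_ULONG user_count,
                            CK_ATTRIBUTE *out, CK_ULONG out_cap, CK_ULONG *out_count)
{
    CK_ULONG n = 0;
    if (derive_count > out_cap)
        return CKR_BUFFER_TOO_SMALL;
    for (CK_ULONG i = 0; i < derive_count; i++)
        out[n++] = derive_tmpl[i];
    for (CK_ULONG i = 0; i < user_count; i++) {
        const CK_ATTRIBUTE *fixed = find_attr(derive_tmpl, derive_count, user_tmpl[i].type);
        if (fixed) {
            if (!attr_equal(fixed, &user_tmpl[i]))
                return CKR_TEMPLATE_INCONSISTENT;
            continue;               /* already applied from the derive template */
        }
        if (n >= out_cap)
            return CKR_BUFFER_TOO_SMALL;
        out[n++] = user_tmpl[i];
    }
    *out_count = n;
    return CKR_OK;
}

/* Constructed base (derivation) key: its owner requires that anything derived
 * from it is sensitive and non-extractable. */
static CK_BBOOL bTrue = CK_TRUE, bFalse = CK_FALSE;
static CK_ULONG secretClass = CKO_SECRET_KEY, aesType = CKK_AES, valueLen = 32;
static CK_ATTRIBUTE base_derive_tmpl[] = {
    { CKA_SENSITIVE,   &bTrue,  sizeof(bTrue)  },
    { CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) },
};
static CK_ATTRIBUTE base_key_attrs[] = {
    { CKA_CLASS,           &secretClass,     sizeof(secretClass)      },
    { CKA_KEY_TYPE,        &aesType,         sizeof(aesType)          },
    { CKA_DERIVE_TEMPLATE, base_derive_tmpl, sizeof(base_derive_tmpl) },
};

/* Simulate a C_DeriveKey request for a 32-byte AES encryption key.
 * extractable_request: -1 = caller says nothing about CKA_EXTRACTABLE,
 * 0 = caller asks for FALSE (agrees with the policy), 1 = caller asks for TRUE. */
CK_RV run_derive_request(int extractable_request, CK_ULONG *merged_count)
{
    CK_ATTRIBUTE user_tmpl[5], merged[8];
    CK_ULONG user_n = 0, n = 0;
    user_tmpl[user_n++] = (CK_ATTRIBUTE){ CKA_CLASS,     &secretClass, sizeof(secretClass) };
    user_tmpl[user_n++] = (CK_ATTRIBUTE){ CKA_KEY_TYPE,  &aesType,     sizeof(aesType)     };
    user_tmpl[user_n++] = (CK_ATTRIBUTE){ CKA_VALUE_LEN, &valueLen,    sizeof(valueLen)    };
    user_tmpl[user_n++] = (CK_ATTRIBUTE){ CKA_ENCRYPT,   &bTrue,       sizeof(bTrue)       };
    if (extractable_request >= 0)
        user_tmpl[user_n++] = (CK_ATTRIBUTE){ CKA_EXTRACTABLE,
            extractable_request ? &bTrue : &bFalse, sizeof(bTrue) };

    /* Element count of the array attribute is ulValueLen / sizeof(CK_ATTRIBUTE). */
    const CK_ATTRIBUTE *dt = find_attr(base_key_attrs,
                                       sizeof(base_key_attrs) / sizeof(base_key_attrs[0]),
                                       CKA_DERIVE_TEMPLATE);
    CK_ULONG dt_n = dt ? dt->ulValueLen / sizeof(CK_ATTRIBUTE) : 0;
    CK_RV rv = apply_derive_template(dt ? dt->pValue : NULL, dt_n, user_tmpl, user_n,
                                     merged, sizeof(merged) / sizeof(merged[0]), &n);
    if (merged_count)
        *merged_count = n;
    return rv;
}

/* Number of attributes on the derived key, or 0 if the request was refused. */
CK_ULONG merged_count_for(int extractable_request)
{
    CK_ULONG n = 0;
    return run_derive_request(extractable_request, &n) == CKR_OK ? n : 0;
}

int main(void)
{
    CK_RV rv = run_derive_request(-1, NULL);
    printf("no opinion on extractable: rv=0x%lx, derived key gets %lu attributes\n",
           rv, merged_count_for(-1));
    rv = run_derive_request(1, NULL);
    printf("asks for extractable=TRUE: rv=0x%lx (0xd1 = CKR_TEMPLATE_INCONSISTENT)\n", rv);
    return 0;
}
```

The practical point for token owners: once CKA_DERIVE_TEMPLATE is honoured, a policy such as "derived keys are never extractable" lives on the base key itself and cannot be undone by whatever template an application passes to C_DeriveKey.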

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-199134 severity-high targetmilestone-inin2210
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Revision history for this message
Frank Heimes (fheimes) wrote :

I've remembered and noticed that v3.18.0 was released on Apr 25.
Meanwhile a lot of commits were accepted in master on top of 3.18 and a lot of them seem to be bug fixes.
So I think there is not much value to version bump the opencryptoki version for kinetic (22.10) to just 3.18.
Hence let me please ask if you are aware if there is another release of opencryptoki planned (even a minor release) that would allow us to pick that in time for the kinetic feature freeze?
(FF is on Aug 25th but there are a few days needed on top for preparation - https://discourse.ubuntu.com/t/kinetic-kudu-release-schedule/)

Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
importance: Undecided → High
Changed in opencryptoki (Ubuntu):
importance: Undecided → High
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-07-27 02:38 EDT-------
I don't think that there will be a release before August 25.
As always, plans are subject to change.....

Revision history for this message
Frank Heimes (fheimes) wrote :

After a quick discussion the approach for kinetic will be to bump the opencryptoki version to 3.18 and add one important patch (b545050) on top.

I've updated the version of a test package to 3.18+ and did a PPA test build here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1982842

No symbols update.

Attached the debdiff.

The opencryptoki reverse dependencies are:
$ reverse-depends -a source src:opencryptoki
Reverse-Build-Depends
* simple-tpm-pk11 (for libopencryptoki-dev)
* tpm-tools (for libopencryptoki-dev)

information type: Private → Public
Changed in opencryptoki (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Revision history for this message
Frank Heimes (fheimes) wrote :

Test rebuilds against the reverse dependent packages are now done as well:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1982842

Revision history for this message
Simon Chopin (schopin) wrote :

Funny thing: the package FTBFS on my laptop, even in a clean sbuild. It turns out that there are some configuration files that are only installed in debian/tmp if there's a 'pkcs11' unix group present on the builder, which evidently isn't the case on the LP builders.

That doesn't seem ideal to me :/

Look for p11sak_defined_attrs.conf in the build logs.

We might want to patch out the group assignment in the upstream build script, and adjust the permissions in the postinst script, as is already done for other files. Could you take care of that?

Revision history for this message
Frank Heimes (fheimes) wrote :

Ok, so that is what I did to solve this:
I created the following quilt patch:
lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
that removes " -g pkcs11" for p11sak_defined_attrs.conf and strength.conf from Makefile.am
and does the pkcs11 group assignment instead in the postinst script:

In addition I've added "/etc/opencryptoki/p11sak_defined_attrs.conf"
and "/etc/opencryptoki/strength.conf" to the debian/opencryptoki.install(.s390x) file(s)
to get them included in the packages.

The changelog was expanded with:
    - Assign pkcs11 group to p11sak_defined_attrs.conf and strength.conf
      in debian/opencryptoki.postinst rather than in Makefile.am
      to solve "invalid group ‘pkcs11’" issues during build.
      Also extend debian/opencryptoki.install and
      debian/opencryptoki.install.s390x to pick up
      /etc/opencryptoki/p11sak_defined_attrs.conf and
      /etc/opencryptoki/strength.conf.

I did a PPA test build (on all major architectures):
https://launchpad.net/~fheimes/+archive/ubuntu/lp1982842-2nd
and also a package install test (amd64 and s390x).
Looks like this on a target system:
# ls -l /etc/opencryptoki/
total 12
-rw-r--r-- 1 root root 773 Aug 15 10:29 opencryptoki.conf
-rw-r--r-- 1 root pkcs11 584 Aug 15 10:29 p11sak_defined_attrs.conf
-rw-r--r-- 1 root pkcs11 866 Aug 15 10:29 strength.conf

Please see attached the updated / new debdiff.
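As an added illustration of the approach described in the comment above (this is not the actual debian/opencryptoki.postinst from the upload, which is only attached as a debdiff): group ownership of the two configuration files is applied at package configure time, where the pkcs11 group can be created if needed, instead of via an `install -g pkcs11` in Makefile.am that fails on a build host without that group. The helper names, the `addgroup --system` call and the use of GNU `stat -c` are assumptions made for this example; the target ownership (root:pkcs11, mode 0644) is what the listing above shows.

```sh
#!/bin/sh
# Added example for this page, not the package's real postinst: assign the
# pkcs11 group to the openCryptoki config files at install time instead of
# at build time ('install -g pkcs11' in Makefile.am fails on a builder that
# has no such group).
set -e

# Create the group on the target system if it does not exist yet.
# Assumption: Debian-style addgroup is available and this runs as root.
ensure_group() {
    grp="$1"
    getent group "$grp" >/dev/null 2>&1 || addgroup --system "$grp"
}

# Set group $2 and mode 0644 on each file named after $2, located in $1.
# Files that are not present (e.g. removed by the admin) are skipped.
assign_config_group() {
    dir="$1"; grp="$2"; shift 2
    for f in "$@"; do
        [ -e "$dir/$f" ] || continue
        chgrp "$grp" "$dir/$f"
        chmod 0644 "$dir/$f"
    done
}

# Verification helper: return 0 only if every file is group $2 with mode 644
# (the state shown by 'ls -l /etc/opencryptoki/' in the comment above).
check_config_group() {
    dir="$1"; grp="$2"; shift 2
    for f in "$@"; do
        actual_grp=$(stat -c '%G' "$dir/$f") || return 1
        actual_mode=$(stat -c '%a' "$dir/$f") || return 1
        [ "$actual_grp" = "$grp" ] && [ "$actual_mode" = "644" ] || return 1
    done
    return 0
}

CONF_FILES="p11sak_defined_attrs.conf strength.conf"

# dpkg calls the maintainer script as 'postinst configure <old-version>'.
if [ "$1" = "configure" ]; then
    ensure_group pkcs11
    # shellcheck disable=SC2086
    assign_config_group /etc/opencryptoki pkcs11 $CONF_FILES
    # shellcheck disable=SC2086
    check_config_group /etc/opencryptoki pkcs11 $CONF_FILES
fi
```

Keeping the build tree free of host-specific users and groups also means the same source package builds identically on a Launchpad builder, in a clean sbuild chroot and on a developer laptop; the group only has to exist where the files are finally installed.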

Revision history for this message
Simon Chopin (schopin) wrote :

I confirm that it now builds fine on my system, and that the new config files are installed with the expected permissions:

ls -lh /etc/opencryptoki/*
.rw-r--r-- root root 773 B Mon Aug 15 12:29:35 2022  /etc/opencryptoki/opencryptoki.conf
.rw-r--r-- root pkcs11 584 B Mon Aug 15 12:29:35 2022  /etc/opencryptoki/p11sak_defined_attrs.conf
.rw-r--r-- root pkcs11 866 B Mon Aug 15 12:29:35 2022  /etc/opencryptoki/strength.conf

Uploaded, thanks for your work :)

Revision history for this message
Frank Heimes (fheimes) wrote :

yw :-)

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.18.0+dfsg-0ubuntu1

---------------
opencryptoki (3.18.0+dfsg-0ubuntu1) kinetic; urgency=medium

  * New upstream release, with:
    - minor adjustment in 01-disable-testcases.patch due to different context
    - remove of d/p/6759faed-EP11-Fix-host-library-version-query.patch
      since it's now included in 3.18 upstream
    - remove file AUTHORS from debian/opencryptoki.docs
      since it got removed in 3.18 upstream
    This new version solves LP bugs (feature requests):
    - "openCryptoki: PKCS #11 3.1 - support CKA_DERIVE_TEMPLATE" (LP: #1982842)
    - "openCryptoki: support crypto profiles" (LP: #1959549)
    - "openCryptoki: add crypto counters" (LP: #1959551)
    - Assign pkcs11 group to p11sak_defined_attrs.conf and strength.conf
      in debian/opencryptoki.postinst rather than in Makefile.am
      to solve "invalid group ‘pkcs11’" issues during build.
      Also extend debian/opencryptoki.install and
      debian/opencryptoki.install.s390x to pick up
      /etc/opencryptoki/p11sak_defined_attrs.conf and
      /etc/opencryptoki/strength.conf.

 -- Frank Heimes <email address hidden> Mon, 15 Aug 2022 12:29:35 +0200

Changed in opencryptoki (Ubuntu):
status: In Progress → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Released