[UBUNTU 23.04] opencryptoki 3.20.0: strength.conf has wrong mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu on IBM z Systems | Fix Released | Medium | Skipper Bug Screeners |
opencryptoki (Ubuntu) | Fix Released | Medium | Unassigned |
Jammy | Fix Released | Medium | Unassigned |
Kinetic | Fix Released | Medium | Unassigned |
Lunar | Fix Released | Medium | Unassigned |
Mantic | Fix Released | Medium | Unassigned |
Bug Description
SRU Justification:
==================
[Impact ]
* Opencryptoki added policy support (after 3.17) with 3.18,
which requires a strength.conf file to be in place.
* Without a strength.conf file in place
and without the correct file permissions of 640,
such newer opencryptoki versions will not work.
* Opencryptoki tools have internal code to check for
correct file permissions.
* An error like this is shown, in case pkcsconf is going to be used:
# pkcsconf -t
Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
[ Test Plan ]
* An end-to-end scenario, that covers the following stack:
Java program using crypto
/ \
ICA-token soft-token ...
|
s390x_
can be based on a Java application that does
AES encryption in ECB mode with a randomly generated key (DRBG-SHA-512)
and exploiting JCA / IBMPKCS11Impl
with opencryptoki managing clear keys,
either with a soft-token or an ICA token.
* The pkcsconf tool is used here to manage (initialize and re-label)
the tokens before they are used by the Java application.
* For the detailed steps and the Java application itself,
please see https:/
[ Where problems could occur ]
* The strength.conf file might have wrong content
* or is located at a wrong position in the file-system
* or strength.conf might have wrong file permissions,
which is checked inside of the tool's code.
* In both cases pkcsconf will still not work even if the file is in place.
[ Other Info ]
* The strength.conf file allows users to configure openCryptoki
cryptographic key strength determination based on key attributes.
And this file is required by openCryptoki.
The strength configuration file has to be owned by 'root:@pkcs_group',
have mode 0640, and be parsable. Otherwise, openCryptoki will return
'CKR_
to syslog detailing the reason why the strength configuration could
not be used. (more see 'strength.conf' in man5)
* The file permissions were set by intention in d/opencryptoki.
since ownership of strength.conf is set there, too (as well as further
folder and config file owner and permission changes).
So all this is at the same place now.
* Package opencryptoki has reverse dependencies:
$ reverse-depends -a source src:opencryptoki
Reverse-
* simple-tpm-pk11 (for libopencryptoki
* tpm-tools (for libopencryptoki
These were rebuilt for test purposes, in addition to opencryptoki itself,
and are available at PPA:
https:/
__________
After installing opencryptoki 3.20.0 on Ubuntu 23.04 the strength.conf file that is installed into /etc/opencryptoki/ has a wrong mode.
After starting pkcsslotrd, command 'pkcsconf -t' shows
pkcsconf: Error initializing the PKCS11 library: 0x5 (CKR_GENERAL_ERROR)
and the syslog shows:
usr/
# ls -l /etc/opencrypto
-rw-r--r-- 1 root pkcs11 866 Feb 13 09:10 /etc/opencrypto
So it has a mode of 644, but it must have a mode of 640 ! This is checked by the code, and opencryptoki is not usable if the mode is wrong. The owner "root:pkcs11" is correct.
Circumvention: manually change the mode to 0640. After that 'pkcsconf -t' works.
Note: This affects all architectures where opencryptoki is supported.
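
As an added example (not part of the bug report or of openCryptoki's own code), the following shell function audits the requirement described above: strength.conf owned by root:pkcs11 with mode exactly 0640. The function name and its arguments are assumptions made for this example, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: audit ownership and mode of openCryptoki's strength.conf.
# Default path, owner and group are taken from the bug report; the function
# name and argument order are assumptions made for this example.

# check_strength_conf [FILE] [OWNER] [GROUP]
# Prints one line per problem. Returns 0 only if FILE is a regular file
# owned by OWNER:GROUP with mode exactly 0640, 1 on a mismatch, 2 if missing.
check_strength_conf() {
    file=${1:-/etc/opencryptoki/strength.conf}
    want_owner=${2:-root}
    want_group=${3:-pkcs11}
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file does not exist or is not a regular file"
        return 2
    fi

    # GNU stat: %a = octal permission bits, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1
    owner=$2
    group=$3

    # 644 (world-readable) is the failing case from the report; any value
    # other than 640 is rejected, including modes with setuid/setgid bits.
    if [ "$mode" != "640" ]; then
        echo "MODE: $file is $mode, expected 640 (fix: chmod 0640 $file)"
        rc=1
    fi

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER: $file is $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi

    return $rc
}

# Typical use on an installed system (run as root):
#   check_strength_conf && pkcsconf -t
```
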
tags: | added: architecture-s39064 bugnameltc-202533 severity-medium targetmilestone-inin2304 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
affects: | linux (Ubuntu) → opencryptoki (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
Changed in opencryptoki (Ubuntu): | |
importance: | Undecided → Medium |
Changed in ubuntu-z-systems: | |
importance: | Undecided → Medium |
Changed in opencryptoki (Ubuntu Lunar): | |
status: | New → In Progress |
Changed in opencryptoki (Ubuntu Lunar): | |
status: | Incomplete → In Progress |
Changed in opencryptoki (Ubuntu Lunar): | |
status: | Incomplete → In Progress |
Changed in opencryptoki (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in opencryptoki (Ubuntu Kinetic): | |
status: | New → In Progress |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
Changed in opencryptoki (Ubuntu Mantic): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → nobody |
I can confirm that strength.conf is taken as is and installed with default 644.
File permissions will be enforced in post-install script...