[23.10 FEAT] [SEC1923] openCryptoki: concurrent MK rotation for cca token

Bug #2025926 reported by bugproxy
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
Medium
Skipper Bug Screeners
opencryptoki (Ubuntu)
Fix Released
High
Unassigned

Bug Description

Support MK rotation for CCA secure keys while openCryptoki is running.
The ep11 token must listen to a master key change event and upon that event prepare all session and token keys to use secure keys based on the new master key and (possibly based on another event replace secure keys wrapped by the (previous) current MK with secure keys wrapped by the new (current) MK.

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-202903 severity-high targetmilestone-inin2310
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-07-04 18:53 EDT-------
This feature is included in the latest openCryptoki version 3.21.0 as available from:
https://github.com/opencryptoki/opencryptoki/releases/tag/v3.21.0

Frank Heimes (fheimes)
affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.21.0+dfsg-0ubuntu1

---------------
opencryptoki (3.21.0+dfsg-0ubuntu1) mantic; urgency=medium

  * New upstream release (LP: #2026732), incl. support for:
    - concurrent MK rotation for ep11 token (LP: #2025917)
    - concurrent MK rotation for cca token (LP: #2025926)
    - cca token: protected key support (LP: #2025923)
    - pkcsslotd hardening (LP: #2025922)
    Required modifications:
    - add libcap-dev to Build-Depends
    - adjust and refresh d/p/01-disable-testcases.patch due to changed context
    - adjust and refresh d/p/04-pkcsslotd-cmdline-args.patch due to changed
      context and fuzz
    - adjust, expand and refresh
      d/p/lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
      due to changed context and changes around pkcsslotd, which req. folders
      added to d/opencryptoki.dirs and modifications in d/opencryptoki.postinst
      and d/opencryptoki.postrm to work properly.
    Fix selected issues on top of v3.21 and add:
    - d/p/lp-2026732-common-Correctly-set-default-attributes-for-certific.patch
    - d/p/lp-2026732-p11sak-Fix-user-confirmation-prompt-behavior-when-st.patch
    - d/p/lp-2026732-pkcsstats-Fix-handling-of-user-name.patch
    - d/p/lp-2026732-p11sak-fix-length-handling-when-importing-and-export.patch
    - d/p/lp-2026732-p11sak-Fix-listing-of-key-objects-when-other-object-.patch
    - d/p/lp-2026732-p11sak-Fix-parsing-of-slot-number-0.patch
  * According to LP: #2022088 comment #4, revert d/rules, d/triggers
    d/libopencryptoki0.{install,links} back, but do not instead add
    d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
    to fix 'failure that p11sak is not able to find libopencryptoki',
    since the p11sak code was refactored and changed significantly in v3.21.
    To fix this now expand d/p/03-dlopen-soname.patch with hunks for
    usr/sbin/p11sak/p11sak.h, usr/sbin/pkcshsm_mk_change/pkcshsm_mk_change.c,
    usr/sbin/pkcsstats/pkcsstats.c, testcases/common/common.c and
    testcases/policy/policytest.c
  * d/libopencryptoki0.links{.s390x} Merge files, since the content of the
    s390x version of this file applies to all platforms.
  * d/*: changes due to wrap-and-sort run

 -- Frank Heimes <email address hidden> Fri, 07 Jul 2023 12:15:35 +0200

Changed in opencryptoki (Ubuntu):
status: New → Fix Released
Frank Heimes (fheimes)
information type: Private → Public
Changed in ubuntu-z-systems:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.