[23.10 FEAT] [SEC2113] openCryptoki cca token: protected key support

Bug #2025923 reported by bugproxy
This bug affects 2 people
Affects                  | Status       | Importance | Assigned to           | Milestone
Ubuntu on IBM z Systems  | Fix Released | Medium     | Skipper Bug Screeners |
opencryptoki (Ubuntu)    | Fix Released | High       | Unassigned            |

Bug Description

Introduce a vendor-specific key attribute for CCA keys (reusing the attribute that was introduced for the analogous EP11 epic) which marks a key as one that shall be transformed into a protected key, with the protected key then used whenever possible.
Provide an option for the cca token instance defining that CCA secure keys of a certain type (e.g. AES or ECDSA keys) shall be transformed into protected keys, with the protected keys then used whenever possible.

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-202905 severity-high targetmilestone-inin2310
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-07-04 18:42 EDT-------
This feature is included in the latest openCryptoki version 3.21.0 as available from:
https://github.com/opencryptoki/opencryptoki/releases/tag/v3.21.0

Frank Heimes (fheimes)
affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
importance: Undecided → High
Changed in ubuntu-z-systems:
importance: Undecided → Medium
summary: - [23.10] [SEC2113] openCryptoki cca token: protected key support
+ [23.10 FEAT] [SEC2113] openCryptoki cca token: protected key support
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.21.0+dfsg-0ubuntu1

---------------
opencryptoki (3.21.0+dfsg-0ubuntu1) mantic; urgency=medium

  * New upstream release (LP: #2026732), incl. support for:
    - concurrent MK rotation for ep11 token (LP: #2025917)
    - concurrent MK rotation for cca token (LP: #2025926)
    - cca token: protected key support (LP: #2025923)
    - pkcsslotd hardening (LP: #2025922)
    Required modifications:
    - add libcap-dev to Build-Depends
    - adjust and refresh d/p/01-disable-testcases.patch due to changed context
    - adjust and refresh d/p/04-pkcsslotd-cmdline-args.patch due to changed
      context and fuzz
    - adjust, expand and refresh
      d/p/lp-1982842-move-pkcs11-group-assigment-from-makefile-to-postinst.patch
      due to changed context and changes around pkcsslotd, which req. folders
      added to d/opencryptoki.dirs and modifications in d/opencryptoki.postinst
      and d/opencryptoki.postrm to work properly.
    Fix selected issues on top of v3.21 and add:
    - d/p/lp-2026732-common-Correctly-set-default-attributes-for-certific.patch
    - d/p/lp-2026732-p11sak-Fix-user-confirmation-prompt-behavior-when-st.patch
    - d/p/lp-2026732-pkcsstats-Fix-handling-of-user-name.patch
    - d/p/lp-2026732-p11sak-fix-length-handling-when-importing-and-export.patch
    - d/p/lp-2026732-p11sak-Fix-listing-of-key-objects-when-other-object-.patch
    - d/p/lp-2026732-p11sak-Fix-parsing-of-slot-number-0.patch
  * According to LP: #2022088 comment #4, revert d/rules, d/triggers
    d/libopencryptoki0.{install,links} back, but do not instead add
    d/p/lp-2022088-fix-p11sak-failure-to-find-libopencryptoki.so.patch
    to fix 'failure that p11sak is not able to find libopencryptoki',
    since the p11sak code was refactored and changed significantly in v3.21.
    To fix this now expand d/p/03-dlopen-soname.patch with hunks for
    usr/sbin/p11sak/p11sak.h, usr/sbin/pkcshsm_mk_change/pkcshsm_mk_change.c,
    usr/sbin/pkcsstats/pkcsstats.c, testcases/common/common.c and
    testcases/policy/policytest.c
  * d/libopencryptoki0.links{.s390x} Merge files, since the content of the
    s390x version of this file applies to all platforms.
  * d/*: changes due to wrap-and-sort run

 -- Frank Heimes <email address hidden> Fri, 07 Jul 2023 12:15:35 +0200

Changed in opencryptoki (Ubuntu):
status: New → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Fix Released
information type: Private → Public