Ubuntu
opencryptoki package

[24.10 FEAT] [SEC2356] openCryptoki ep11 token: support protected keys for extractable keys

Bug #2050018 reported by bugproxy
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
opencryptoki (Ubuntu)
Fix Released
Undecided
Frank Heimes

Bug Description

With version 4.1 of the ep11 support program key may based on a new control point have both the CKA_EXTRACTABLE and the CKA_PROT_KEY_EXTRACTABLE attributes set to CK_TRUE. The ep11 token shall support keys that have both attributes set to true if version 4.1 of the ep11 library is linked.
With this support also the value ENABLED for the PKEY_MODE attribute in the EP11 config file. If the linked ep11 library has a version smaller than 4.1 then the semantics of the ENABLED attribute value should be set to the semantics of the ENABLE4NONEXTR.

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-204745 severity-high targetmilestone-inin2404
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Changed in ubuntu-z-systems:
importance: Undecided → High
Revision history for this message
Frank Heimes (fheimes) wrote :

Thanks for raising this.
Is the opencryptoki version already known where this should land in?

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-01-23 07:17 EDT-------
This feature will not make it in time.

Revision history for this message
Frank Heimes (fheimes) wrote : Re: [24.04 FEAT] [SEC2356] openCryptoki ep11 token: support protected keys for extractable keys

Ok, I'll update the ticket accordingly.

summary: - [24.04 FEAT] [SEC2356] openCryptoki ep11 token: support protected keys
+ [24.10 FEAT] [SEC2356] openCryptoki ep11 token: support protected keys
for extractable keys
Changed in ubuntu-z-systems:
status: New → Incomplete
Changed in opencryptoki (Ubuntu):
status: New → Incomplete
bugproxy (bugproxy)
tags: added: targetmilestone-inin2410
removed: targetmilestone-inin2404
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for opencryptoki (Ubuntu) because there has been no activity for 60 days.]

Changed in opencryptoki (Ubuntu):
status: Incomplete → Expired
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2024-07-10 07:56 EDT-------
The backports of the required 9 commits for this feature are now available at https://github.com/ifranzki/opencryptoki/commits/SEC2356-backport/

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Incomplete → Triaged
Changed in opencryptoki (Ubuntu):
status: Expired → Triaged
Revision history for this message
Frank Heimes (fheimes) wrote :

Test builds were successful here:
launchpad.net/~fheimes/+archive/ubuntu/lp2050018

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
Changed in opencryptoki (Ubuntu):
status: Triaged → Fix Committed
information type: Private → Public
Changed in opencryptoki (Ubuntu):
assignee: nobody → Frank Heimes (fheimes)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.23.0+dfsg-0ubuntu4

---------------
opencryptoki (3.23.0+dfsg-0ubuntu4) oracular; urgency=medium

  * Add support for protected keys and extractable keys with EP11 token, with:
    - d/p/lp-2050018-EP11-pkey-option-add-new-PKEY_MODE-parms-to-ep11-con.patch
    - d/p/lp-2050018-EP11-pkey-option-handle-new-PKEY_MODE-parms-for-new-.patch
    - d/p/lp-2050018-EP11-pkey-option-handle-new-PKEY_MODE-parms-in-eligi.patch
    - d/p/lp-2050018-EP11-pkey-option-add-NO_PKEY-compile-option-for-EP11.patch
    - d/p/lp-2050018-EP11-pkey-option-consolidate-code-parts-no-logic-cha.patch
    - d/p/lp-2050018-EP11-add-check-if-protected-key-support-available-at.patch
    - d/p/lp-2050018-EP11-consider-combined-extract-for-XTS-pkey-check.patch
    - d/p/lp-2050018-EP11-Reject-combined-extract-attribute-settings-if-i.patch
    - d/p/lp-2050018-EP11-Fix-compile-error-with-NO_PKEY-defined.patch
    (LP: #2050018)

 -- Frank Heimes <email address hidden> Fri, 26 Jul 2024 13:04:25 +0200

Changed in opencryptoki (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
tags: added: petest-440
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.