Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.
Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure, must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.
Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the KMIP plugin.
Problem-ID: 197605
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Preventive: yes
Date: 2022-04-08
Author: Ingo Franzki <email address hidden>
Component: s390-tools
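
The defect and the fix described above, modelled as an added C example that is not s390-tools code and not part of the original report. Every name in it is hypothetical, and XOR plus a rolling sum stand in for the adapter's key wrapping and MAC so the effect of a master key change on both parts of the token can be checked.

```c
#include <stdint.h>
#include <string.h>
#define LEN 16
/* Toy model (assumption): toy_rewrap and toy_mac stand in for the adapter's
 * re-encipher call and MAC. They are not cryptography and not the EP11 API. */
struct key_token {
    uint8_t blob[LEN];   /* private part, enciphered under the master key */
    uint8_t spki[LEN];   /* public part, stored in the clear */
    uint8_t spki_mac;    /* MAC over spki, keyed with the master key */
};

static uint8_t toy_mac(const uint8_t *d, uint8_t mk) {
    for (int i = 0; i < LEN; i++) mk = (uint8_t)(mk * 31 + d[i]);
    return mk;
}

static void toy_rewrap(const uint8_t *in, uint8_t *out, uint8_t old_mk, uint8_t new_mk) {
    for (int i = 0; i < LEN; i++) out[i] = (uint8_t)(in[i] ^ old_mk ^ new_mk);
}

/* Constructed sample token, wrapped and MACed under master key mk. */
struct key_token make_token(const uint8_t *clear, uint8_t mk) {
    struct key_token t = { .spki = { 0x30, 0x59 } };  /* constructed bytes */
    toy_rewrap(clear, t.blob, 0, mk);
    t.spki_mac = toy_mac(t.spki, mk);
    return t;
}

/* 0 = usable under mk, 1 = stale secure key blob, 2 = stale SPKI MAC. */
int token_check(const struct key_token *t, const uint8_t *clear, uint8_t mk) {
    for (int i = 0; i < LEN; i++)
        if ((uint8_t)(t->blob[i] ^ mk) != clear[i]) return 1;
    return t->spki_mac == toy_mac(t->spki, mk) ? 0 : 2;
}

/* Defect pattern: the result stays in a local buffer, yet 0 (success) is returned. */
int reencipher_buggy(struct key_token *t, uint8_t old_mk, uint8_t new_mk) {
    uint8_t tmp[LEN];
    toy_rewrap(t->blob, tmp, old_mk, new_mk);
    return 0;
}

/* Fixed pattern: copy the blob back and re-MAC the SPKI under the new key. */
int reencipher_fixed(struct key_token *t, uint8_t old_mk, uint8_t new_mk) {
    uint8_t tmp[LEN];
    toy_rewrap(t->blob, tmp, old_mk, new_mk);
    memcpy(t->blob, tmp, LEN);
    t->spki_mac = toy_mac(t->spki, new_mk);
    return 0;
}
```

Because the defective path still returns success, a caller can only detect it by validating the token under the new master key afterwards, which is what `token_check` models.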
== Comment: #1 - Ingo Franzki <email address hidden> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397