Comment 0 for bug 1990520

Description:
zkey: Fix re-enciphering of EP11 identity key of KMIP plugin

Symptom:
When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. A subsequent connection attempt with the KMIP server will fail because the identity key is no longer valid.

Problem:
The re-enciphered secure key is not copied back into the key token buffer. Also, the the public key part, i.e. the MACed SubjectPublicKeyInfo (SPKI) structure must also be re-enciphered (i.e. re-MACed), since the MAC is calculated with the EP11 master key.

Solution:
Copy the re-enciphered secure key back into the key token buffer, and also re-encipher the public key part.

Reproduction: Perform a master key change on the EP11 APQNs used with the
               KMIP plugin.

Problem-ID: 197605

Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397

Preventive: yes

Date: 2022-04-08
Author: Ingo Franzki <email address hidden>
Component: s390-tools

== Comment: #1 - Ingo Franzki <email address hidden> - 2022-04-08 09:57:45 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/4e2ebe0370d9fb036b7554d5ac5df4418dbe0397