[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
** Changed in: ubuntu-z-systems Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
This bug was fixed in the package opencryptoki - 3.9.0+dfsg-0ubuntu1.3 --- opencryptoki (3.9.0+dfsg-0ubuntu1.3) bionic; urgency=medium * Fix re-encryption of EP11 key blobs. (LP: #1854148) -- Brian Murray Mon, 28 Sep 2020 11:29:31 -0700 ** Changed in: opencryptoki (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Thanks for verifying on bionic! I'm adjusting the tags accordingly ... ** Tags removed: verification-needed verification-needed-bionic ** Tags added: verification-done verification-done-bionic ** Changed in: opencryptoki (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: ubuntu-z-systems Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Hello bugproxy, or anyone else affected, Accepted opencryptoki into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/opencryptoki/3.9.0+dfsg-0ubuntu1.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: opencryptoki (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Do you have any more information about verifying the functionality? I'd like to help get this uploaded to the SRU queue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
The pool for the ppa is at http://ppa.launchpad.net/brian- murray/ppa/ubuntu/ you can use dget to fetch the source packages; and dpkg-source -x to extract them, i.e. dget http://ppa.launchpad.net/brian- murray/ppa/ubuntu/pool/main/o/opencryptoki/opencryptoki_3.9.0+dfsg- 0ubuntu1.3~ppa2.dsc dpkg-source -x opencryptoki_3.9.0+dfsg-0ubuntu1.3~ppa2.dsc Also note, when testing a PPA, you are not expected to install .deb files by hand, but instead enable PPA and simply upgrade all the packages from it. I.e. sudo add-apt-repository ppa:brian-murray/ppa sudo apt update sudo apt full-upgrade These intructions are listed on "add this ppa to your system" on the https://launchpad.net/~brian-murray/+archive/ubuntu/ppa That's more secure than downloading debs, as GPG signatures for the archive are verified & checksums of the debs are validated. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
It seems that the 3.9.0 version of opencryptoki doesn't ship the commands that you are trying to use. $ dpkg-deb -c opencryptoki_3.14.0+dfsg-0ubuntu3_s390x.deb | grep sbin drwxr-xr-x root/root 0 2020-09-17 07:14 ./usr/sbin/ -rwxr-xr-x root/root 34744 2020-09-17 07:14 ./usr/sbin/p11sak -rwxr-xr-x root/root 88200 2020-09-17 07:14 ./usr/sbin/pkcscca -rwxr-xr-x root/root 63592 2020-09-17 07:14 ./usr/sbin/pkcsconf -rwxr-xr-x root/root 38864 2020-09-17 07:14 ./usr/sbin/pkcsep11_migrate -rwxr-xr-x root/root 47048 2020-09-17 07:14 ./usr/sbin/pkcsep11_session -rwxr-xr-x root/root104456 2020-09-17 07:14 ./usr/sbin/pkcsicsf -rwxr-xr-x root/root 88648 2020-09-17 07:14 ./usr/sbin/pkcsslotd -rwxr-xr-x root/root 84024 2020-09-17 07:14 ./usr/sbin/pkcstok_migrate $ dpkg-deb -c opencryptoki_3.9.0+dfsg-0ubuntu1.2_s390x.deb | grep sbin drwxr-xr-x root/root 0 2019-08-19 08:46 ./usr/sbin/ -rwxr-xr-x root/root 59792 2019-08-19 08:46 ./usr/sbin/pkcscca -rwxr-xr-x root/root 51144 2019-08-19 08:46 ./usr/sbin/pkcsconf -rwxr-xr-x root/root 30800 2019-08-19 08:46 ./usr/sbin/pkcsep11_migrate -rwxr-xr-x root/root 34888 2019-08-19 08:46 ./usr/sbin/pkcsep11_session -rwxr-xr-x root/root 71688 2019-08-19 08:46 ./usr/sbin/pkcsicsf -rwxr-xr-x root/root118240 2019-08-19 08:46 ./usr/sbin/pkcsslotd Are these required to verify and fix the bug? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
** Tags added: fr-763 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
The referenced commit did not apply cleanly to the version of opencryptoki in Ubuntu 18.04 but I managed to same changes made and have uploaded it to my PPA. Could you please test this version of opencryptoki? https://launchpad.net/~brian-murray/+archive/ubuntu/ppa/+packages ** Changed in: opencryptoki (Ubuntu Bionic) Assignee: (unassigned) => Brian Murray (brian-murray) ** Changed in: opencryptoki (Ubuntu Bionic) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Changing the Eoan entry to Won't Fix, since Eoan reached it's EOL: https://lists.ubuntu.com/archives/ubuntu-announce/2020-July/000258.html ** Changed in: opencryptoki (Ubuntu Eoan) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
** Changed in: ubuntu-z-systems Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
This bug was fixed in the package opencryptoki - 3.12.1+dfsg-0ubuntu1 --- opencryptoki (3.12.1+dfsg-0ubuntu1) focal; urgency=medium * New upstream release LP: #1854148, LP: #1852089, LP: #1850294 -- Dimitri John Ledkov Thu, 06 Feb 2020 14:59:50 + ** Changed in: opencryptoki (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Since Ubuntu 19.04 / Disco reached it's end-of-life on January the 23rd: https://lists.ubuntu.com/archives/ubuntu-announce/2020-January/000253.html the entry that marks this ticket as affecting 'Disco' is changed to 'Won't Fix'. ** Changed in: opencryptoki (Ubuntu Disco) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
** Description changed: - We just released openCryptoki 3.12.1 to fix a bug in the pkcs11_migrate tool. + SRU Justification: + -- + + [Impact] + + * With commit 2668e8f the contents of attribute CKA_IBM_OPAQUE has been + changed to contain the raw EP11 blob directly, no longer wrapped into + struct ep11_opaque. + + * The pkcsep11_migrate tool now needs to be corrected in a way that it + also expects the raw blob in attribute CKA_IBM_OPAQUE to match what the + EP11 token provides. + + [Fix] + + * 316e35e55b1fe90d963186d54e7d8c4f77ce94ed "pkcsep11_migrate: Fix re- + encryption of EP11 key blobs" + + [Test Case] + + * An s390x system (LPAR or z/VM) with at least one crypto domain online + and a master key set is needed. + + * Install the opencryptoki package on that system, which includes the + pkcsep11_migrate tool. + + * Use the pkcsep11_migrate to re-encrypt EP11 token keys in preparation + of master keys change in the EP11 adapter. + + [Regression Potential] + + * The regression potential can be considered as moderate, since: + + * this is limited to EP11 token keys migration and re-encryption + situations + + * and the patch modifies the pkcsep11_migrate utility only, hence will + not effect other pkcs* tools + + * and right now the pkcsep11_migrate utility is broken anyway + + [Other Info] + * On top the patch "pkcsep11_migrate: Fix re-encryption of EP11 key blobs" fixes some minor things to make re-encryption really work. + __ + + We just released openCryptoki 3.12.1 to fix a bug in the pkcs11_migrate + tool. + Change Log: - Fix pkcsep11_migrate tool - + https://github.com/opencryptoki/opencryptoki https://github.com/opencryptoki/opencryptoki/releases/tag/v3.12.1 - + Please update the feature request to either.. - include the 3.12.1 bug-fix release .. - .. or include the following commit on top of 3.12: https://github.com/opencryptoki/opencryptoki/commit/316e35e55b1fe90d963186d54e7d8c4f77ce94ed " This fix is applicable to openCryptoki >= 3.4, which means: 20.04 19.10 18.04 16.04 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854148] Re: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs
Since we don't do version bumps on Ubuntu versions that are already released, we will probably just cherry-pick the fix for 19.10, 19.04, 18.04, and 16.04. 20.04 may come with an updated package, like 3.12.1. ** Also affects: ubuntu-z-systems Importance: Undecided Status: New ** Changed in: ubuntu-z-systems Status: New => Triaged ** Changed in: ubuntu-z-systems Importance: Undecided => High ** Changed in: ubuntu-z-systems Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team) ** Changed in: opencryptoki (Ubuntu) Assignee: Skipper Bug Screeners (skipper-screen-team) => Canonical Foundations Team (canonical-foundations) ** Also affects: opencryptoki (Ubuntu Eoan) Importance: Undecided Status: New ** Also affects: opencryptoki (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: opencryptoki (Ubuntu Disco) Importance: Undecided Status: New ** Also affects: opencryptoki (Ubuntu Bionic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs