Removing focal as affected Ubuntu release
since focal's latest s390-tools version 2.12.0-0ubuntu3.4 (in focal-updates)
does not ship /usr/share/s390-tools/genprotimg/check_hostkeydoc.

** No longer affects: s390-tools (Ubuntu Focal)

** No longer affects: s390-tools-signed (Ubuntu Focal)

** Summary changed:

- [UBUNTU 20.04] check_hostkeydoc is checking the certificate issuer too 
strictly (s390-tools)
+ [UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate issuer 
too strictly (s390-tools)

** Description changed:

  SRU Justification:
  ==================
  
  [Impact]
  
-  * The s390-tools script check_hostkeydoc can be used to perform the
-    verification of the chain of trust for Secure Execution host key documents.
+  * The s390-tools script check_hostkeydoc can be used to perform the
+    verification of the chain of trust for Secure Execution host key documents.
  
-  * The certificate verification is however too strict and doesn't match the
-    checking performed by the genprotimg tool.
+  * The certificate verification is however too strict and doesn't match the
+    checking performed by the genprotimg tool.
  
-  * Affected is the OU field in the issuer DN of the host key document.
-    As a consequence, verification failures will occur for host key documents
-    issued for newer hardware generations like IBM z16.
+  * Affected is the OU field in the issuer DN of the host key document.
+    As a consequence, verification failures will occur for host key documents
+    issued for newer hardware generations like IBM z16.
  
-  * While the original default issuer's organizationalUnitName (OU)
-   was defined as "IBM Z Host Key Signing Service", any OU ending
-   with "Key Signing Service" is considered legal by this fix/commit.
+  * While the original default issuer's organizationalUnitName (OU)
+   was defined as "IBM Z Host Key Signing Service", any OU ending
+   with "Key Signing Service" is considered legal by this fix/commit.
  
-  * So the default issuer check got relaxed by stripping off characters
-   preceding "Key Signing Service".
+  * So the default issuer check got relaxed by stripping off characters
+   preceding "Key Signing Service".
  
  [Fix]
  
-  * 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d
+  * 673ff37 673ff375d939d3cde674f8f99a62d456f8b1673d
  ("genprotimg/check_hostkeydoc: relax default issuer check")
  
  [Test Plan]
  
-  * The usage of secure execution is nicely documented at the
-    'Introducing IBM Secure Execution for Linux' docs.
-    
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
-    Relevant for this fix is paragraph 'Verifying the host key document'
-    
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
+  * The usage of secure execution is nicely documented at the
+    'Introducing IBM Secure Execution for Linux' docs.
+    
https://www.ibm.com/docs/en/linux-on-systems?topic=virtualization-introducing-secure-execution-linux
+    Relevant for this fix is paragraph 'Verifying the host key document'
+    
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
  
-  * Especially notice the 'About this task' section that references the
-    check_hostkeydoc script to perform the verification steps.
+  * Especially notice the 'About this task' section that references the
+    check_hostkeydoc script to perform the verification steps.
  
-  + Due to the fact that Secure Execution requires z15 as a minimal
-    hardware level, the testing is done by IBM.
+  + Due to the fact that Secure Execution requires z15 as a minimal
+    hardware level, the testing is done by IBM.
  
  [Where problems could occur]
  
-  * Problem can occur in the check_hostkeydoc helper script only.
+  * Problem can occur in the check_hostkeydoc helper script only.
  
-  * The script cane become broken at all and may refuse to properly verify
-    even valid signed keys.
+  * The script cane become broken at all and may refuse to properly verify
+    even valid signed keys.
  
-  * The sed statement in the script might be wrong and  cut out a wrong
-    organizationalUnitName.
+  * The sed statement in the script might be wrong and  cut out a wrong
+    organizationalUnitName.
  
-  * And since this is a helper script and the verification can also be done
-    without this script, the risk is not too high.
+  * And since this is a helper script and the verification can also be done
+    without this script, the risk is not too high.
  
-  * A verification can be done based with check_hostkeydoc and with the manual
-    steps (with a valid and invalid signed key) to validate equal results.
+  * A verification can be done based with check_hostkeydoc and with the manual
+    steps (with a valid and invalid signed key) to validate equal results.
  
-  * The modification are relatively straight-formward:
-    
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
+  * The modification are relatively straight-formward:
+    
https://github.com/ibm-s390-linux/s390-tools/commit/673ff375d939d3cde674f8f99a62d456f8b1673d
  
-  * And overall this is an s390x topic only, and even there only relevant for
-    Secure Execution (KVM) TEE environments only.
+  * And overall this is an s390x topic only, and even there only relevant for
+    Secure Execution (KVM) TEE environments only.
  
  [Other Info]
-  
-  * Even if the LP bug title references focal only, this fix is also needed
-    for all newer Ubuntu releases - here: impish and jammy.
+ 
+  * This does not affect focal (like initiall indicated),
+    since focal's s390-tools version does not include the 
+    check_hostkeydoc file.
  
  __________
  
  == Comment: #0 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07 
09:16:49 ==
  The s390-tools script check_hostkeydoc can be used to perform the 
verification of the chain of trust for Secure Execution host key documents.
  The certificate verification is however too strict and doesn't match the 
checking performed by genprotimg.
  Affected is the OU field in the issuer DN of the host key document. As a 
consequence, verification failures will occur for host key documents issued for 
newer hardware generations like IBM z16.
  
  == Comment: #1 - Viktor Mihajlovski <mihaj...@de.ibm.com> - 2022-04-07 
09:18:08 ==
  Fixed by:
  
  https://github.com/ibm-s390-linux/s390-tools
  
  commit 673ff375d939d3cde674f8f99a62d456f8b1673d
  Author: Viktor Mihajlovski <mihaj...@linux.ibm.com>
  Date:   Tue Mar 15 12:55:02 2022 +0100
  
      genprotimg/check_hostkeydoc: relax default issuer check
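
Review bot: in [Other Info], the replacement text only states that focal is unaffected ("initiall" should read "initially") and drops the removed line saying the fix is also needed for impish and jammy. Since the summary now names 21.10 / 22.04, suggest keeping one line in [Other Info] that lists impish and jammy as the releases that need the fix. In [Where problems could occur], the stated risk is that the sed statement cuts out a wrong organizationalUnitName. The comparison between check_hostkeydoc and the manual steps could name that negative case explicitly: a host key document whose issuer OU does not end with "Key Signing Service", alongside the valid and invalid signed keys already mentioned.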

-- 
https://bugs.launchpad.net/bugs/1968259

Title:
  [UBUNTU 21.10 / 22.04] check_hostkeydoc is checking the certificate
  issuer too strictly (s390-tools)
