File s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch of Package s390-tools.24640
Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Description:   genprotimg/check_hostkeydoc: cert. verification is too strict
Symptom:       Verification failures will occur for newer host key documents
Problem:       The certificate verification of check_hostkeydoc is too strict
               and doesn't match the checking performed by genprotimg. This
               applies to the OU field in the issuer DN of the host key
               document. As a consequence verification failures will occur for
               host key documents issued for hardware generations newer than
               IBM z15.
               
               DigiCert is the CA issuing the signing certificate for Secure
               Execution host key documents. This certificate is used for the
               verification of the host key document validity. Recently,
               DigiCert has changed the root CA certificate used for issuance
               of the signing certificates.  As genprotimg is checking the CA
               serial, the verification of the chain of trust will fail. As a
               workaround, it is possible to disable certificate verification,
               but this is not recommended because it makes it easier to
               provide a fake host key document. Since the previously issued
               host key documents are expiring in April 2022, it is necessary
               to fix genprotimg to accept the newly issued host key
               documents.
Solution:      Relax the certificate verification
Reproduction:  Use a new host key document
Upstream-ID:   673ff375d939d3cde674f8f99a62d456f8b1673d
Problem-ID:    197604
Upstream-Description:
              genprotimg/check_hostkeydoc: relax default issuer check
              While the original default issuer's organizationalUnitName (OU)
              was defined as "IBM Z Host Key Signing Service", any OU ending
              with "Key Signing Service" is considered legal.
              Let's relax the default issuer check by stripping off characters
              preceding "Key Signing Service".
              Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
              Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Index: s390-tools-service/genprotimg/samples/check_hostkeydoc
===================================================================
--- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc
+++ s390-tools-service/genprotimg/samples/check_hostkeydoc
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
 ISSUER_DN_FILE=$(mktemp)
 SUBJECT_DN_FILE=$(mktemp)
 DEF_ISSUER_DN_FILE=$(mktemp)
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
 CRL_SERIAL_FILE=$(mktemp)
 
 # Cleanup on exit
@@ -30,7 +31,7 @@ cleanup()
 {
     rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
         $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
-        $CRL_SERIAL_FILE
+        $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
 }
 trap cleanup EXIT
 
@@ -121,20 +122,31 @@ default_issuer()
     commonName                = International Business Machines Corporation
     countryName               = US
     localityName              = Poughkeepsie
-    organizationalUnitName    = IBM Z Host Key Signing Service
+    organizationalUnitName    = Key Signing Service
     organizationName          = International Business Machines Corporation
     stateOrProvinceName       = New York
 EOF
 }
 
-verify_issuer_files()
+# As organizationalUnitName can have an arbitrary prefix but must
+# end with "Key Signing Service" let's normalize the OU name by
+# stripping off the prefix
+verify_default_issuer()
 {
     default_issuer > $DEF_ISSUER_DN_FILE
 
-    if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+    sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
+	$ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
+
+    if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
     then
         echo Incorrect default issuer >&2 && exit 1
     fi
+}
+
+verify_issuer_files()
+{
+    verify_default_issuer
 
     if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
     then
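Review bot: The sed expression in verify_default_issuer strips everything before "Key Signing Service" with an unanchored `.*`, so the prefix need not end at a word boundary: an OU such as "XKey Signing Service" canonicalises to the default issuer and passes the diff. If only whole-word prefixes are meant to be accepted (whether genprotimg applies the same boundary is not visible here), require the prefix to be empty or to end in a space, e.g. `sed 's/^\([ ]*organizationalUnitName[ ]*=[ ]*\)\(.* \)\{0,1\}\(Key Signing Service\)$/\1\3/'`. That form also moves `^` out of the group, where BRE anchoring is implementation-defined. The comment above the function should also say that this DN comparison is a plausibility check on attacker-controllable certificate text, and that trust has to come from the signature and chain verification done elsewhere in the script, which is outside this hunk. verify_issuer_files continues past the end of the hunk.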