File s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch of Package s390-tools.28248
Subject: [PATCH] [BZ 197605] libseckey: Fix re-enciphering of EP11 secure key
From: Ingo Franzki <ifranzki@linux.ibm.com>
Description: zkey: Fix re-enciphering of EP11 identity key of KMIP plugin
Symptom: When re-enciphering the identity key and/or wrapping key of the
zkey KMIP plugin via 'zkey kms reencipher', the operation
completes without an error, but the secure keys are left
un-reenciphered. A subsequent connection attempt with the KMIP
server will fail because the identity key is no longer valid.
Problem: The re-enciphered secure key is not copied back into the
key token buffer. Also, the the public key part, i.e. the MACed
SubjectPublicKeyInfo (SPKI) structure must also be re-
enciphered (i.e. re-MACed), since the MAC is calculated with
the EP11 master key.
Solution: Copy the re-enciphered secure key back into the key toke
buffer, and also re-encipher the public key part.
Reproduction: Perform a master key change on the EP11 APQNs used with the
KMIP plugin.
Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Problem-ID: 197605
Upstream-Description:
libseckey: Fix re-enciphering of EP11 secure key
The re-enciphering of EP11 asymmetric secure keys does not work.
First, the result of the re-encipher operation of the private key
part must be copied back into the user supplied key token buffer.
Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
(SPKI) structure must also be re-enciphered (i.e. re-MACed), since
the MAC is calculated with the EP11 master key.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
libseckey/sk_ep11.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
--- a/libseckey/sk_ep11.c
+++ b/libseckey/sk_ep11.c
@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct
return -EIO;
}
+ memcpy(blob, lrb.payload, lrb.pllen);
+
+ /* re-encipher MACed SPKI */
+ rb.domain = domain;
+ lrb.domain = domain;
+
+ resp_len = sizeof(resp);
+ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
+ &rb, NULL, key_token + hdr->len,
+ key_token_length - hdr->len);
+ if (req_len < 0) {
+ sk_debug(debug, "Failed to build XCP command block");
+ return -EIO;
+ }
+
+ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
+ 0, ep11_lib->target);
+ if (rv != CKR_OK || resp_len == 0) {
+ sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
+ "rc = 0x%lx, resp_len = %ld", rv, resp_len);
+ return -EIO;
+ }
+
+ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
+ if (rc != 0) {
+ sk_debug(debug, "Failed to parse response. rc = %d", rc);
+ return -EIO;
+ }
+
+ if (rv != CKR_OK) {
+ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
+ "rc = 0x%lx", rv);
+ switch (rv) {
+ case CKR_IBM_WKID_MISMATCH:
+ sk_debug(debug, "The EP11 secure key is currently "
+ "encrypted under a different master that does "
+ "not match the master key in the CURRENT "
+ "master key register of APQN %02X.%04X",
+ card, domain);
+ break;
+ }
+ return -EIO;
+ }
+
+ if (key_token_length - hdr->len != lrb.pllen) {
+ sk_debug(debug, "Re-encrypted EP11 secure key size has "
+ "changed: org-len: %lu, new-len: %lu",
+ hdr->len - sizeof(*hdr), lrb.pllen);
+ return -EIO;
+ }
+
+ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
+
return 0;
}