File s390-tools-libekmfweb-Fix-generation-of-certificate-or-CSR-with-RSA-PSS-instead-of-RSA.patch of Package s390-tools
From e4dcf084c5a54f8030da39707c5fa0fbb7ae9681 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 11 Sep 2025 08:37:38 +0200
Subject: [PATCH] libekmfweb: Fix generation of certificate or CSR with RSA-PSS
 instead of RSA

Currently a certificate or certificate signing request generated by the
zkey EKMFWeb library erroneously always uses RSA-PSS as signing algorithm,
although EKMFWeb does not support RSA-PSS certificates in all versions.
This bug was introduced with the rework to use libseckey for secure
key crypto operations.
Fixes: 26c34a49b1e4 ("libekmfweb: Make use of the new libseckey")
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Finn Callies <fcallies@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
libekmfweb/ekmfweb.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libekmfweb/ekmfweb.c b/libekmfweb/ekmfweb.c
index ee25fc084..3a822e78c 100644
--- a/libekmfweb/ekmfweb.c
+++ b/libekmfweb/ekmfweb.c
@@ -5099,14 +5099,15 @@ int ekmf_generate_csr(const struct ekmf_config *config,
}
}
-
- _ekmf_copy_pss_params(rsa_pss_params, &pss_params);
+ if (rsa_pss_params != NULL)
+ _ekmf_copy_pss_params(rsa_pss_params, &pss_params);
rc = SK_OPENSSL_generate_csr(key_blob, key_blob_size,
subject_rdns, num_subject_rdns,
subject_utf8, cert,
extensions, num_extensions,
- digest_nid, &pss_params, &req,
+ digest_nid, rsa_pss_params != NULL ?
+ &pss_params : NULL, &req,
&ext_lib_info.ext_lib, verbose);
if (rc != 0) {
pr_verbose(verbose, "SK_OPENSSL_generate_csr failed "
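Review bot: In ekmf_generate_csr the `rsa_pss_params != NULL` test now appears twice, once guarding `_ekmf_copy_pss_params()` and again in the ternary passed to `SK_OPENSSL_generate_csr()`, so the copy and the argument can drift apart in a later edit. Consider deciding once: declare a local pointer initialised to NULL, set it to `&pss_params` inside the `if` after the copy, and pass that pointer to the call. That also makes it obvious that `pss_params` is never read when the caller passes NULL. The hunk also drops the blank line that preceded this statement; keeping it would leave the new `if` visually separate from the closing braces above.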
@@ -5245,14 +5246,16 @@ int ekmf_generate_ss_cert(const struct ekmf_config *config,
}
}
- _ekmf_copy_pss_params(rsa_pss_params, &pss_params);
+ if (rsa_pss_params != NULL)
+ _ekmf_copy_pss_params(rsa_pss_params, &pss_params);
rc = SK_OPENSSL_generate_ss_cert(key_blob, key_blob_size,
subject_rdns, num_subject_rdns,
subject_utf8, rcert,
extensions, num_extensions,
validity_days, digest_nid,
- &pss_params, &cert,
+ rsa_pss_params != NULL ?
+ &pss_params : NULL, &cert,
&ext_lib_info.ext_lib, verbose);
if (rc != 0) {
pr_verbose(verbose, "SK_OPENSSL_generate_ss_cert failed "
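Review bot: The guard and ternary in ekmf_generate_ss_cert repeat the pair added to ekmf_generate_csr, and the diffstat shows only libekmfweb/ekmfweb.c changed, so nothing in this patch checks that a NULL `rsa_pss_params` actually yields a non-PSS signature. Since the commit message traces the bug to the libseckey rework, a regression test that generates a CSR and a self-signed certificate with `rsa_pss_params` set to NULL and inspects the resulting signature algorithm would keep it from returning. A short comment at the `SK_OPENSSL_generate_ss_cert()` call stating that a NULL PSS parameter pointer selects RSA rather than RSA-PSS would document the contract this fix relies on.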