Hello community,

here is the log from the commit of package s390-tools for openSUSE:Factory 
checked in at 2022-04-14 17:26:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/s390-tools (Old)
 and      /work/SRC/openSUSE:Factory/.s390-tools.new.1941 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "s390-tools"

Thu Apr 14 17:26:04 2022 rev:45 rq:970181 version:2.19.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/s390-tools/s390-tools.changes    2022-03-11 
21:54:17.494670411 +0100
+++ /work/SRC/openSUSE:Factory/.s390-tools.new.1941/s390-tools.changes  
2022-04-14 17:26:40.747348500 +0200
@@ -1,0 +2,21 @@
+Thu Apr 14 13:57:12 UTC 2022 - Mark Post <mp...@suse.com>
+
+- Updated the cputype script to include the model number of IBM's
+  recently announced z16 processor.
+
+-------------------------------------------------------------------
+Mon Apr 11 21:11:48 UTC 2022 - Mark Post <mp...@suse.com>
+
+- Added the following patches for bsc#1198285:
+  s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
+  
s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
+  The certificate verification of check_hostkeydoc is too strict and
+  doesn't match the checking performed by genprotimg.
+- Added the following patch for bsc#1198284:
+  s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
+  When re-enciphering the identity key and/or wrapping key of the
+  zkey KMIP plugin via 'zkey kms reencipher', the operation
+  completes without an error, but the secure keys are left 
+  un-reenciphered.
+
+-------------------------------------------------------------------

New:
----
  s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
  s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
  s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ s390-tools.spec ++++++
--- /var/tmp/diff_new_pack.2uguZB/_old  2022-04-14 17:26:41.819349752 +0200
+++ /var/tmp/diff_new_pack.2uguZB/_new  2022-04-14 17:26:41.827349762 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package s390-tools
 #
-# Copyright (c) 2001-2022 SUSE LLC
+# Copyright (c) 2021-2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
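Review bot: The copyright line in the spec header changes its start year from 2001 to 2021, which none of the changelog entries in this request mention and which looks unrelated to the three added patches. If this came from an automated header rewrite, restore `2001-2022` or record the reason in s390-tools.changes.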
@@ -97,6 +97,9 @@
 Patch002:       
s390-tools-sles15sp4-chreipl-fcp-mpath-remove-shebang-from-chreipl-fcp-mp.patch
 Patch003:       
s390-tools-sles15sp4-zdev-modify-the-lsblk-output-parser-in-lszdev.patch
 Patch004:       
s390-tools-sles15sp4-zdev-Fix-path-resolution-for-multi-mount-point-file-.patch
+Patch005:       
s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
+Patch006:       
s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
+Patch007:       
s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
 
 # SUSE patches
 Patch900:       s390-tools-sles12-zipl_boot_msg.patch

++++++ cputype ++++++
--- /var/tmp/diff_new_pack.2uguZB/_old  2022-04-14 17:26:41.959349916 +0200
+++ /var/tmp/diff_new_pack.2uguZB/_new  2022-04-14 17:26:41.959349916 +0200
@@ -62,6 +62,7 @@
   3907) echo "${machine} = z14 ZR1 IBM z14 ZR1" ;;
   8561) echo "${machine} = z15 T01 IBM z15 T01" ;;
   8562) echo "${machine} = z15 T02 IBM z15 T02" ;;
+  3931) echo "${machine} = z16     IBM z16" ;;
   *) echo "An unknown machine type was reported: ${machine}" >&2
      echo "Please file a bug report with this output:" >&2
      /bin/cat /proc/cpuinfo >&2

++++++ s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch ++++++
Subject: [PATCH] [BZ 197604] genprotimg: remove DigiCert root CA pinning
From: Marc Hartmayer <mhart...@linux.ibm.com>

Description:   genprotimg/check_hostkeydoc: cert. verification is too strict
Symptom:       Verification failures will occur for newer host key documents
Problem:       The certificate verification of check_hostkeydoc is too strict
               and doesn't match the checking performed by genprotimg. This
               applies to the OU field in the issuer DN of the host key
               document. As a consequence verification failures will occur for
               host key documents issued for hardware generations newer than
               IBM z15.
               
               DigiCert is the CA issuing the signing certificate for Secure
               Execution host key documents. This certificate is used for the
               verification of the host key document validity. Recently,
               DigiCert has changed the root CA certificate used for issuance
               of the signing certificates.  As genprotimg is checking the CA
               serial, the verification of the chain of trust will fail. As a
               workaround, it is possible to disable certificate verification,
               but this is not recommended because it makes it easier to
               provide a fake host key document. Since the previously issued
               host key documents are expiring in April 2022, it is necessary
               to fix genprotimg to accept the newly issued host key
               documents.
Solution:      Relax the certificate verification
Reproduction:  Use a new host key document
Upstream-ID:   78b053326c504c0535b5ec1c244ad7bb5a1df29d
Problem-ID:    197604

Upstream-Description:

              genprotimg: remove DigiCert root CA pinning

              Remove the DigiCert root CA pinning. The root CA used for the chain of
              trust can change in the future therefore let's remove this check. If
              someone wants to enforce the usage of a specific root CA it can be
              selected by the genprotimg command line option `--root-ca $CA`. Make it
              transparent to the user which root CA is actually being used by printing
              the subject name of the root CA to stdout in verbose mode.

              Signed-off-by: Marc Hartmayer <mhart...@linux.ibm.com>
              Acked-by: Viktor Mihajlovski <mihaj...@linux.ibm.com>
              Reviewed-and-tested-by: Nico Boehr <n...@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoepp...@linux.ibm.com>


Signed-off-by: Marc Hartmayer <mhart...@linux.ibm.com>
Index: s390-tools-service/genprotimg/man/genprotimg.8
===================================================================
--- s390-tools-service.orig/genprotimg/man/genprotimg.8
+++ s390-tools-service/genprotimg/man/genprotimg.8
@@ -87,7 +87,7 @@ CRLs. Optional.
 .TP
 \fB\-\-root\-ca\fR=\fI\,FILE\/\fR
 Specifies the root CA certificate for the verification. If omitted,
-the DigiCert root CA certificate installed on the system is used. Use
+the system wide root CAs installed on the system is used. Use
 this only if you trust the specified certificate. Optional.
 .TP
 \fB\-\-no-verify\fR
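Review bot: The replacement sentence in the `--root-ca` description does not agree in number and repeats itself ("the system wide root CAs installed on the system is used"); suggest "the system-wide root CAs are used". Since the default trust anchor is now the whole system store rather than one pinned root, this paragraph is also the natural place to say that `--root-ca` is how a user restricts verification to a single root.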
Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h
+++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h
@@ -29,9 +29,6 @@
  */
 #define PV_CERTS_SECURITY_LEVEL 2
 
-/* SKID for DigiCert Assured ID Root CA */
-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID 
"45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
-
 union ecdh_pub_key {
        struct {
                uint8_t x[80];
Index: s390-tools-service/genprotimg/src/pv/pv_args.c
===================================================================
--- s390-tools-service.orig/genprotimg/src/pv/pv_args.c
+++ s390-tools-service/genprotimg/src/pv/pv_args.c
@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvA
             g_strv_length(args->untrusted_cert_paths) == 0)) {
                g_set_error(
                        err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
-                       _("Either specify the IBM Z signing key and (DigiCert) 
intermediate CA certificate\n"
+                       _("Either specify the IBM Z signing key and 
intermediate CA certificate\n"
                          "by using the '--cert' option, or use the 
'--no-verify' flag to disable the\n"
                          "host-key document verification completely (at your 
own risk)."));
                return -1;
Index: s390-tools-service/genprotimg/src/pv/pv_image.c
===================================================================
--- s390-tools-service.orig/genprotimg/src/pv/pv_image.c
+++ s390-tools-service/genprotimg/src/pv/pv_image.c
@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList
        }
 
        /* Load all untrusted certificates (e.g. IBM Z signing key and
-        * DigiCert intermediate CA) that are required to establish a chain of
-        * trust starting from the host-key document up to the root CA (if not
-        * otherwise specified that's the DigiCert Assured ID Root CA).
+        * intermediate CA) that are required to establish a chain of trust
+        * starting from the host-key document up to the root CA (if not
+        * otherwise specified that can be one of the system wide installed
+        * root CAs, e.g. DigiCert).
         */
        untrusted_certs_with_path = load_certificates(untrusted_cert_paths, 
err);
        if (!untrusted_certs_with_path)
@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList
         * For this we must check:
         *
         * 1. Can a chain of trust be established ending in a root CA
-        * 2. Is the correct root CA ued? It has either to be the
-        *    'DigiCert Assured ID Root CA' or the root CA specified via
-        *    command line.
+        * 2. Is the correct root CA used? It has either to be a system CA
+        *    or the root CA specified via command line.
         */
        for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
                X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList
                if (verify_cert(ibm_signing_cert, ctx, err) < 0)
                        goto error;
 
-               /* Verify the build chain of trust chain. If the user passes a
-                * trusted root CA on the command line then the check for the
-                * Subject Key Identifier (SKID) is skipped, otherwise let's
-                * check if the SKID meets our expectation.
+               /* If there is a chain of trust using either the provided root
+                * CA on the command line or a system wide trusted root CA.
                 */
-               if (!root_ca_path &&
-                   check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
-                                          
get_digicert_assured_id_root_ca_skid(),
-                                          err) < 0) {
+               if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
+                                          err) < 0)
                        goto error;
-               }
 
                ibm_signing_crls = store_ctx_find_valid_crls(ctx, 
ibm_signing_cert, err);
                if (!ibm_signing_crls) {
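Review bot: The new comment above the `check_chain_parameters()` call is a sentence fragment ("If there is a chain of trust using either ...") and does not say what the call checks. With the `!root_ca_path` condition and the SKID argument removed, the call now runs in both cases and the question "Is the correct root CA used?" from the comment in the previous hunk is answered by the contents of the certificate store alone. Reword the comment to state that any root in the store (system-wide or given on the command line) is accepted and what the call still contributes.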
@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const
                g_warning(_("host-key document verification is disabled. Your 
workload is not secured."));
 
        if (args->root_ca_path)
-               g_warning(_("A different root CA than the default DigiCert root 
CA is selected. Ensure that this root CA is trusted."));
+               g_warning(_("The root CA is selected through the command line. 
Ensure that this root CA is trusted."));
 
        ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), 
err);
        if (!ret->comps)
Index: s390-tools-service/genprotimg/src/utils/crypto.c
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.c
+++ s390-tools-service/genprotimg/src/utils/crypto.c
@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *s
                g_abort();
 
        /* The maximum depth level of the chain of trust for the verification of
-        * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
-        * intermediate CA -> (DigiCert) root CA
+        * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
+        * -> root CA
         */
        X509_VERIFY_PARAM_set_depth(param, 2);
 
@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int le
        return security_bits[level];
 }
 
-static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
-
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
-{
-       pv_crypto_init();
-       return digicert_assured_id_root_ca;
-}
-
 /* Used for the caching of the downloaded CRLs */
 static GHashTable *cached_crls;
 
 void pv_crypto_init(void)
 {
-       if (digicert_assured_id_root_ca)
+       if (cached_crls)
                return;
-
        cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
                                            (GDestroyNotify)X509_CRL_free);
-       digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
-               NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
 }
 
 void pv_crypto_cleanup(void)
 {
-       if (!digicert_assured_id_root_ca)
+       if (!cached_crls)
                return;
        g_clear_pointer(&cached_crls, g_hash_table_destroy);
-       g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
 }
 
 gint check_chain_parameters(const STACK_OF_X509 *chain,
-                           const ASN1_OCTET_STRING *skid, GError **err)
+                           GError **err)
 {
-       const ASN1_OCTET_STRING *ca_skid = NULL;
+       const X509_NAME *ca_x509_subject = NULL;
+       g_autofree gchar *ca_subject = NULL;
        gint len = sk_X509_num(chain);
        X509 *ca = NULL;
 
-       g_assert(skid);
        /* at least one root and one leaf certificate must be defined */
-       g_assert(len >= 2);
+       if (len < 2) {
+               g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+                           _("there must be at least on root and one leaf 
certificate in the chain of trust"));
+               return -1;
+       }
 
        /* get the root certificate of the chain of trust */
        ca = sk_X509_value(chain, len - 1);
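Review bot: The new error string for the `len < 2` case has a typo, "at least on root" should read "at least one root", and because it is wrapped in `_()` it will reach translators as written. Returning an error here instead of `g_assert(len >= 2)` is the better behaviour; please also note that `ca_subject` is declared `g_autofree gchar *` in this hunk, which matters for how the value assigned to it later must be allocated.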
@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_
                return -1;
        }
 
-       ca_skid = X509_get0_subject_key_id(ca);
-       if (!ca_skid) {
-               g_set_error(err, PV_CRYPTO_ERROR, 
PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
-                           _("malformed root certificate"));
+       ca_x509_subject = X509_get_subject_name(ca);
+       if (!ca_x509_subject) {
+               g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+                           _("subject of the root CA cannot be retrieved"));
                return -1;
        }
 
-       if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
-               g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
-                           _("expecting DigiCert root CA to be used"));
+       ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
+       if (!ca_subject) {
+               g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+                           _("subject name of the root CA cannot be 
retrieved"));
                return -1;
        }
 
+       g_info("Root CA used: '%s'", ca_subject);
        return 0;
 }
 
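Review bot: `ca_subject` is assigned the buffer returned by `X509_NAME_oneline(ca_x509_subject, NULL, 0)`, which OpenSSL allocates and expects to be released with `OPENSSL_free()`, but the variable is declared `g_autofree` and will be released with `g_free()`. Either copy the string with `g_strdup()` and free the original with `OPENSSL_free()`, or drop `g_autofree` and free it explicitly. Separately, after this hunk `check_chain_parameters()` no longer rejects anything about the root certificate and only logs its subject through `g_info()`, so the function name and the `PV_CRYPTO_ERROR_WRONG_CA_USED` code it used to return deserve a follow-up cleanup.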
Index: s390-tools-service/genprotimg/src/utils/crypto.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.h
+++ s390-tools-service/genprotimg/src/utils/crypto.h
@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *c
                             gint verify_flags, GError **err);
 void pv_crypto_init(void);
 void pv_crypto_cleanup(void);
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
 gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
                     gint verify_flags, int level, GError **err);
 X509 *load_cert_from_file(const char *path, GError **err);
@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *roo
 int store_set_verify_param(X509_STORE *store, GError **err);
 X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
 STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
-gint check_chain_parameters(const STACK_OF_X509 *chain,
-                           const ASN1_OCTET_STRING *skid, GError **err);
+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
 X509_NAME *c2b_name(const X509_NAME *name);
 
 STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);

++++++ s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch ++++++
Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check
From: Marc Hartmayer <mhart...@linux.ibm.com>

Description:   genprotimg/check_hostkeydoc: cert. verification is too strict
Symptom:       Verification failures will occur for newer host key documents
Problem:       The certificate verification of check_hostkeydoc is too strict
               and doesn't match the checking performed by genprotimg. This
               applies to the OU field in the issuer DN of the host key
               document. As a consequence verification failures will occur for
               host key documents issued for hardware generations newer than
               IBM z15.
               
               DigiCert is the CA issuing the signing certificate for Secure
               Execution host key documents. This certificate is used for the
               verification of the host key document validity. Recently,
               DigiCert has changed the root CA certificate used for issuance
               of the signing certificates.  As genprotimg is checking the CA
               serial, the verification of the chain of trust will fail. As a
               workaround, it is possible to disable certificate verification,
               but this is not recommended because it makes it easier to
               provide a fake host key document. Since the previously issued
               host key documents are expiring in April 2022, it is necessary
               to fix genprotimg to accept the newly issued host key
               documents.
Solution:      Relax the certificate verification
Reproduction:  Use a new host key document
Upstream-ID:   673ff375d939d3cde674f8f99a62d456f8b1673d
Problem-ID:    197604

Upstream-Description:

              genprotimg/check_hostkeydoc: relax default issuer check

              While the original default issuer's organizationalUnitName (OU)
              was defined as "IBM Z Host Key Signing Service", any OU ending
              with "Key Signing Service" is considered legal.

              Let's relax the default issuer check by stripping off characters
              preceding "Key Signing Service".

              Signed-off-by: Viktor Mihajlovski <mihaj...@linux.ibm.com>
              Reviewed-by: Marc Hartmayer <mhart...@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoepp...@linux.ibm.com>


Signed-off-by: Marc Hartmayer <mhart...@linux.ibm.com>
Index: s390-tools-service/genprotimg/samples/check_hostkeydoc
===================================================================
--- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc
+++ s390-tools-service/genprotimg/samples/check_hostkeydoc
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
 ISSUER_DN_FILE=$(mktemp)
 SUBJECT_DN_FILE=$(mktemp)
 DEF_ISSUER_DN_FILE=$(mktemp)
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
 CRL_SERIAL_FILE=$(mktemp)
 
 # Cleanup on exit
@@ -30,7 +31,7 @@ cleanup()
 {
     rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
         $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
-        $CRL_SERIAL_FILE
+        $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
 }
 trap cleanup EXIT
 
@@ -121,20 +122,31 @@ default_issuer()
     commonName                = International Business Machines Corporation
     countryName               = US
     localityName              = Poughkeepsie
-    organizationalUnitName    = IBM Z Host Key Signing Service
+    organizationalUnitName    = Key Signing Service
     organizationName          = International Business Machines Corporation
     stateOrProvinceName       = New York
 EOF
 }
 
-verify_issuer_files()
+# As organizationalUnitName can have an arbitrary prefix but must
+# end with "Key Signing Service" let's normalize the OU name by
+# stripping off the prefix
+verify_default_issuer()
 {
     default_issuer > $DEF_ISSUER_DN_FILE
 
-    if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+    sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing 
Service$\)/\1\2/" \
+       $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
+
+    if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
     then
         echo Incorrect default issuer >&2 && exit 1
     fi
+}
+
+verify_issuer_files()
+{
+    verify_default_issuer
 
     if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
     then
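Review bot: In `verify_default_issuer()` the sed expression places `.*` directly before `Key Signing Service$`, so the stripped prefix is not required to end at a word boundary, and an OU whose last words merely end in those characters normalizes to the default as well. If only whole-word prefixes are intended, as with the original "IBM Z Host Key Signing Service", require the prefix to be empty or to end in a space. The comment describing the relaxed rule would also be useful next to `default_issuer()`, since its `organizationalUnitName` is now a normalized value rather than a real OU.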

++++++ s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch ++++++
Subject: [PATCH] [BZ 197605] libseckey: Fix re-enciphering of EP11 secure key
From: Ingo Franzki <ifran...@linux.ibm.com>

Description:   zkey: Fix re-enciphering of EP11 identity key of KMIP plugin 
Symptom:       When re-enciphering the identity key and/or wrapping key of the
               zkey KMIP plugin via 'zkey kms reencipher', the operation 
               completes without an error, but the secure keys are left 
               un-reenciphered. A subsequent connection attempt with the KMIP
               server will fail because the identity key is no longer valid.
Problem:       The re-enciphered secure key is not copied back into the
               key token buffer. Also, the public key part, i.e. the MACed
               SubjectPublicKeyInfo (SPKI) structure must also be
               re-enciphered (i.e. re-MACed), since the MAC is calculated with
               the EP11 master key.
Solution:      Copy the re-enciphered secure key back into the key token
               buffer, and also re-encipher the public key part.
Reproduction:  Perform a master key change on the EP11 APQNs used with the
               KMIP plugin.
Upstream-ID:   4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Problem-ID:    197605

Upstream-Description:

              libseckey: Fix re-enciphering of EP11 secure key

              The re-enciphering of EP11 asymmetric secure keys does not work.
              First, the result of the re-encipher operation of the private key
              part must be copied back into the user supplied key token buffer.
              Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
              (SPKI) structure must also be re-enciphered (i.e. re-MACed), since
              the MAC is calculated with the EP11 master key.

              Signed-off-by: Ingo Franzki <ifran...@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoepp...@linux.ibm.com>


Signed-off-by: Ingo Franzki <ifran...@linux.ibm.com>
---
 libseckey/sk_ep11.c |   53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

--- a/libseckey/sk_ep11.c
+++ b/libseckey/sk_ep11.c
@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct
                return -EIO;
        }
 
+       memcpy(blob, lrb.payload, lrb.pllen);
+
+       /* re-encipher MACed SPKI */
+       rb.domain = domain;
+       lrb.domain = domain;
+
+       resp_len = sizeof(resp);
+       req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
+                                        &rb, NULL, key_token + hdr->len,
+                                        key_token_length - hdr->len);
+       if (req_len < 0) {
+               sk_debug(debug, "Failed to build XCP command block");
+               return -EIO;
+       }
+
+       rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
+                             0, ep11_lib->target);
+       if (rv != CKR_OK || resp_len == 0) {
+               sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
+                        "rc = 0x%lx, resp_len = %ld", rv, resp_len);
+               return -EIO;
+       }
+
+       rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
+       if (rc != 0) {
+               sk_debug(debug, "Failed to parse response. rc = %d", rc);
+               return -EIO;
+       }
+
+       if (rv != CKR_OK) {
+               sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
+                        "rc = 0x%lx", rv);
+               switch (rv) {
+               case CKR_IBM_WKID_MISMATCH:
+                       sk_debug(debug, "The EP11 secure key is currently "
+                                "encrypted under a different master that does "
+                                "not match the master key in the CURRENT "
+                                "master key register of APQN %02X.%04X",
+                                card, domain);
+                       break;
+               }
+               return -EIO;
+       }
+
+       if (key_token_length - hdr->len != lrb.pllen) {
+               sk_debug(debug, "Re-encrypted EP11 secure key size has "
+                        "changed: org-len: %lu, new-len: %lu",
+                        hdr->len - sizeof(*hdr), lrb.pllen);
+               return -EIO;
+       }
+
+       memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
+
        return 0;
 }
 
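Review bot: The first added line, `memcpy(blob, lrb.payload, lrb.pllen);`, copies the response into the caller's buffer with no length check visible in this hunk, whereas the second copy at the end is guarded by `key_token_length - hdr->len != lrb.pllen`. Please confirm that the code just above the hunk makes the equivalent comparison for the private key part, or add one before the copy. In the size-mismatch debug message the reported org-len is `hdr->len - sizeof(*hdr)`, which is not the value being compared, and both failure messages in the added block say "EP11 secure key" for what is the MACed SPKI part, so the two re-encrypt steps cannot be told apart in the debug log.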
