Public bug reported:
Description: zkey: KMIP plugin fails to connect to KMIP server
Symptom:
When a zkey key repository is bound to the KMIP plugin, and the connection to
the KMIP server is to be configured using command 'zkey kms configure
--kmip-server <server>', it fails to connect to the specified KMIP server.
Problem:
When trying to establish a TLS connection to the KMIP server, the KMIP client
sets up an OpenSSL SSL context with its certificate and its private key (which
is a secure key) using OpenSSL function SSL_CTX_use_PrivateKey(). When running
with OpenSSL 3.0, this calls the secure key provider's match function to check
if the private key specified matches the public key of the certificate using
EVP_PKEY_eq(). EVP_PKEY_eq() includes the private key in the selector bits
for the match call, although the certificate only contains the public key part.
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the OpenSSL
provider's keymgmt_match() function to be not so strict with the selector bits
with regard to matching different key parts.
This means that if the public key is selected to be matched, and the public
key matches (together with any also selected parameters), then the private key
is no longer checked, although it may also be selected to be matched. This is
according to how the OpenSSL function EVP_PKEY_eq() is supposed to behave.
Solution:
Adapt the secure key provider's match function to behave like the match
functions of the providers coming with OpenSSL.
Reproduction: Configure a connection to a KMIP server on a system that comes
with OpenSSL 3.0.
Problem-ID: 198268
Preventive: yes
Upstream-ID: 6c5c5f7e558c114ddaa475e96c9ec708049aa423
Date: 2022-05-17
Author: Ingo Franzki <[email protected]>
Component: s390-tools
== Comment: #1 - Ingo Franzki <[email protected]> - 2022-05-17 07:40:03 ==
Upstream commit:
https://github.com/ibm-s390-linux/s390-tools/commit/6c5c5f7e558c114ddaa475e96c9ec708049aa423
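To make the two match semantics concrete, here is an added, self-contained C model (not code from s390-tools, the secure key provider or OpenSSL) over a hypothetical toy key structure; the selector bit values are OpenSSL 3.0's, while toy_key, part_eq, match_strict and match_relaxed are constructed for this illustration. match_strict shows why a certificate key (public part only) can never satisfy the KEYPAIR selector that EVP_PKEY_eq() passes, and match_relaxed follows the shape of the provider match functions after commit ee22a374.

```c
#include <stdbool.h>
#include <stdint.h>
/* Selector bits as defined in OpenSSL 3.0 <openssl/core_dispatch.h>. */
#define OSSL_KEYMGMT_SELECT_PRIVATE_KEY       0x01
#define OSSL_KEYMGMT_SELECT_PUBLIC_KEY        0x02
#define OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS 0x04
#define OSSL_KEYMGMT_SELECT_KEYPAIR           0x03
/* Hypothetical stand-in for a provider key object; each part may be absent.
 * A key taken from a certificate carries only the public part. */
struct toy_key {
    bool has_params, has_pub, has_priv;
    uint64_t params, pub, priv;   /* opaque identities of each part */
};
/* One part matches when it is present on both sides and equal. */
static int part_eq(bool ha, uint64_t a, bool hb, uint64_t b) { return ha && hb && a == b; }
/* Pre-fix behaviour: every selected part must be present on both sides and
 * equal, so with the KEYPAIR selector a certificate key never matches. */
int match_strict(const struct toy_key *a, const struct toy_key *b, int sel)
{
    int ok = 1;
    if (sel & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)
        ok = ok && part_eq(a->has_params, a->params, b->has_params, b->params);
    if (sel & OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
        ok = ok && part_eq(a->has_pub, a->pub, b->has_pub, b->pub);
    if (sel & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
        ok = ok && part_eq(a->has_priv, a->priv, b->has_priv, b->priv);
    return ok;
}
/* Post-fix behaviour, following the shape of OpenSSL's own providers after
 * commit ee22a374: selected parameters must match; the public part is compared
 * when both sides have it, and the private part is consulted only when the
 * public part could not be compared. At least one key part must be checked. */
int match_relaxed(const struct toy_key *a, const struct toy_key *b, int sel)
{
    int ok = 1, key_checked = 0;
    if (sel & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS)
        ok = ok && part_eq(a->has_params, a->params, b->has_params, b->params);
    if (!(sel & OSSL_KEYMGMT_SELECT_KEYPAIR))
        return ok;                      /* only parameters were selected */
    if ((sel & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) && a->has_pub && b->has_pub) {
        ok = ok && a->pub == b->pub;
        key_checked = 1;
    }
    if (!key_checked && (sel & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
        && a->has_priv && b->has_priv) {
        ok = ok && a->priv == b->priv;
        key_checked = 1;
    }
    return ok && key_checked;
}
```

With a certificate key and its private key whose public parts agree, match_strict returns 0 under the KEYPAIR selector while match_relaxed returns 1, which is exactly the difference that made SSL_CTX_use_PrivateKey() fail before the fix.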
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39064 bugnameltc-198269 severity-high
targetmilestone-inin---
** Changed in: ubuntu
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Package changed: ubuntu => linux (Ubuntu)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1990524
Title:
[Ubuntu 22.04] zkey: KMIP plugin fails to connect to KMIP server
Status in linux package in Ubuntu:
New