** Description changed: - We just released openCryptoki 3.12.1 to fix a bug in the pkcs11_migrate tool. + SRU Justification: + ------------------ + + [Impact] + + * With commit 2668e8f the contents of attribute CKA_IBM_OPAQUE has been + changed to contain the raw EP11 blob directly, no longer wrapped into + struct ep11_opaque. + + * The pkcsep11_migrate tool now needs to be corrected in a way that it + also expects the raw blob in attribute CKA_IBM_OPAQUE to match what the + EP11 token provides. + + [Fix] + + * 316e35e55b1fe90d963186d54e7d8c4f77ce94ed "pkcsep11_migrate: Fix re- + encryption of EP11 key blobs" + + [Test Case] + + * An s390x system (LPAR or z/VM) with at least one crypto domain online + and a master key set is needed. + + * Install the opencryptoki package on that system, which includes the + pkcsep11_migrate tool. + + * Use the pkcsep11_migrate to re-encrypt EP11 token keys in preparation + of master keys change in the EP11 adapter. + + [Regression Potential] + + * The regression potential can be considered as moderate, since: + + * this is limited to EP11 token keys migration and re-encryption + situations + + * and the patch modifies the pkcsep11_migrate utility only, hence will + not effect other pkcs* tools + + * and right now the pkcsep11_migrate utility is broken anyway + + [Other Info] + * On top the patch "pkcsep11_migrate: Fix re-encryption of EP11 key blobs" fixes some minor things to make re-encryption really work. + __________ + + We just released openCryptoki 3.12.1 to fix a bug in the pkcs11_migrate + tool. + Change Log: - Fix pkcsep11_migrate tool - + https://github.com/opencryptoki/opencryptoki https://github.com/opencryptoki/opencryptoki/releases/tag/v3.12.1 - + Please update the feature request to either.. - include the 3.12.1 bug-fix release .. - .. or include the following commit on top of 3.12: https://github.com/opencryptoki/opencryptoki/commit/316e35e55b1fe90d963186d54e7d8c4f77ce94ed " This fix is applicable to openCryptoki >= 3.4, which means: 20.04 19.10 18.04 16.04
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854148 Title: [UBUNTU] openCryptoki: pkcsep11_migrate: Fix re-encryption of EP11 key blobs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1854148/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
