Public bug reported:

Description:   libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS

Symptom:       The zkey EKMFWeb-plugin commands 'zkey kms configure --gen-csr 
               ...' and/or 'zkey kms configure --gen-self-signed-cert ...' 
               erroneously generate certificates or certificate-signing-
               requests signed using RSA-PSS instead of using RSA-PKCS when
               an RSA identity key is used (as defined in EKMFWeb key template
               for the identity key).
               EKMFWeb might not support certificates signed with RSA-PSS,
               depending on the version, and thus the import of such a
               certificate fails with "EKMFWeb: 34: Unexpected error: 'Error 
               during translating public key from X509 Certificate'" during 
               the 'zkey kms configure --register ...' command.

Problem:       Currently a certificate or certificate signing request generated
               by the zkey EKMFWeb library erroneously always uses RSA-PSS as
               the signing algorithm, although EKMFWeb does not support RSA-PSS
               certificates in all versions.
               This bug was introduced with the rework to use libseckey for
               secure key crypto operations with s390-tools version 2.17.0.

Solution:      Only pass the RSA-PSS parameters to the low-level function
               when the use of RSA-PSS is intended.

Reproduction:  Set up the zkey EKMFWeb plugin and use an RSA-type identity key
               template in EKMFWeb. Then generate a certificate or CSR and
               try to register the certificate with EKMFWeb.

Upstream-ID:   e4dcf084c5a54f8030da39707c5fa0fbb7ae9681

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
         Status: New


** Tags: architecture-s39064 bugnameltc-216012 severity-high 
targetmilestone-inin---

** Tags added: architecture-s39064 bugnameltc-216012 severity-high
targetmilestone-inin---

** Changed in: ubuntu
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Package changed: ubuntu => linux (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2130425

Title:
  [Ubuntu 24.04] libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2130425/+subscriptions
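
One way to check which signature algorithm a generated certificate or CSR carries before attempting 'zkey kms configure --register ...'. This is an added example, not code from the bug report or from s390-tools. All function names are hypothetical, and the two samples are constructed cert-shaped DER skeletons with dummy body, parameters and signature, not real certificates.

```python
# Added example: read the outer signatureAlgorithm OID of a DER cert or CSR.
PSS_OID = "1.2.840.113549.1.1.10"          # id-RSASSA-PSS
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption (PKCS#1 v1.5)

def read_tlv(buf, pos):                    # -> (tag, value_start, value_end)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # first octet packs two arcs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)               # base-128, high bit = more
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    # X.509 certs and PKCS#10 CSRs are both SEQUENCE { body, sigAlg, signature }
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, body_end = read_tlv(der, start)           # skip TBS / request info
    tag, alg_start, _ = read_tlv(der, body_end)     # AlgorithmIdentifier
    otag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("unexpected signatureAlgorithm encoding")
    return decode_oid(der[oid_start:oid_end])

def is_rsa_pss(der):
    return signature_algorithm(der) == PSS_OID

def _tlv(tag, value):   # DER encoder for lengths < 256, enough for the samples
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def constructed_skeleton(oid_hex):
    """Constructed sample: dummy 200-byte body, NULL params, dummy signature."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, bytes(200)) + alg + _tlv(0x03, bytes(17)))

PSS_SAMPLE = constructed_skeleton("2a864886f70d01010a")
PKCS1_SAMPLE = constructed_skeleton("2a864886f70d01010b")
```

For a PEM file, base64-decode the block between the BEGIN and END lines to obtain the DER bytes before calling signature_algorithm().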

