Public bug reported:
Description: libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS
Symptom: The zkey EKMFWeb-plugin commands 'zkey kms configure --gen-csr ...' and/or 'zkey kms configure --gen-self-signed-cert ...' erroneously generate certificates or certificate-signing-requests signed using RSA-PSS instead of using RSA-PKCS when an RSA identity key is used (as defined in the EKMFWeb key template for the identity key).
EKMFWeb might not support certificates signed with RSA-PSS, depending on the version, and thus the import of such a certificate fails with "EKMFWeb: 34: Unexpected error: 'Error during translating public key from X509 Certificate'" during the 'zkey kms configure --register ...' command.
Problem: Currently a certificate or certificate signing request generated by the zkey EKMFWeb library erroneously always uses RSA-PSS as the signing algorithm, although EKMFWeb does not support RSA-PSS certificates in all versions.
This bug was introduced with the rework to use libseckey for secure key crypto operations with s390-tools version 2.17.0.
Solution: Only pass the RSA-PSS parameters to the low-level function when the use of RSA-PSS is intended.
Reproduction: Set up the zkey EKMFWeb plugin and use an RSA-type identity key template in EKMFWeb. Then generate a certificate or CSR and try to register the certificate with EKMFWeb.
Upstream-ID: e4dcf084c5a54f8030da39707c5fa0fbb7ae9681
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39064 bugnameltc-216012 severity-high targetmilestone-inin---
** Tags added: architecture-s39064 bugnameltc-216012 severity-high
targetmilestone-inin---
** Changed in: ubuntu
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Package changed: ubuntu => linux (Ubuntu)
https://bugs.launchpad.net/bugs/2130425
Title:
[Ubuntu 24.04] libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS
Status in linux package in Ubuntu:
New
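A pre-registration check for the symptom described in the report, as an added example that is not part of the bug report or of s390-tools: it reads the outer signatureAlgorithm OID from a DER-encoded certificate or CSR and reports whether it is RSASSA-PSS or PKCS#1 v1.5 RSA. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example: X.509 certs and PKCS#10 CSRs are both SEQUENCE { body, algId, signature }.
RSASSA_PSS = "1.2.840.113549.1.1.10"
PKCS1_V15 = {"1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11",     # sha1 / sha256
             "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13"}    # sha384 / sha512

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)          # first byte packs the first two arcs
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:                  # base-128, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    tag, start, _ = read_tlv(der, 0)                  # Certificate / CertificationRequest
    _, _, body_end = read_tlv(der, start)             # skip tbsCertificate / requestInfo
    alg_tag, alg_start, _ = read_tlv(der, body_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a certificate or CSR")
    return decode_oid(der[oid_start:oid_end])

def classify(der):
    oid = signature_algorithm(der)
    return "RSA-PSS" if oid == RSASSA_PSS else "RSA-PKCS" if oid in PKCS1_V15 else "other"

def _tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def _sample(oid_hex, params):
    """Constructed skeleton (filler body, dummy signature), not a real CSR."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + params)
    return _tlv(0x30, _tlv(0x30, b"\x00" * 300) + alg + _tlv(0x03, b"\x00\xAA"))
SAMPLE_PSS = _sample("2a864886f70d01010a", b"\x30\x00")    # constructed, PSS OID
SAMPLE_PKCS = _sample("2a864886f70d01010b", b"\x05\x00")   # constructed, sha256WithRSA
```

For a PEM file, base64-decode the text between the BEGIN and END lines and pass the resulting bytes to `classify`.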