** Package changed: linux (Ubuntu) => s390-tools (Ubuntu)
** Also affects: ubuntu-z-systems
Importance: Undecided
Status: New
** Changed in: ubuntu-z-systems
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Also affects: s390-tools-signed (Ubuntu)
Importance: Undecided
Status: New
** Changed in: s390-tools-signed (Ubuntu)
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Also affects: s390-tools (Ubuntu Plucky)
Importance: Undecided
Status: New
** Also affects: s390-tools-signed (Ubuntu Plucky)
Importance: Undecided
Status: New
** Also affects: s390-tools (Ubuntu Resolute)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Also affects: s390-tools-signed (Ubuntu Resolute)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Also affects: s390-tools (Ubuntu Questing)
Importance: Undecided
Status: New
** Also affects: s390-tools-signed (Ubuntu Questing)
Importance: Undecided
Status: New
** Also affects: s390-tools (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: s390-tools-signed (Ubuntu Noble)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/2130425
Title:
[Ubuntu 24.04] libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS
Status in Ubuntu on IBM z Systems:
New
Status in s390-tools package in Ubuntu:
New
Status in s390-tools-signed package in Ubuntu:
New
Status in s390-tools source package in Noble:
New
Status in s390-tools-signed source package in Noble:
New
Status in s390-tools source package in Plucky:
New
Status in s390-tools-signed source package in Plucky:
New
Status in s390-tools source package in Questing:
New
Status in s390-tools-signed source package in Questing:
New
Status in s390-tools source package in Resolute:
New
Status in s390-tools-signed source package in Resolute:
New
Bug description:
Description: libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS
Symptom: The zkey EKMFWeb-plugin commands 'zkey kms configure --gen-csr ...' and/or 'zkey kms configure --gen-self-signed-cert ...' erroneously generate certificates or certificate-signing-requests signed using RSA-PSS instead of using RSA-PKCS when an RSA identity key is used (as defined in EKMFWeb key template for the identity key). EKMFWeb might not support certificates signed with RSA-PSS dependent on the version, and thus the import of such a certificate fails with "EKMFWeb: 34: Unexpected error: 'Error during translating public key from X509 Certificate'" during the 'zkey kms configure --register ...' command.
Problem: Currently a certificate or certificate signing request generated by the zkey EKMFWeb library erroneously always uses RSA-PSS as signing algorithm, although EKMFWeb does not support RSA-PSS certificates in all versions. This bug was introduced with the rework to use libseckey for secure key crypto operations with s390-tools version 2.17.0.
Solution: Only pass the RSA-PSS parameters to the low-level function when the use of RSA-PSS is intended.
Reproduction: Set up the zkey EKMFWeb plugin and use an RSA-type identity key template in EKMFWeb. Then generate a certificate or CSR and try to register the certificate with EKMFWeb.
Upstream-ID: e4dcf084c5a54f8030da39707c5fa0fbb7ae9681
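A way to check, before registration, whether a generated CSR or certificate was signed with RSA-PSS or RSA PKCS#1 v1.5, by reading the outer signatureAlgorithm OID from the PEM or DER bytes. This is an added example, not part of the bug report or of s390-tools; the function names and the two sample byte strings are constructed for illustration.

```python
import base64
import re

PSS_OID = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS (RFC 4055)

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def decode_oid(body):
    """Dotted string for an OID body; the first byte packs the first two arcs."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(data):
    """OID of the outer signatureAlgorithm of a certificate or PKCS#10 CSR."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    _, start, _ = read_tlv(der, 0)           # outer SEQUENCE
    _, _, info_end = read_tlv(der, start)    # skip tbsCertificate / request info
    tag, alg_start, _ = read_tlv(der, info_end)  # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate or PKCS#10 CSR")
    return decode_oid(der[oid_start:oid_end])

def is_rsa_pss(data):
    return signature_algorithm(data) == PSS_OID

# Constructed DER skeletons (empty body and signature), not real CSRs.
SAMPLE_PSS = bytes.fromhex("30143000300d06092a864886f70d01010a3000030100")
SAMPLE_PKCS1 = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")
```

Pass the raw bytes of the generated file to `is_rsa_pss`; a result of `True` on output produced with an RSA identity key matches the symptom described above.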