Merge ~fheimes/ubuntu/+source/s390-tools:s390-tools-sru-lp1968259+lp1968260-jammy into ubuntu/+source/s390-tools:ubuntu/jammy-devel

Proposed by Frank Heimes
Status: Work in progress
Proposed branch: ~fheimes/ubuntu/+source/s390-tools:s390-tools-sru-lp1968259+lp1968260-jammy
Merge into: ubuntu/+source/s390-tools:ubuntu/jammy-devel
Diff against target: 383 lines (+355/-0)
4 files modified
debian/changelog (+11/-0)
debian/patches/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch (+84/-0)
debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch (+258/-0)
debian/patches/series (+2/-0)
Reviewer Review Type Date Requested Status
Canonical Foundations Team Pending
Review via email: mp+419052@code.launchpad.net

Description of the change

s390-tools-sru-lp1968259+lp1968260-jammy
  * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    Fix for genprotimg failing to process z15 host key documents
    after April 2022. (LP: #1968260)
  * d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
    Fixing check_hostkeydoc since it's checking the certificate issuer
    too strictly. (LP: #1968259)

Test build is available here:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1968259+lp1968260


Unmerged commits

18fb177... by Frank Heimes

  * debian/changelog for
    d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch

646836b... by Frank Heimes

  * d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
    Fixing check_hostkeydoc since it's checking the certificate issuer
    too strictly.
    (LP: #1968259)

e53f460... by Frank Heimes

  * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
    Fix for genprotimg failing to process z15 host key documents
    after April 2022.
    (LP: #1968260)

Preview Diff

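diff --git a/debian/changelog b/debian/changelog
index 5bda178..9c7b5ea 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+s390-tools (2.20.0-0ubuntu2) jammy; urgency=medium
+
+ * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
+ Fix for genprotimg failing to process z15 host key documents
+ after April 2022. (LP: #1968260)
+ * d/p/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
+ Fixing check_hostkeydoc since it's checking the certificate issuer
+ too strictly. (LP: #1968259)
+
+ -- Frank Heimes <frank.heimes@canonical.com> Fri, 08 Apr 2022 16:01:38 +0200
+
 s390-tools (2.20.0-0ubuntu1) jammy; urgency=medium
 
 * New upstream release. LP: #1959420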
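diff --git a/debian/patches/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch b/debian/patches/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
new file mode 100644
index 0000000..7d69069
--- /dev/null
+++ b/debian/patches/673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
@@ -0,0 +1,84 @@
+genprotimg/check_hostkeydoc: relax default issuer check
+
+While the original default issuer's organizationalUnitName (OU)
+was defined as "IBM Z Host Key Signing Service", any OU ending
+with "Key Signing Service" is considered legal.
+
+Let's relax the default issuer check by stripping off characters
+preceding "Key Signing Service".
+
+Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
+Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+Author: Viktor Mihajlovski <mihajlov@linux.ibm.com>
+Origin: upstream, https://github.com/ibm-s390-tools/s390-tools673ff37
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1968259
+Bug-IBM: BZ#197551
+Applied-Upstream: > 2.20.0
+Reviewed-by: Frank Heimes <frank.heimes@canonical.com>
+Last-Update: 2022-04-08
+
+---
+ genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc
+index a96576fa..6a837390 100755
+--- a/genprotimg/samples/check_hostkeydoc
++++ b/genprotimg/samples/check_hostkeydoc
+@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
+ ISSUER_DN_FILE=$(mktemp)
+ SUBJECT_DN_FILE=$(mktemp)
+ DEF_ISSUER_DN_FILE=$(mktemp)
++CANONICAL_ISSUER_DN_FILE=$(mktemp)
+ CRL_SERIAL_FILE=$(mktemp)
+
+ # Cleanup on exit
+@@ -30,7 +31,7 @@ cleanup()
+ {
+ rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
+ $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
+- $CRL_SERIAL_FILE
++ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
+ }
+ trap cleanup EXIT
+
+@@ -121,20 +122,31 @@ default_issuer()
+ commonName = International Business Machines Corporation
+ countryName = US
+ localityName = Poughkeepsie
+- organizationalUnitName = IBM Z Host Key Signing Service
++ organizationalUnitName = Key Signing Service
+ organizationName = International Business Machines Corporation
+ stateOrProvinceName = New York
+ EOF
+ }
+
+-verify_issuer_files()
++# As organizationalUnitName can have an arbitrary prefix but must
++# end with "Key Signing Service" let's normalize the OU name by
++# stripping off the prefix
++verify_default_issuer()
+ {
+ default_issuer > $DEF_ISSUER_DN_FILE
+
+- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
++ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
++ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
++
++ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+ then
+ echo Incorrect default issuer >&2 && exit 1
+ fi
++}
++
++verify_issuer_files()
++{
++ verify_default_issuer
+
+ if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
+ then
+--
+2.25.1
+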
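Review bot: The relaxed match in `verify_default_issuer` accepts any prefix before "Key Signing Service", including an empty one, because the `.*` in the `sed` pattern is unbounded on the left; the remaining issuer attributes (commonName, countryName, organizationName, ...) are still compared byte-for-byte by the `diff`, so the widening is confined to the OU attribute, and the comment above the function should state that, e.g. `# Only the OU prefix is relaxed; every other issuer attribute must still match exactly`. The `[ ]*` classes match spaces only, so if the issuer dump can ever contain tabs around `=` the line is not normalized and the check fails; `[[:blank:]]*` would cover both, if that is a real possibility for this input. The DEP-3 `Origin:` URL in the patch header lacks the path separator between repository and commit id (`s390-tools673ff37`); presumably `https://github.com/ibm-s390-tools/s390-tools/commit/673ff37` was intended, and the 78b0533 patch header has the same defect. The body of `verify_issuer_files` continues outside the hunk.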
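diff --git a/debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch b/debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
new file mode 100644
index 0000000..1defa2d
--- /dev/null
+++ b/debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
@@ -0,0 +1,258 @@
+genprotimg: remove DigiCert root CA pinning
+
+Remove the DigiCert root CA pinning. The root CA used for the chain of trust can
+change in the future therefore let's remove this check. If someone wants to
+enforce the usage of a specific root CA it can be selected by the genprotimg
+command line option `--root-ca $CA`. Make it transparent to the user which root
+CA is actually being used by printing the subject name of the root CA to stdout
+in verbose mode.
+
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
+Reviewed-and-tested-by: Nico Boehr <nrb@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+Author: Marc Hartmayer <mhartmay@linux.ibm.com>
+Origin: upstream, https://github.com/ibm-s390-tools/s390-tools78b0533
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1968260
+Bug-IBM: BZ#197550
+Applied-Upstream: > 2.20.0
+Reviewed-by: Frank Heimes <frank.heimes@canonical.com>
+Last-Update: 2022-04-08
+
+---
+ genprotimg/man/genprotimg.8 | 2 +-
+ genprotimg/src/include/pv_crypto_def.h | 3 --
+ genprotimg/src/pv/pv_args.c | 2 +-
+ genprotimg/src/pv/pv_image.c | 27 ++++++---------
+ genprotimg/src/utils/crypto.c | 48 +++++++++++---------------
+ genprotimg/src/utils/crypto.h | 4 +--
+ 6 files changed, 35 insertions(+), 51 deletions(-)
+
+diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8
+index 81929926..460c1d79 100644
+--- a/genprotimg/man/genprotimg.8
++++ b/genprotimg/man/genprotimg.8
+@@ -87,7 +87,7 @@ CRLs. Optional.
+ .TP
+ \fB\-\-root\-ca\fR=\fI\,FILE\/\fR
+ Specifies the root CA certificate for the verification. If omitted,
+-the DigiCert root CA certificate installed on the system is used. Use
++the system wide root CAs installed on the system is used. Use
+ this only if you trust the specified certificate. Optional.
+ .TP
+ \fB\-\-no-verify\fR
+diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h
+index 53984a3d..3635433c 100644
+--- a/genprotimg/src/include/pv_crypto_def.h
++++ b/genprotimg/src/include/pv_crypto_def.h
+@@ -29,9 +29,6 @@
+ */
+ #define PV_CERTS_SECURITY_LEVEL 2
+
+-/* SKID for DigiCert Assured ID Root CA */
+-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
+-
+ union ecdh_pub_key {
+ struct {
+ uint8_t x[80];
+diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c
+index 000eb9a0..c67ae99f 100644
+--- a/genprotimg/src/pv/pv_args.c
++++ b/genprotimg/src/pv/pv_args.c
+@@ -123,7 +123,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err)
+ g_strv_length(args->untrusted_cert_paths) == 0)) {
+ g_set_error(
+ err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
+- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n"
++ _("Either specify the IBM Z signing key and intermediate CA certificate\n"
+ "by using the '--cert' option, or use the '--no-verify' flag to disable the\n"
+ "host-key document verification completely (at your own risk)."));
+ return -1;
+diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c
+index 1ccb0fce..8399901d 100644
+--- a/genprotimg/src/pv/pv_image.c
++++ b/genprotimg/src/pv/pv_image.c
+@@ -311,9 +311,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
+ }
+
+ /* Load all untrusted certificates (e.g. IBM Z signing key and
+- * DigiCert intermediate CA) that are required to establish a chain of
+- * trust starting from the host-key document up to the root CA (if not
+- * otherwise specified that's the DigiCert Assured ID Root CA).
++ * intermediate CA) that are required to establish a chain of trust
++ * starting from the host-key document up to the root CA (if not
++ * otherwise specified that can be one of the system wide installed
++ * root CAs, e.g. DigiCert).
+ */
+ untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err);
+ if (!untrusted_certs_with_path)
+@@ -348,9 +349,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
+ * For this we must check:
+ *
+ * 1. Can a chain of trust be established ending in a root CA
+- * 2. Is the correct root CA ued? It has either to be the
+- * 'DigiCert Assured ID Root CA' or the root CA specified via
+- * command line.
++ * 2. Is the correct root CA used? It has either to be a system CA
++ * or the root CA specified via command line.
+ */
+ for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
+ X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
+@@ -371,17 +371,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
+ if (verify_cert(ibm_signing_cert, ctx, err) < 0)
+ goto error;
+
+- /* Verify the build chain of trust chain. If the user passes a
+- * trusted root CA on the command line then the check for the
+- * Subject Key Identifier (SKID) is skipped, otherwise let's
+- * check if the SKID meets our expectation.
++ /* If there is a chain of trust using either the provided root
++ * CA on the command line or a system wide trusted root CA.
+ */
+- if (!root_ca_path &&
+- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
+- get_digicert_assured_id_root_ca_skid(),
+- err) < 0) {
++ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
++ err) < 0)
+ goto error;
+- }
+
+ ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err);
+ if (!ibm_signing_crls) {
+@@ -595,7 +590,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err)
+ g_warning(_("host-key document verification is disabled. Your workload is not secured."));
+
+ if (args->root_ca_path)
+- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted."));
++ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted."));
+
+ ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err);
+ if (!ret->comps)
+diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
+index 96726095..7745b392 100644
+--- a/genprotimg/src/utils/crypto.c
++++ b/genprotimg/src/utils/crypto.c
+@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err)
+ g_abort();
+
+ /* The maximum depth level of the chain of trust for the verification of
+- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
+- * intermediate CA -> (DigiCert) root CA
++ * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
++ * -> root CA
+ */
+ X509_VERIFY_PARAM_set_depth(param, 2);
+
+@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level)
+ return security_bits[level];
+ }
+
+-static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
+-
+-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
+-{
+- pv_crypto_init();
+- return digicert_assured_id_root_ca;
+-}
+-
+ /* Used for the caching of the downloaded CRLs */
+ static GHashTable *cached_crls;
+
+ void pv_crypto_init(void)
+ {
+- if (digicert_assured_id_root_ca)
++ if (cached_crls)
+ return;
+-
+ cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
+ (GDestroyNotify)X509_CRL_free);
+- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
+- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
+ }
+
+ void pv_crypto_cleanup(void)
+ {
+- if (!digicert_assured_id_root_ca)
++ if (!cached_crls)
+ return;
+ g_clear_pointer(&cached_crls, g_hash_table_destroy);
+- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
+ }
+
+ gint check_chain_parameters(const STACK_OF_X509 *chain,
+- const ASN1_OCTET_STRING *skid, GError **err)
++ GError **err)
+ {
+- const ASN1_OCTET_STRING *ca_skid = NULL;
++ const X509_NAME *ca_x509_subject = NULL;
++ g_autofree gchar *ca_subject = NULL;
+ gint len = sk_X509_num(chain);
+ X509 *ca = NULL;
+
+- g_assert(skid);
+ /* at least one root and one leaf certificate must be defined */
+- g_assert(len >= 2);
++ if (len < 2) {
++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
++ _("there must be at least on root and one leaf certificate in the chain of trust"));
++ return -1;
++ }
+
+ /* get the root certificate of the chain of trust */
+ ca = sk_X509_value(chain, len - 1);
+@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain,
+ return -1;
+ }
+
+- ca_skid = X509_get0_subject_key_id(ca);
+- if (!ca_skid) {
+- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
+- _("malformed root certificate"));
++ ca_x509_subject = X509_get_subject_name(ca);
++ if (!ca_x509_subject) {
++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
++ _("subject of the root CA cannot be retrieved"));
+ return -1;
+ }
+
+- if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
+- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
+- _("expecting DigiCert root CA to be used"));
++ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
++ if (!ca_subject) {
++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
++ _("subject name of the root CA cannot be retrieved"));
+ return -1;
+ }
+
++ g_info("Root CA used: '%s'", ca_subject);
+ return 0;
+ }
+
+diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h
+index 3cda4507..fdf66de2 100644
+--- a/genprotimg/src/utils/crypto.h
++++ b/genprotimg/src/utils/crypto.h
+@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert,
+ gint verify_flags, GError **err);
+ void pv_crypto_init(void);
+ void pv_crypto_cleanup(void);
+-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
+ gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
+ gint verify_flags, int level, GError **err);
+ X509 *load_cert_from_file(const char *path, GError **err);
+@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path,
+ int store_set_verify_param(X509_STORE *store, GError **err);
+ X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
+ STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
+-gint check_chain_parameters(const STACK_OF_X509 *chain,
+- const ASN1_OCTET_STRING *skid, GError **err);
++gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
+ X509_NAME *c2b_name(const X509_NAME *name);
+
+ STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);
+--
+2.25.1
+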
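Review bot: In the new `check_chain_parameters`, `ca_subject` is declared `g_autofree gchar *` but is filled by `X509_NAME_oneline(ca_x509_subject, NULL, 0)`, which allocates the buffer through OpenSSL's allocator and is documented to be released with `OPENSSL_free()`; freeing it with `g_free` only works while OpenSSL is left on the default malloc and mismatches allocators otherwise. Prefer `char *ca_subject = NULL;` and an explicit `OPENSSL_free(ca_subject);` after the `g_info` call, which is the only path on which it is assigned. The new error string `"there must be at least on root and one leaf certificate in the chain of trust"` has a typo (`on` for `one`) in a user-visible, translatable message; since this is a verbatim upstream backport it is better reported upstream than diverged here. The man-page wording `the system wide root CAs installed on the system is used` is redundant and disagrees in number; `the root CAs installed on the system are used` reads better. With the pin gone, the only signal of which root anchored the chain is the verbose-mode `g_info`, so the changelog entry could point users who relied on the old DigiCert-only behaviour to `--root-ca`.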
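diff --git a/debian/patches/series b/debian/patches/series
index bf63586..704198b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,5 @@ ee2c6d4-zipl-Allow-optional-entries-that-are-left-out-when-f.patch
 a9e13a2d-genprotimg-introduce-macro-for-the-control-flags-and.patch
 0906293c-genprotimg-enable-pckmo-and-disable-pckmo-are-mutual.patch
 5394cd36-genprotimg-add-PV-guest-dump-support.patch
+78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch
+673ff37-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch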
