Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
s390-tools.27266
s390-tools-sles15sp3-02-genprotimg-check_hostke...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File s390-tools-sles15sp3-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch of Package s390-tools.27266
Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check From: Marc Hartmayer <mhartmay@linux.ibm.com> Description: genprotimg/check_hostkeydoc: cert. verification is too strict Symptom: Verification failures will occur for newer host key documents Problem: The certificate verification of check_hostkeydoc is too strict and doesn't match the checking performed by genprotimg. This applies to the OU field in the issuer DN of the host key document. As a consequence verification failures will occur for host key documents issued for hardware generations newer than IBM z15. DigiCert is the CA issuing the signing certificate for Secure Execution host key documents. This certificate is used for the verification of the host key document validity. Recently, DigiCert has changed the root CA certificate used for issuance of the signing certificates. As genprotimg is checking the CA serial, the verification of the chain of trust will fail. As a workaround, it is possible to disable certificate verification, but this is not recommended because it makes it easier to provide a fake host key document. Since the previously issued host key documents are expiring in April 2022, it is necessary to fix genprotimg to accept the newly issued host key documents. Solution: Relax the certificate verification Reproduction: Use a new host key document Upstream-ID: 673ff375d939d3cde674f8f99a62d456f8b1673d Problem-ID: 197604 Upstream-Description: genprotimg/check_hostkeydoc: relax default issuer check While the original default issuer's organizationalUnitName (OU) was defined as "IBM Z Host Key Signing Service", any OU ending with "Key Signing Service" is considered legal. Let's relax the default issuer check by stripping off characters preceding "Key Signing Service". Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com> Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com> Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com> Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com> Index: s390-tools-service/genprotimg/samples/check_hostkeydoc =================================================================== --- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc +++ s390-tools-service/genprotimg/samples/check_hostkeydoc @@ -23,6 +23,7 @@ BODY_FILE=$(mktemp) ISSUER_DN_FILE=$(mktemp) SUBJECT_DN_FILE=$(mktemp) DEF_ISSUER_DN_FILE=$(mktemp) +CANONICAL_ISSUER_DN_FILE=$(mktemp) CRL_SERIAL_FILE=$(mktemp) # Cleanup on exit @@ -30,7 +31,7 @@ cleanup() { rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \ $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \ - $CRL_SERIAL_FILE + $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE } trap cleanup EXIT @@ -121,20 +122,31 @@ default_issuer() commonName = International Business Machines Corporation countryName = US localityName = Poughkeepsie - organizationalUnitName = IBM Z Host Key Signing Service + organizationalUnitName = Key Signing Service organizationName = International Business Machines Corporation stateOrProvinceName = New York EOF } -verify_issuer_files() +# As organizationalUnitName can have an arbitrary prefix but must +# end with "Key Signing Service" let's normalize the OU name by +# stripping off the prefix +verify_default_issuer() { default_issuer > $DEF_ISSUER_DN_FILE - if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE + sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \ + $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE + + if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE then echo Incorrect default issuer >&2 && exit 1 fi +} + +verify_issuer_files() +{ + verify_default_issuer if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE then
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor