import OL opencryptoki-3.25.0-4.el9_7.1

2026-02-18 08:09:07 +00:00 · 2026-02-18 08:09:07 +00:00 · 532501cd19
commit 532501cd19
parent eeda4c4af7
3 changed files with 180 additions and 1 deletions
--- a/SOURCES/opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch
+++ b/SOURCES/opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch
@ -0,0 +1,116 @@
+commit ab740fd0d596914919719ecbee90b0ad5fbb7112
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Mon Nov 10 08:54:23 2025 +0100
+
+    EP11: Fix private secure key blob import
+    
+    Newer EP11 firmware versions do not allow to get attribute CKA_VALUE_LEN
+    for private keys, because CKA_VALUE_LEN is not defined for these
+    key types. This now causes error CKR_ATTRIBUTE_TYPE_INVALID.
+    Older firmware versions ignored that and did not fail if CKA_VALUE_LEN
+    was attempted to be retrieved.
+    
+    Use separate templates for getting the attributes of public, private or
+    secret keys, and get CKA_VALUE_LEN only for secret keys.
+    
+    Fixes: 169ab762c283ca341350580c2c080720e62967e8
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 4e6944e6..b6a9c014 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -5386,13 +5386,24 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+     CK_KEY_TYPE blob_type2 = CK_UNAVAILABLE_INFORMATION;
+     CK_ULONG value_len, value_len2, stdcomp, stdcomp2;
+     CK_BYTE buf[MAX_BLOBSIZE];
+-    CK_ATTRIBUTE get_attr[] = {
+-        { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) }, /* must be first */
+    CK_ATTRIBUTE get_attr_pub[] = {
+        { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) },
+    };
+    CK_ULONG get_attr_pub_num = sizeof(get_attr_pub) / sizeof(CK_ATTRIBUTE);
+    CK_ATTRIBUTE get_attr_priv[] = {
+        { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) },
+        { CKA_IBM_STD_COMPLIANCE1, &stdcomp, sizeof(stdcomp) },
+        { CKA_PUBLIC_KEY_INFO, &buf, sizeof(buf) },
+    };
+    CK_ULONG get_attr_priv_num = sizeof(get_attr_priv) / sizeof(CK_ATTRIBUTE);
+    CK_ATTRIBUTE get_attr_sec[] = {
+        { CKA_KEY_TYPE, &blob_type, sizeof(blob_type) },
+         { CKA_VALUE_LEN, &value_len, sizeof(value_len) },
+         { CKA_IBM_STD_COMPLIANCE1, &stdcomp, sizeof(stdcomp) },
+-        { CKA_PUBLIC_KEY_INFO, &buf, sizeof(buf) } /* SPKI must be last */
+     };
+-    CK_ULONG get_attr_num = sizeof(get_attr) / sizeof(CK_ATTRIBUTE);
+    CK_ULONG get_attr_sec_num = sizeof(get_attr_sec) / sizeof(CK_ATTRIBUTE);
+    CK_ATTRIBUTE *get_attr = NULL;
+    CK_ULONG get_attr_num = 0;
+     CK_ATTRIBUTE get_attr2[] = {
+         { CKA_KEY_TYPE, &blob_type2, sizeof(blob_type2) },
+         { CKA_VALUE_LEN, &value_len2, sizeof(value_len2) },
+@@ -5629,10 +5640,22 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+         }
+     }
+ 
+-    if (class == CKO_PUBLIC_KEY)
+-        get_attr_num = 1; /* get only key type for public key */
+-    if (class == CKO_SECRET_KEY)
+-        get_attr_num--; /* don't get SPKI for secret key */
+    switch (class) {
+    case CKO_PUBLIC_KEY:
+        get_attr = get_attr_pub;
+        get_attr_num = get_attr_pub_num;
+        break;
+    case CKO_PRIVATE_KEY:
+        get_attr = get_attr_priv;
+        get_attr_num = get_attr_priv_num;
+        break;
+    case CKO_SECRET_KEY:
+        get_attr = get_attr_sec;
+        get_attr_num = get_attr_sec_num;
+        break;
+    default:
+        return CKR_KEY_TYPE_INCONSISTENT;
+    }
+ 
+     /* Get Key type and SPKI for private keys */
+     blob1_len = keytype == CKK_AES_XTS ? blob_len / 2 : blob_len;
+@@ -5713,8 +5736,8 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+ 
+     case CKO_PRIVATE_KEY:
+         rc = import_blob_private_public(tokdata, sess, obj, keytype,
+-                                        get_attr[get_attr_num - 1].pValue,
+-                                        get_attr[get_attr_num - 1].ulValueLen,
+                                        get_attr_priv[get_attr_priv_num - 1].pValue,
+                                        get_attr_priv[get_attr_priv_num - 1].ulValueLen,
+                                         FALSE);
+         if (rc != CKR_OK) {
+             TRACE_ERROR("%s import_blob_public failed rc=0x%lx\n",
+@@ -5733,15 +5756,17 @@ static CK_RV import_blob(STDLL_TokData_t *tokdata, SESSION *sess, OBJECT *obj,
+         break;
+     }
+ 
+-    rc = template_build_update_attribute(obj->template, CKA_IBM_STD_COMPLIANCE1,
+-                                         (CK_BYTE *)&stdcomp, sizeof(stdcomp));
+-    if (rc != CKR_OK) {
+-        TRACE_ERROR("%s template_build_update_attribute failed rc=0x%lx\n",
+-                    __func__, rc);
+-        return rc;
+-    }
+-
+     if (class != CKO_PUBLIC_KEY) {
+        rc = template_build_update_attribute(obj->template,
+                                             CKA_IBM_STD_COMPLIANCE1,
+                                             (CK_BYTE *)&stdcomp,
+                                             sizeof(stdcomp));
+        if (rc != CKR_OK) {
+            TRACE_ERROR("%s template_build_update_attribute failed rc=0x%lx\n",
+                        __func__, rc);
+            return rc;
+        }
+
+         /* Set CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE */
+         rc = key_mgr_apply_always_sensitive_never_extractable_attrs(tokdata,
+                                                                     obj);
--- a/SOURCES/opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch
+++ b/SOURCES/opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch
@ -0,0 +1,50 @@
+commit d3dc88c720fdbf56a64f3990148387649f366aeb
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Thu Nov 6 15:27:36 2025 +0100
+
+    EP11: Fix unwrapping of attribute bound EC keys
+    
+    Newer EP11 firmware versions do not allow to get attribute CKA_VALUE_LEN
+    for non-symmetric keys, because CKA_VALUE_LEN is not defined for these
+    key types. This now causes error CKR_ATTRIBUTE_TYPE_INVALID.
+    Older firmware versions ignored that and did not fail if CKA_VALUE_LEN
+    was attempted to be retrieved.
+    
+    Fix this by only attempting to obtain CKA_VALUE_LEN for keys that support
+    this attribute.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 1baa5443..4e6944e6 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -2222,17 +2222,26 @@ static CK_RV ab_unwrap_update_template(STDLL_TokData_t * tokdata,
+         {CKA_KEY_TYPE,          &template_keytype,  sizeof(template_keytype)},
+         {CKA_VALUE_LEN,         &valuelen,          sizeof(valuelen)},
+     };
+    CK_ULONG num_attrs = sizeof(attrs) / sizeof(CK_ATTRIBUTE);
+     CK_ULONG i;
+     CK_ATTRIBUTE *attr;
+     CK_BBOOL cktrue = TRUE;
+     CK_BYTE *useblob;
+     size_t useblob_len;
+ 
+    switch (keytype) {
+    case CKK_GENERIC_SECRET:
+    case CKK_AES:
+        break;
+    default:
+        num_attrs -= 1; /* No CKA_VALUE_LEN attribute */
+        break;
+    }
+
+     RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
+     RETRY_REENC_BLOB_START(tokdata, target_info, obj, blob, blob_len,
+                            useblob, useblob_len, rc)
+-        rc = dll_m_GetAttributeValue(useblob, useblob_len, attrs,
+-                                     sizeof(attrs) / sizeof(CK_ATTRIBUTE),
+        rc = dll_m_GetAttributeValue(useblob, useblob_len, attrs, num_attrs,
+                                      target_info->target);
+     RETRY_REENC_BLOB_END(tokdata, target_info, useblob, useblob_len, rc)
+     RETRY_SESSION_SINGLE_APQN_END(rc, tokdata, session)
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
 Version: 3.25.0
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -28,6 +28,14 @@ Patch11: opencryptoki-3.25.0-covscan-findings.patch
 # Remove the use of MD5, pkcsslotd crashes in FIPS mode
 Patch12: opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch

+# EP11: Fix unwrapping of attribute bound EC keys
+# https://github.com/ifranzki/opencryptoki/commit/d3dc88c
+Patch13: opencryptoki-3.25.0-fix-unwrapping-attribute-bound-EC-keys.patch
+
+# EP11: Fix private secure key blob import
+# https://github.com/ifranzki/opencryptoki/commit/ab740fd
+Patch14: opencryptoki-3.25.0-fix-private-secure-key-blob-import.patch
+
 Requires(pre): coreutils
 Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
 BuildRequires: gcc gcc-c++
@ -413,6 +421,11 @@ fi


 %changelog
+* Tue Feb 03 2026 Than Ngo <than@redhat.com> - 3.25.0-4.1
+- Fix unwrapping of attribute bound EC keys
+- Fix private secure key blob import
+  Resolves: RHEL-131644
+
 * Wed Aug 13 2025 Than Ngo <than@redhat.com> - 3.25.0-4
 - Fix pkcsslotd fails to start in FIPS
 - Drop tier1 test as it mostly provides duplicate results