Package: openssl-blacklist
Version: 0.3
Severity: wishlist
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It would be nice if you could run openssl-blacklist against a
certificate supplied on stdin, rather than needing to create a local
file.
This would allow simple loops like:
for foo in hosta hostb hostc; do
echo | openssl s_client -connect $foo | openssl-vulnkey -
done
and similar conveniences for beleaguered system administrators.
I've attached a patch which allows for this (by creating a tempfile,
since so much of the code is predicated on the tested cert's existence
in the filesystem), and i've patched the documentation as well.
This patch includes a fix for a minor bug in the man page, as well as
what appears to be a variable substitution in the handling of the
"Problem finding modulus". If you'd like, i can file those minor bugs
separately.
Thanks for providing this tool -- it's useful in a time like this.
Regards,
--dkg
- -- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl-blacklist depends on:
ii openssl 0.9.8g-10 Secure Socket Layer (SSL) binary a
ii python 2.5.2-1 An interactive high-level object-o
openssl-blacklist recommends no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQIVAwUBSDW17czS7ZTSFznpAQIbYA//Sr8jRIpb6UEsQDij3V95a5r3pegWRP2A
qPJmNgfHfhY1RQt6SSjGp92CAtq7BFAGriOLBnAHkWpCcWi9xIRRNYR1Oa5jJ87W
ykZKmbxjrZCsjQNp7hg1Z82JArCyYQlveHqgJb0Ub8OKEfaMNJO2n5NB84MAsFy1
t/FLBBjjYZO463/OTRY5rOE8AJlE0thU1p5dKLS8tFrtAM6wgYt1Y5N4kDSHNU3W
3xrtxlOD067MulvohNv43uAUvNJSJor9Kpj47kBstJsBMM75392pqySBfBwFHQsv
M/u/ljVV80P4G0BoN4rTaCu0lshCXo4BMtZTbmopaP3ent8+K7e5DP7lCBI3KVnZ
QtvO6LGlx6T/ckHdOSPTFZL42GjngsUbXWqUh/h/csX20/MU1fsiRanpGLQ6gi6E
2ex3HcKJ1aXsmD855xuH/QOu/83qSU2TZsLreewCQXLYm/UuRZXPXED56PFBeW9Z
nxdY0wW5cPAE/KKhopZlOCzxhWWkI1P2tfgLfyBm1gBKyHEWGoVsmGBxUTeE1BlV
mk2rWg0RPFOwxbtQC/Md+OAsat/fVr9GZuNpdJxTGhcMcJv0yGtS3Pvj1Q6w5qpu
4e4XJ6iDPdjAihVkHnnymk3sXsGlQqKSSBLEY3cropb11CGN+8Ddt67Gn+oAhDMs
wP/oDslcWx0=
=cqIw
-----END PGP SIGNATURE-----
Common subdirectories: openssl-blacklist-0.3/debian and openssl-blacklist-0.3.dkg/debian
Common subdirectories: openssl-blacklist-0.3/examples and openssl-blacklist-0.3.dkg/examples
diff -u openssl-blacklist-0.3/openssl-vulnkey openssl-blacklist-0.3.dkg/openssl-vulnkey
--- openssl-blacklist-0.3/openssl-vulnkey 2008-05-20 12:16:47.000000000 -0400
+++ openssl-blacklist-0.3.dkg/openssl-vulnkey 2008-05-22 13:31:39.000000000 -0400
@@ -24,6 +24,8 @@
import sha
import subprocess
import sys
+import tempfile
+import shutil
version = "0.1.1"
db_prefix = "/usr/share/openssl-blacklist/blacklist.RSA-"
@@ -109,23 +111,37 @@
# Check each file
found = False
+tempname = False
for f in args:
+ realname = f
+
+ if f == "-":
+ os.umask(077)
+ if (tempname):
+ os.unlink(tempname)
+ # dump stdin to tmpfile, operate on tmpfile instead
+ (temph,tempname) = tempfile.mkstemp()
+ temph = os.fdopen(temph, 'w')
+ shutil.copyfileobj(sys.stdin,temph)
+ temph.close()
+ f = tempname
+
if not os.path.exists(f):
if not options.quiet:
- print >> sys.stderr, "'%s' could not be opened (skipping)" % (f)
+ print >> sys.stderr, "'%s' could not be opened (skipping)" % (realname)
continue
type = get_type(f)
if type == "":
if not options.quiet:
- print >> sys.stderr, "'%s' is not x509 or rsa (skipping)" % (f)
+ print >> sys.stderr, "'%s' is not x509 or rsa (skipping)" % (realname)
continue
last_bits = ""
bits = get_bits(f, type)
if bits == "":
if not options.quiet:
- print >> sys.stderr, "Key has unknown validity: %s" % (f)
+ print >> sys.stderr, "Key has unknown validity: %s" % (realname)
continue
if last_bits != bits:
@@ -136,7 +152,7 @@
except:
try:
print >> sys.stderr, "WARN: could not open database for %s " \
- "bits (skipping %s)" % (bits, f)
+ "bits (skipping %s)" % (bits, realname)
except IOError:
pass
continue
@@ -148,18 +164,21 @@
modulus = get_modulus(f, type)
if modulus == "":
if not options.quiet:
- print >> sys.stderr, "Problem finding modulus: %s" % (file)
+ print >> sys.stderr, "Problem finding modulus: %s" % (realname)
continue
key = sha.sha(modulus).hexdigest()
#print "bits: %s\nmodulus: %s\nkey: %s\nkey80: %s" % (bits, modulus, key, key[20:])
if key[20:] in db_lines:
if not options.quiet:
- print "COMPROMISED: %s %s" % (key, f)
+ print "COMPROMISED: %s %s" % (key, realname)
found = True
else:
if not options.quiet:
- print "Not blacklisted: %s %s" % (key, f)
+ print "Not blacklisted: %s %s" % (key, realname)
+
+if tempname:
+ os.unlink(tempname)
if found:
sys.exit(1)
diff -u openssl-blacklist-0.3/openssl-vulnkey.1 openssl-blacklist-0.3.dkg/openssl-vulnkey.1
--- openssl-blacklist-0.3/openssl-vulnkey.1 2008-05-20 12:16:47.000000000 -0400
+++ openssl-blacklist-0.3.dkg/openssl-vulnkey.1 2008-05-22 13:51:54.000000000 -0400
@@ -45,10 +45,25 @@
must be generated using
.Xr openssl 8 .
.Pp
+If
+.Dq -
+is given as an argument,
+.Nm
+will read from standard input.
+This can be used to process certificate output from
+.Xr s_client 1ssl ,
+for example:
+.Pp
+.Dl $ echo | openssl s_client -connect remote.example.org:https | openssl-vulnkey -
+.Pp
+will test the certificate used by remote.example.org for HTTPS.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
.It Fl q
Quiet mode.
Normally,
-.Xr openssl-vulnkey 1
+.Nm
outputs the fingerprint of each file scanned, with a description of its
status.
This option suppresses that output.