Package: openssl-blacklist
Version: 0.3
Severity: normal

Trying to use gen_certs.sh to build a 4096 key blacklist, I first
decided to double check that it would indeed generate vulnerable keys.

As far as I can see, the result is a no:

sh-3.1# ./gen_certs.sh 1024
sh-3.1# for i in certs//key-* ; do openssl-vulnkey $i ; done | grep -i comprom
sh-3.1#

(All the keys come back as 'Not blacklisted'.)

I've also compared the first 6 keys generated by two separate runs:

Not blacklisted: b352e2d6f2fca45c6ee1a9ba8489eea20671c299
certs//key-2048-1-nornd.pem
Not blacklisted: 4a3fb7ca9616279c58246898569d70b298985e8c
certs//key-2048-2-nornd.pem
Not blacklisted: 17e694b5089283b31808e184f6ae86e41fa7cfc5
certs//key-2048-3-nornd.pem
Not blacklisted: 07de88f21028b632161582d15d1a46f1629633b5
certs//key-2048-4-nornd.pem
Not blacklisted: 6d5bf6b49773be6963c349ac960ffe0e5f212413
certs//key-2048-5-nornd.pem
Not blacklisted: 59e4541f5f1ea9cfe8a9d89d11563c22a18053ad
certs//key-2048-6-nornd.pem

Not blacklisted: d4d13d0a97a864a00a7488166cfff0f7c4643768
certs//key-2048-1-nornd.pem
Not blacklisted: ec46e456c29f4922ca8def00182a03f415d50994
certs//key-2048-2-nornd.pem
Not blacklisted: 55103f863dcc3a86d5fbc77dfa9011201696087e
certs//key-2048-3-nornd.pem
Not blacklisted: 7ce62d6e3be99e5ff4a31714288dcaf1158c171e
certs//key-2048-4-nornd.pem
Not blacklisted: 9faa75991184155fe9b434fbb062a441957434d5
certs//key-2048-5-nornd.pem
Not blacklisted: d806c21c2c451fce1bb40e660190c24cbf5a441a
certs//key-2048-6-nornd.pem

As you can see, the second run generated different keys.

Does gen_certs.sh only work when you put a vulnerable version of OpenSSL
onto the system? If yes, that should probably be mentioned somewhere as
otherwise blacklists generated with it are useless. The code makes it
look as if the script removed all randomness by cutting .rnd and using
getpid, but as shown above, the resulting keys are still fairly random.
(Or did I simply overlook something and am making a huge fool of myself
here? That's always a possibility too. ;) )

Greetings,
       Michel


-- System Information:
Debian Release: lenny/sid
  APT prefers stable
  APT policy: (700, 'stable'), (650, 'testing'), (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl-blacklist depends on:
ii  openssl                       0.9.8g-10  Secure Socket Layer (SSL) binary a
ii  python                        2.5.2-1    An interactive high-level object-o

openssl-blacklist recommends no packages.

-- no debconf information
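
The two checks made in the report (does any generated key come back as blacklisted, and do two runs yield the same fingerprints) can be scripted as follows. This is an added example, not part of the original report or of openssl-blacklist; the function names, the listing file names and the sample fingerprints are assumptions made for illustration, and the listing format is the one shown in the report.

```shell
#!/bin/sh
# Added example: sanity checks on openssl-vulnkey listings from two runs.

# Normalise a listing to "FILE HASH FLAG" lines sorted by FILE. Accepts the
# hash and file on one line, or the wrapped form with FILE on the next line.
normalise() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (length($i) == 40 && $i ~ /^[0-9a-f]+$/) {
                hash = $i
                # Same test as the report: grep -i comprom
                flag = (tolower($0) ~ /comprom/) ? "listed" : "unlisted"
                if (i < NF) { print $(i + 1), hash, flag; hash = "" }
                next
            }
        if (hash != "" && NF == 1) { print $1, hash, flag; hash = "" }
    }' "$1" | LC_ALL=C sort -k1,1
}

# Number of keys the listing reports as blacklisted.
count_listed() {
    normalise "$1" | awk '$3 == "listed" { n++ } END { print n + 0 }'
}

# Print every file whose fingerprint differs between the two runs.
# Returns 0 only when the runs agree, i.e. generation was deterministic.
compare_runs() {
    a=$(mktemp); b=$(mktemp)
    normalise "$1" > "$a"; normalise "$2" > "$b"
    diffs=$(LC_ALL=C join "$a" "$b" |
        awk '($2 "") != ($4 "") { print $1 ": " $2 " != " $4 }')
    rm -f "$a" "$b"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"; return 1
}

# Constructed sample listings (fingerprints are placeholders, not real keys).
make_samples() {
    h1=$(printf '%040d' 1); h2=$(printf '%040d' 2); h3=$(printf '%040d' 3)
    printf 'Not blacklisted: %s\ncerts//key-2048-1-nornd.pem\n' "$h1" > "$1/run1.txt"
    printf 'Not blacklisted: %s certs//key-2048-2-nornd.pem\n' "$h2" >> "$1/run1.txt"
    printf 'Not blacklisted: %s certs//key-2048-1-nornd.pem\n' "$h1" > "$1/run2.txt"
    printf 'Not blacklisted: %s certs//key-2048-2-nornd.pem\n' "$h3" >> "$1/run2.txt"
}

# Usage: sh check_runs.sh run1.txt run2.txt
if [ "$#" -eq 2 ]; then
    echo "blacklisted in run 1: $(count_listed "$1")"
    compare_runs "$1" "$2" && echo "runs identical"
fi
```

A generator whose output is meant to seed a blacklist should pass both checks: every key flagged against the existing blacklist, and no differences between runs.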


