Re: [openssl-users] openssl rsa -check

2017-07-30 Thread Georg Höllrigl
Wow, that was fast.

Keep up that awesome work!

Thank you.

Kind Regards,

Georg


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Paul Yang
Sent: Friday, 28 July 2017 18:34
To: Openssl Users <openssl-users@openssl.org>
Subject: Re: [openssl-users] openssl rsa -check


Please refer to this: https://github.com/openssl/openssl/pull/4043

On 29 Jul 2017, at 00:21, Paul Yang <paulyang@gmail.com> wrote:

Hmmm, it’s a bug introduced by the use of the RSA_check_key_ex function. Thanks for 
reporting.

On 28 Jul 2017, at 19:16, Georg Höllrigl <georg.hoellr...@gmx.at> wrote:

Hello,

I think there is something broken with verifying the Private Key with "openssl 
rsa -check", like it was described in 
https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html

I tried to implement better checking in a script that tells me if a key matches 
a certificate or certificate request.

To reproduce, get the fake private key from 
https://github.com/hannob/tlshelpers/blob/master/examples/symantec.key

Verify the key with openssl 1.0.1e-fips or 1.0.2h:

$OPENSSL rsa -in symantec-broken.key -check -noout
RSA key error: n does not equal p q

Verify the key with openssl 1.1.0c or 1.1.0f (gives no output):

$OPENSSL rsa -in symantec-broken.key -check -noout

I would expect 1.1.0 to report the faked key in some way.

Even the return value of openssl is 0, no matter whether a legitimate key or a 
faked key is used.

Kind Regards,

Georg

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] openssl rsa -check

2017-07-28 Thread Paul Yang
Please refer to this: https://github.com/openssl/openssl/pull/4043

> On 29 Jul 2017, at 00:21, Paul Yang wrote:
> 
> Hmmm, it’s a bug introduced by the use of the RSA_check_key_ex function. Thanks 
> for reporting.
> 
>> On 28 Jul 2017, at 19:16, Georg Höllrigl wrote:
>> 
>> Hello,
>> 
>> I think there is something broken with verifying the Private Key with 
>> "openssl rsa -check", like it was described in 
>> https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
>> 
>> I tried to implement better checking in a script that tells me if a key 
>> matches a certificate or certificate request.
>> 
>> To reproduce, get the fake private key from 
>> https://github.com/hannob/tlshelpers/blob/master/examples/symantec.key
>> 
>> Verify the key with openssl 1.0.1e-fips or 1.0.2h:
>> $OPENSSL rsa -in symantec-broken.key -check -noout
>> RSA key error: n does not equal p q
>> 
>> Verify the key with openssl 1.1.0c or 1.1.0f (gives no output):
>> $OPENSSL rsa -in symantec-broken.key -check -noout
>> 
>> I would expect 1.1.0 to report the faked key in some way.
>> Even the return value of openssl is 0, no matter whether a legitimate key 
>> or a faked key is used.
>> 
>> Kind Regards,
>> Georg


Re: [openssl-users] openssl rsa -check

2017-07-28 Thread Paul Yang
Hmmm, it’s a bug introduced by the use of the RSA_check_key_ex function. Thanks for 
reporting.

> On 28 Jul 2017, at 19:16, Georg Höllrigl wrote:
> 
> Hello,
> 
> I think there is something broken with verifying the Private Key with 
> "openssl rsa -check", like it was described in 
> https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
> 
> I tried to implement better checking in a script that tells me if a key 
> matches a certificate or certificate request.
> 
> To reproduce, get the fake private key from 
> https://github.com/hannob/tlshelpers/blob/master/examples/symantec.key
> 
> Verify the key with openssl 1.0.1e-fips or 1.0.2h:
> $OPENSSL rsa -in symantec-broken.key -check -noout
> RSA key error: n does not equal p q
> 
> Verify the key with openssl 1.1.0c or 1.1.0f (gives no output):
> $OPENSSL rsa -in symantec-broken.key -check -noout
> 
> I would expect 1.1.0 to report the faked key in some way.
> Even the return value of openssl is 0, no matter whether a legitimate key 
> or a faked key is used.
> 
> Kind Regards,
> Georg
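The check Georg describes wanting (does this key belong to this certificate or request, and is the key itself sound) can be done without trusting the output or exit status of `openssl rsa -check`. The script below is an added example for this thread; it is not code from the thread, from OpenSSL or from the tlshelpers repository. It reads a PKCS#1 "RSA PRIVATE KEY" PEM with a minimal DER parser, applies the standard consistency checks for a two-prime RSA key (p and q prime, n = p q, d e ≡ 1 mod lcm(p-1, q-1), CRT exponents and qInv), compares n against the `Modulus=` line printed by `openssl x509 -noout -modulus` (or `openssl req -noout -modulus`), and exits non-zero on any problem. The two sample keys are constructed from toy-sized known primes; the forged one reproduces the trick from the blog post, a genuine p, q and d from a fresh key with n replaced by the target certificate's modulus, which a modulus comparison alone accepts. The script name in the usage comment is assumed.

```python
"""Independent consistency check for a PEM PKCS#1 RSAPrivateKey.  Added example for
this thread, not code from the thread, OpenSSL or tlshelpers.  Python 3.9+ (math.lcm, pow(x, -1, m))."""
import base64, math, re, sys

# --- minimal DER reader/writer: an RSAPrivateKey is a SEQUENCE of INTEGERs, nothing else ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der_int(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear when needed
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body
def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(pem):  # -> [version, n, e, d, p, q, dP, dQ, qInv] (RFC 8017 A.1.2)
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PKCS#1 'RSA PRIVATE KEY' block (PKCS#8 keys are not handled here)")
    tag, body, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    fields, pos = [], 0
    while pos < len(body):
        itag, val, pos = _read_tlv(body, pos)
        fields.append(int.from_bytes(val, "big") if itag == 0x02 else None)
    if tag != 0x30 or len(fields) != 9 or None in fields:
        raise ValueError("not a two-prime RSAPrivateKey (SEQUENCE of nine INTEGERs)")
    return fields

def _probably_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; with these twelve bases the answer is exact for n < 3.18e23."""
    if n in bases:
        return True
    if n < 2 or any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_rsa_key(fields):  # list of problems; empty means the key is internally consistent
    _, n, e, d, p, q, dp, dq, qinv = fields
    if not (_probably_prime(p) and _probably_prime(q)):
        return ["p or q is not prime"]  # the remaining arithmetic assumes primes
    problems = []
    if n != p * q:  # the fake key from the blog post fails exactly here
        problems.append("n does not equal p q")
    if (e * d) % math.lcm(p - 1, q - 1) != 1:
        problems.append("d e not congruent to 1 mod lcm(p-1, q-1)")
    if dp != d % (p - 1) or dq != d % (q - 1):
        problems.append("CRT exponents dP/dQ do not match d")
    if (q * qinv) % p != 1:
        problems.append("qInv is not the inverse of q mod p")
    return problems

def key_matches_modulus(fields, modulus_line):  # 'Modulus=HEX' as printed by openssl x509/req -modulus
    return fields[1] == int(modulus_line.strip().split("=", 1)[-1], 16)

def verify(pem, modulus_line):  # both must hold: self-consistent key AND n equal to the cert's n
    fields = parse_rsa_private_key(pem)
    problems = check_rsa_key(fields)
    if not key_matches_modulus(fields, modulus_line):
        problems.append("modulus does not match the certificate/request")
    return problems

def build_pem(n, e, d, p, q):  # encoder, used only to construct the sample keys below
    der = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                  der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"

# --- constructed samples with toy-sized primes (real keys are 2048-bit or larger) ---
P, Q, E = 2147483647, 1000000007, 65537  # 2^31-1 and 10^9+7, both prime
D = pow(E, -1, math.lcm(P - 1, Q - 1))
GOOD_KEY = build_pem(P * Q, E, D, P, Q)
CERT_MODULUS = "Modulus=%X" % (998244353 * 1000000009)  # stand-in for the target certificate's n
# the blog post's trick: genuine p, q, d of a fresh key, but n copied from the target certificate
FORGED_KEY = build_pem(998244353 * 1000000009, E, D, P, Q)

if __name__ == "__main__":  # usage: check_rsa_key.py key.pem "$(openssl x509 -in cert.pem -noout -modulus)"
    problems = verify(open(sys.argv[1]).read(), sys.argv[2])
    print("\n".join(problems) or "RSA key ok")
    sys.exit(1 if problems else 0)
```

Run against the two constructed keys, `verify` returns an empty list for GOOD_KEY with its own modulus and `["n does not equal p q"]` for FORGED_KEY with CERT_MODULUS, even though the forged key's modulus matches the certificate; that is why a modulus comparison on its own is not a proof of possession. The exit status follows the result, which is the property Georg notes is missing from `openssl rsa -check` in 1.1.0. The parser only accepts the traditional "RSA PRIVATE KEY" format; a PKCS#8 "PRIVATE KEY" file can be converted first with `openssl rsa -in key.pem -out key-pkcs1.pem` (OpenSSL 1.0.x and 1.1.x write the traditional format by default).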