[openssl-dev] Possible deficiency verifying with indirect crl

2016-04-19 Thread weber

Dear openssl developers,

using the older version 1.0.2d we recently stumbled upon a possible 
deficiency in verifying a cert using an indirect CRL.
We went through the scoring code and found the CRL_SCORE_AKID flag unset 
although the CRL issuer's cert contained a SKID.

In the source file x509_vfy.c, at the end of function crl_akid_check, the 
possible crl_issuer is looked up from the untrusted certs stack. 
But the untrusted certs aren't guaranteed to have their extensions cached. 
So in our case crl_issuer->skid was empty, causing the function 
X509_check_akid to return X509_V_ERR_AKID_SKID_MISMATCH.


Inserting an X509_check_purpose(crl_issuer, -1, 0); just before the call 
fixed this issue.


We compared the source against the latest version 1.0.2g and found no 
changes regarding this behavior.


Please consider applying the following patch:
+++ openssl-1.0.2d/crypto/x509/x509_vfy.c2015-07-09 13:57 +0200
@@ -1234,6 +1234,7 @@ (excluded from the next commit)
 crl_issuer = sk_X509_value(ctx->untrusted, i);
 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
 continue;
+X509_check_purpose(crl_issuer, -1, 0);
 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
 *pissuer = crl_issuer;
 *pcrl_score |= CRL_SCORE_AKID;
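Review bot: the added X509_check_purpose(crl_issuer, -1, 0) call is there purely for its side effect (caching the certificate's extensions so that crl_issuer->skid is populated before X509_check_akid runs) and its return value is discarded; a one-line comment saying so would keep a later reader from removing it as a no-op. As the cover note itself points out, the issuer candidates taken from the chain about 30 lines earlier go through the same X509_check_akid without such a call, so that path deserves the same treatment. The hunk header also carries an editor annotation, "(excluded from the next commit)", which should be stripped before the patch is applied.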

BTW: We didn't check if the certs taken from the chain happen to have 
extension values cached (about 30 lines up).


Thanks in advance
--
Christian Weber
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] certificate signing using rsa pss algorithm?

2015-11-16 Thread weber

Thanks for your reply.

Am 12.11.2015 um 18:45 schrieb stefan.n...@t-online.de:

 Hi,

You might want to upgrade to OpenSSL-1.0.2 which seems to support the
  RSA PSS algorithm, see https://openssl.org/news/changelog.html#x5.

  Regards,
   Stefan

...

we are up to the most current version, i.e. OpenSSL 1.0.2d 9 Jul 
2015.


Trying the command-line tool
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -out 
rca.pubcert.pem -keyout rca.privkey.pem -pkeyopt rsa_padding_mode:pss 
-pkeyopt rsa_pss_saltlen:-2 -passin pass:

... leads to ...

Loading 'screen' into random state - done
parameter error "rsa_padding_mode:pss"
10584:error:0408F090:rsa routines:PKEY_RSA_CTRL:illegal or unsupported 
padding mode:.\crypto\rsa\rsa_pmeth.c:517:
10584:error:06089093:digital envelope 
routines:EVP_PKEY_CTX_ctrl:command not 
supported:.\crypto\evp\pmeth_lib.c:405:

...

Since we found explicit exclusion of PSS padding for cert signing in 
.\crypto\rsa\rsa_pmeth.c:501, we guess PSS signing of certificates is 
currently not officially supported.


So we've just asked for the reason why, since we're looking for 
certificates which may satisfy security needs for decades.


Regards
--
Christian Weber


[PATCH] Two typos in the 'enc' man page

2014-10-16 Thread Alex Weber
Not much else to say about this. :)


diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 41791ad..8f4ef99 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -170,7 +170,7 @@ configuration file is read and any ENGINEs loaded.
 Engines which provide entirely new encryption algorithms (such as ccgost
 engine which provides gost89 algorithm) should be configured in the
 configuration file. Engines, specified in the command line using -engine
-options can only be used for hadrware-assisted implementations of
+options can only be used for hardware-assisted implementations of
 ciphers, which are supported by OpenSSL core or other engine, specified
 in the configuration file.
 
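Review bot: the spelling fix is correct. While this sentence is being touched, the stray comma in "Engines, specified in the command line using -engine" cuts the subject off from its restrictive modifier; "Engines specified on the command line using -engine" reads correctly and is worth folding into the same change.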
@@ -212,7 +212,7 @@ Note that some of these ciphers can be disabled at compile 
time
 and some are available only if an appropriate engine is configured
 in the configuration file. The output of the Benc command run with
 unsupported options (for example Bopenssl enc -help) includes a
-list of ciphers, supported by your versesion of OpenSSL, including
+list of ciphers, supported by your version of OpenSSL, including
 ones provided by configured engines.
 
 The Benc program does not support authenticated encryption modes
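Review bot: same style nit as in the first hunk: "list of ciphers, supported by your version of OpenSSL" has a spurious comma before a restrictive participle, and "list of ciphers supported by your version of OpenSSL" is the intended reading. Note also that the hunk header has been wrapped onto two lines ("@@ -212,7 +212,7 @@ Note that some of these ciphers can be disabled at compile" / "time"); apply the patch from the attachment or rejoin the header first, otherwise patch will reject this hunk.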

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #3358] openssl should create private keys with stricter permissions

2014-05-16 Thread Leon Weber via RT
Hi,

Currently, openssl creates private RSA keys with the default
permissions:

leon@lagrange /tmp % openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
leon@lagrange /tmp % openssl genrsa -out foobar.key
Generating RSA private key, 1024 bit long modulus
...++
...++
e is 65537 (0x10001)
leon@lagrange /tmp % ls -l foobar.key 
-rw-rw-r--. 1 leon leon 883 May 16 02:28 foobar.key

As in the example above, this may be world-readable.  It would be
preferable to create private keys with stricter permissions.  This can
be achieved e.g. by calling the POSIX function open(filename,
O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR).

-- Leon.
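As an added example (not Leon's code and not OpenSSL's), here is the open() call from the report wrapped in a complete C routine, together with two details the report does not spell out: the mode given to open() is only ever narrowed by the umask, so a permissive umask cannot widen it, and open() leaves the mode of a pre-existing file untouched, so an fchmod() is needed when an older, looser key file is being overwritten. The file path and the placeholder key text are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create or truncate `path` so that it never exists with permissions wider
 * than 0600, then write `len` bytes of `buf` into it.
 * The mode passed to open() applies at creation time and can only be
 * narrowed by the process umask, never widened.
 * Returns 0 on success, -1 on failure with errno set. */
int write_private_file(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;

    /* open() does not change the mode of a file that already existed, so
     * tighten it explicitly in case a world-readable key file is replaced. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }

    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Returns 1 if `path` grants no permissions to group or others,
 * 0 if it does, -1 if the file cannot be stat()ed. */
int is_owner_only(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    /* Constructed placeholder standing in for PEM key material. */
    static const char key[] =
        "-----BEGIN PRIVATE KEY-----\n"
        "(constructed placeholder, not a real key)\n"
        "-----END PRIVATE KEY-----\n";
    const char *path = "/tmp/example_private.key";   /* assumed location */

    umask(0);   /* deliberately permissive: the file must still end up 0600 */
    if (write_private_file(path, key, sizeof key - 1) != 0) {
        perror("write_private_file");
        return 1;
    }
    printf("%s owner-only: %s\n", path,
           is_owner_only(path) == 1 ? "yes" : "NO");
    return 0;
}
```

The check in is_owner_only() is the one a deployment script or a test should run against every generated key: it fails on a file created via the default fopen() mode whenever the umask leaves any group or other bits set.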






ECDSA w. Brainpool

2012-10-04 Thread Christian Weber

Dear OpenSSL developers,

in the development trunk of openssl 1.0.2 we can find
brainpool curves implemented.

Do you expect major changes until 1.0.2 is ready to be
released or is it almost ready for production?

Thanks in advance
--
Christian Weber
mailto:we...@infotech.de


Document Signature w. RSASSA-PSS

2012-10-04 Thread Christian Weber

Dear OpenSSL developers,

somewhere we've read that document signing with
RSASSA-PSS has been implemented, maybe in the 1.0.2
trunk.

Currently, in 1.0.1 signatures can be created and verified
using PSS padding, if the checks are carried out manually.

I.e.
   RSA_public_decrypt(... , RSA_NO_PADDING);
   ...
   RSA_verify_PKCS1_PSS_mgf1(...);

reveals the correct result, but the algorithm oid is wrong
if we use PKCS7_sign() and the PSS-parameters are missing.
Looking into the code, this is very clear.

Are PSS signatures supported more completely in the dev trunk,
so it's worth a try, or should we wait or contribute?

Thanks in advance
--
Christian Weber
mailto:we...@infotech.de


[openssl.org #2222] RFC5081 support

2010-04-06 Thread Stephen Paul Weber via RT

I would really like OpenSSL to add support for RFC5081.

--
Stephen Paul Weber, @singpolyma
Please see http://singpolyma.net for how I prefer to be contacted.



[openssl.org #2012] opensslconf.h #ifndef DES_RISC1

2009-08-17 Thread Tony Weber via RT
Regarding `openssl-0.9.8k.tar.gz' at http://www.openssl.org/source/

A snippet of opensslconf.h reads:

/* This helps C compiler generate the correct code for multiple functional
 * units.  It reduces register dependancies at the expense of 2 more
 * registers */
#ifndef DES_RISC1
#undef DES_RISC1
#endif

#ifndef DES_RISC2
#undef DES_RISC2
#endif

#if defined(DES_RISC1) && defined(DES_RISC2)
YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!
#endif

The first 2 parts seem to say `if it's not defined, then undefine it'.  Is
something like the following intended?:

#ifdef DES_RISC1
#undef DES_RISC2
#endif


Sorry if I've misunderstood the purpose of these lines.  Thanks for your
work on this software.
Tony



Bug in ocsp_verify?

2009-05-06 Thread Christian Weber
Hello,

I think we found a minor bug in OCSP verification that is still present in
openssl-1.0.0-beta2.

In sourcefile ocsp_vfy.c, line 147:

if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)

X509_check_trust is fed an NID, which is out of range in the
subsequently called function X509_TRUST_get_by_id.

Maybe it should read:

if(X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) != X509_TRUST_TRUSTED)

Currently we have to set OCSP_NOCHECKS when doing OCSP_basic_verify,
because ocsp_check_issuer still returns zero.

Any hint?

TIA
Christian


FIPS validation docs

2009-05-05 Thread Christian Weber
Dear OpenSSL developers,

currently, there are two FIPS certificates (# and #1051) which
state that software version 1.2 (built upon OpenSSL 0.9.8) complies
with FIPS 140-2.

Both the library (under certain environments) and the program
(CLI frontend) have been validated (not certified).

I'm unsure what that validation really means. Does it mean that
following the policies leads to a software module that passes
the predefined tests, or is there some more evidence that library
and runtime do work correctly?

Is there any documentation beyond the contents of the current project's
website at http://www.openssl.org/ that shows the correctness of the
implementation of the provided cryptographic functions?

I guess that before and during the validation process much more
documentation must have been produced.

Could you please point me there?

TIA
--
Christian


Re: Patch for ca.c to check index.txt for expired certs

1999-05-10 Thread Lars Weber

On Mon, May 10, 1999 at 01:39:43PM +0200, Massimiliano Pala wrote:

Hi Massimiliano !

 Lars Weber wrote:
 
 I had to move the whole if(updatedb) ... to upper level actually avoiding the
 password request ( thus removing your if(updatedb = 0 ) on the  certificate
 loading stage). I actually get errors when launching the -updatedb because a 
 newly issued certificate with the following entry in db gets the 'Expired'
 flag set (while it shouldn't). Here it is:
 
   V   000509111506Z   01  unknown /C=IT/O=OpenCA/OU=Developer/CN=Massimiliano [EMAIL PROTECTED]


 Do you have some ideas ? Anyway I post the ca.diff patch (use patch -p1 ca.c ca.diff)
 so we can work together on the problem.

jfi:

I have seen you already got it. I have missed an "!" in a wrapping if-clause:

 +   if ( strncmp( rrow[DB_exp_date], "49", 2 ) = 0 )
 + db_y2k = 1;
 +   else
 + db_y2k = 0;
 +   if ( db_y2k && a_y2k )/* db && a => cert is valid */

Last line should be 

 +   if ( ! (db_y2k && a_y2k) )/* db && a => cert is valid */


Sorry for the irritation and thanks for the support !


Ciao,
  Lars  [EMAIL PROTECTED]
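As an added example (not Lars's patch and not OpenSSL's ca.c), here is how the expiry comparison behind -updatedb can be made independent of the two-digit-year wrap-around this thread is debugging: every index.txt timestamp is expanded to a four-digit year before it is compared, using the RFC 5280 convention for UTCTime (YY from 50 to 99 means 19YY, 00 to 49 means 20YY), and 15-character GeneralizedTime values are accepted as well. The sample index.txt lines and the "now" value are constructed, and the tab-separated field layout (status, expiry, revocation date, serial, ...) is assumed from the entry quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Expand a ca index.txt timestamp to "YYYYMMDDHHMMSS" so that plain string
 * comparison orders it chronologically.
 *   13 chars "YYMMDDHHMMSSZ"   (UTCTime): century chosen by the RFC 5280
 *                              rule, YY >= 50 -> 19YY, otherwise 20YY.
 *   15 chars "YYYYMMDDHHMMSSZ" (GeneralizedTime): century already present.
 * Returns 0 on success, -1 on a malformed field. `out` must hold 15 bytes. */
int expand_db_time(const char *t, char out[15])
{
    size_t n = strlen(t);
    if (n == 13 && t[12] == 'Z') {
        for (int i = 0; i < 12; i++)
            if (t[i] < '0' || t[i] > '9')
                return -1;
        int yy = (t[0] - '0') * 10 + (t[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, t, 12);
        out[14] = '\0';
        return 0;
    }
    if (n == 15 && t[14] == 'Z') {
        for (int i = 0; i < 14; i++)
            if (t[i] < '0' || t[i] > '9')
                return -1;
        memcpy(out, t, 14);
        out[14] = '\0';
        return 0;
    }
    return -1;
}

/* Chronological comparison of two index.txt timestamps: -1, 0 or 1 like a
 * normalised strcmp; -2 if either timestamp is malformed. */
int db_time_cmp(const char *a, const char *b)
{
    char ea[15], eb[15];
    if (expand_db_time(a, ea) != 0 || expand_db_time(b, eb) != 0)
        return -2;
    int c = strcmp(ea, eb);
    return c < 0 ? -1 : (c > 0 ? 1 : 0);
}

/* Decide whether an index.txt line ("V<TAB>expiry<TAB>revoked<TAB>serial...")
 * describes a certificate that has expired at `now`.
 * Returns 1 if expired, 0 if still valid, -1 if the line cannot be parsed. */
int db_entry_expired(const char *line, const char *now)
{
    const char *tab = strchr(line, '\t');
    if (tab == NULL)
        return -1;
    const char *expiry = tab + 1;
    const char *end = strchr(expiry, '\t');
    size_t len = end ? (size_t)(end - expiry) : strlen(expiry);
    char field[16];
    if (len >= sizeof field)
        return -1;
    memcpy(field, expiry, len);
    field[len] = '\0';
    int c = db_time_cmp(field, now);
    if (c == -2)
        return -1;
    return c < 0;   /* expiry strictly before now -> expired */
}

int main(void)
{
    /* Constructed entries modelled on the one quoted in the thread. */
    const char *entries[] = {
        "V\t000509111506Z\t\t01\tunknown\t/C=IT/O=OpenCA/OU=Developer/CN=example",
        "V\t990101000000Z\t\t02\tunknown\t/C=IT/O=OpenCA/CN=old",
    };
    const char *now = "990510120000Z";   /* 1999-05-10 12:00:00Z, constructed */

    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int r = db_entry_expired(entries[i], now);
        printf("%s\n  -> %s\n", entries[i],
               r < 0 ? "unparsable" : (r ? "EXPIRED" : "valid"));
    }
    return 0;
}
```

Comparing the raw 13-character strings would rank the first entry's "00..." below the 1999 "now" value and mark a certificate valid until 2000 as expired, which is exactly the symptom reported in the quoted message; expanding the century first removes the need for the separate db_y2k/a_y2k flags.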