Indeed it would be a good idea, especially for
RSA_generate_key, since people have to generate their
key thru an interface that is extern to OpenSSL, then
sign their CSR with that key using OpenSSL, when
everything could be implemented within OpenSSL.
The major benefit would come for, a PKI
For now, I've added a note in the documentation of RSA_check_key()
that explains that it doesn't work properly for hard keys and why.
We will ponder a little more on this issue.
[[EMAIL PROTECTED] - Wed Jun 19 09:52:27 2002]:
It wouldn't take much to make this function
compatible, or the
Just attaching a little more state to this ticket ...
[[EMAIL PROTECTED] - Wed Jun 19 09:52:27 2002]:
The problem is that the use oF engines should be
totaly transparent to the higher API, but apparently
it's not.
I don't call RSA_check_key for a hardware key, I call
it for my CA private
OK, I'm going to close this ticket down now as we have at least solved
the bug, albeit that it was a bit of a short-cut ... we documented the
existing behaviour rather than changing it :-)
If anyone feels strongly that this is not resolved until
RSA_check_key() is modified to use a new
Indeed it would be a good idea, especially for
RSA_generate_key, since people have to generate their
key thru an interface that is extern to OpenSSL, then
sign their CSR with that key using OpenSSL, when
everything could be implemented within OpenSSL.
The major benefit would come for, a PKI
Calling all algebraic coders ...
[snip]
I would suggest the following for checking RSA public keys:
1) that the public exponent e satisfies 3 = e n and that
e is odd (PKCS#1) [this doesn't prevent low exponent
attacks however]
2) that the modulus n is not a probable prime
Hi there,
On Wed, 19 Jun 2002, Giudicelli Frédéric via RT wrote:
The problem is that the use oF engines should be
totaly transparent to the higher API, but apparently
it's not.
The problem is RSA_check_key() is not a general transparent RSA
function, it's designed (it would seem) to check
Date sent: Thu, 20 Jun 2002 15:02:36 -0400 (EDT)
From: Geoff Thorpe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:Re: [openssl.org #86] Bug in RSA_check_key
Send reply to: [EMAIL PROTECTED]
Just my two cents
From: Geoff Thorpe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [openssl.org #86] Bug in RSA_check_key Date: Thu, 20 Jun 2002
15:02:36 -0400 (EDT)
.
*Maybe* ... but even then it doesn't solve the case of public keys.
Moreover, how do you
Hi,
On Thu, 20 Jun 2002, a y wrote:
*Maybe* ... but even then it doesn't solve the case of public keys.
Moreover, how do you actually test a public key? What does check
actually mean in this case?
.
Cheers,
Geoff
I would suggest the following for checking RSA public keys:
/06/02 -0500, you wrote:
Date sent: Thu, 20 Jun 2002 15:02:36 -0400 (EDT)
From: Geoff Thorpe [EMAIL PROTECTED]
To:[EMAIL PROTECTED]
Subject: Re: [openssl.org #86] Bug in RSA_check_key
Send reply to: [EMAIL PROTECTED]
Just my two
The problem is that the use oF engines should be
totaly transparent to the higher API, but apparently
it's not.
I don't call RSA_check_key for a hardware key, I call
it for my CA private key, and I don't know if it's a
hardware or software key since it's transparent.
I'm supposed to be able to
Hi there,
I've taken ownership of this ticket (#86) for now, but I don't think
it'll last long.
IMHO, this bug is not a bug. If you look at the implementation of
RSA_check_key() you'll realise that this function is designed to test an
RSA key structure - not just the essential key elements
This sounds like the same old problem with passing an RSA public key to this
function and getting a segv, which seems to bite new users quite often. Can
this function be fixed to do a sanity check on the key before proceeding? I
assume it's the same with a hardware key. If a user ends up with
[[EMAIL PROTECTED] - Fri Jun 7 09:14:53 2002]:
If the key is loaded via an ENGINE, openssl crashes
because of a segfault (function BN_num_bits
crypto/bn/bn_lib.c:252).
Explanation: When loading a key from an engine the p q
and d members of the RSA struct are never set.
However
openssl-0.9.7-beta1
___
Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français !
Yahoo! Mail : http://fr.mail.yahoo.com
__
OpenSSL Project
If the key is loaded via an ENGINE, openssl crashes
because of a segfault (function BN_num_bits
crypto/bn/bn_lib.c:252).
Explanation: When loading a key from an engine the p q
and d members of the RSA struct are never set.
However RSA_check_key never checked to make sure those
members a
17 matches
Mail list logo
