Package: opensc
Severity: grave
Tags: security
Tags: patch
Hi,
There is a vulnerability in opensc. Details are:
| The security problem in short: you need a combination of
| 1.) a tool that startes a key generation with public exponent set to 1
| (an invalid value that causes an insecure rsa key)
| 2.) a PKCS#11 module that accepts that this public exponent and forwards
| it to the card
| 3.) a card that accepts the public exponent and generates the rsa key.
|
| OpenSC is insecure because due to a code bug in pkcs11-tool it had
| the wrong public exponent. But OpenSC PKCS#11 module is secure, it
| ignores the public exponent. So only if you generate your keys with
| pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if
| you used it with sone other vendors PKCS#11 module, and only if the
| card accepted the bogus value too, then your rsa key is unsecure.
|
| you can easily verify keys by looking at the rsa public key or a
| certificate or certificate request, for example the openssl command
| line tools can print the content in plain text. public Exponent = 1
| is bad (3 and higher are accepted values, 65537 or higher is suggested
| by the NIST).
|
| Here is the full security advisory. No CVE included, as I was not able
| to get one from distributions, vendor-sec or mitre.
|
| OpenSC Security Advisory [07-May-2009]
| ======================================
|
| pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537
|
| OpenSC includes a tool for testing its PKCS#11 module called
| pkcs11-tool. This command line tool includes the ability to ask the
| PKCS#11 module to generate an RSA key pair. The tool used to default to a key
size
| of 768 bits and a public exponent of 3. These values are considered
| small but ok. In december 2008 a change (SVN commit 3602) changed
| these values to more secure default values of 1024 bit key size
| and a public exponent of 65537. A bug in that code however caused
| the default public exponent to be 1. That value is invalid and
| insecure, a message encrypted with it will be unencrypted.
|
| If pkcs11-tool is used with the PKCS#11 module included in OpenSC,
| there is no security issue, as OpenSC PKCS#11 module ignores any
| public exponent passed to it. Only when pkcs11-tool is used with
| other third party PKCS#11 Modules the problem comes up.
|
| Thanks to Miquel Comas MartÃ, who found and fixed this bug and
| contacted us on May 7th, 2009.
|
| This bug only affects users of OpenSC SVN trunk or OpenSC release
| 0.11.7. Older releases do not contain this problem, and the new
| OpenSC release 0.11.8 fixes this problem. Only users of the command
| line tool "pkcs11-tool" are affected by this problem, and only the
| generate rsa key pair function is affected ("--keypairgen" or "-k").
| There is no option to configure the public exponent using the
| command line tool, so all such uses are affected.
|
| The command line tool "pkcs11-tool" can be used with the OpenSC
| PKCS#11 Module "opensc-pkcs11.so" or "opensc-pkcs11.dll" or with any
| other PKCS#11 module. Only when used with other PKCS#11 module the
| problem arrises, as the OpenSC PKCS#11 Module ignores the public
| exponent passed to it.
|
| If you use a third party PKCS#11 Module with pkcs11-tool you
| can use openssl with engine_pkcs11 to create a certificate
| signing request and then use openssl to analyze that csr,
| for example
| openssl req -in req.pem -noout -text
| ...
| Exponent: 1 (0x1)
| ...
|
| Would show the problem.
Please coordinate with the security team (t...@security.debian.org)
to prepare updates for the stable releases.
A patch that fixes the problem follows:
--- src/tools/pkcs11-tool.c (Revision 3687)
+++ src/tools/pkcs11-tool.c (Revision 3688)
@@ -1035,7 +1035,7 @@
{
CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR,
0}; CK_ULONG modulusBits = 1024;
- CK_BYTE publicExponent[] = { 65537 };
+ CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in
bytes */ CK_BBOOL _true = TRUE;
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
