There's no need to prepare a stable update, since this only affects
version 0.11.7, which isn't in stable.

* Michael S. Gilbert (michael.s.gilb...@gmail.com) wrote:
> Package: opensc
> Severity: grave
> Tags: security
> Tags: patch
> 
> Hi,
> 
> There is a vulnerability in opensc.  Details are:
> 
> | The security problem in short: you need a combination of
> | 1.) a tool that starts a key generation with public exponent set to 1
> |     (an invalid value that causes an insecure rsa key)
> | 2.) a PKCS#11 module that accepts that this public exponent and forwards
> |     it to the card
> | 3.) a card that accepts the public exponent and generates the rsa key.
> | 
> | OpenSC is insecure because due to a code bug in pkcs11-tool it had
> | the wrong public exponent. But OpenSC PKCS#11 module is secure, it
> | ignores the public exponent. So only if you generate your keys with
> | pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if
> | you used it with some other vendor's PKCS#11 module, and only if the
> | card accepted the bogus value too, then your rsa key is insecure.
> |
> | you can easily verify keys by looking at the rsa public key or a
> | certificate or certificate request, for example the openssl command
> | line tools can print the content in plain text. public Exponent = 1
> | is bad (3 and higher are accepted values, 65537 or higher is suggested
> | by the NIST). 
> |
> | Here is the full security advisory. No CVE included, as I was not able
> | to get one from distributions, vendor-sec or mitre.
> |
> | OpenSC Security Advisory [07-May-2009]
> | ======================================
> | 
> | pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537
> |
> | OpenSC includes a tool for testing its PKCS#11 module called
> | pkcs11-tool. This command line tool includes the ability to ask the
> | PKCS#11 module to generate an RSA key pair. The tool used to default to a key size
> | of 768 bits and a public exponent of 3. These values are considered
> | small but ok. In December 2008 a change (SVN commit 3602) changed
> | these values to more secure default values of 1024 bit key size
> | and a public exponent of 65537. A bug in that code however caused
> | the default public exponent to be 1. That value is invalid and
> | insecure, a message encrypted with it will be unencrypted.
> |
> | If pkcs11-tool is used with the PKCS#11 module included in OpenSC,
> | there is no security issue, as OpenSC PKCS#11 module ignores any
> | public exponent passed to it. Only when pkcs11-tool is used with
> | other third party PKCS#11 Modules the problem comes up.
> |
> | Thanks to Miquel Comas Martí, who found and fixed this bug and
> | contacted us on May 7th, 2009.
> | 
> | This bug only affects users of OpenSC SVN trunk or OpenSC release
> | 0.11.7. Older releases do not contain this problem, and the new
> | OpenSC release 0.11.8 fixes this problem. Only users of the command
> | line tool "pkcs11-tool" are affected by this problem, and only the
> | generate rsa key pair function is affected ("--keypairgen" or "-k").
> | There is no option to configure the public exponent using the
> | command line tool, so all such uses are affected.
> |
> | The command line tool "pkcs11-tool" can be used with the OpenSC
> | PKCS#11 Module "opensc-pkcs11.so" or "opensc-pkcs11.dll" or with any
> | other PKCS#11 module. Only when used with other PKCS#11 module the
> | problem arrises, as the OpenSC PKCS#11 Module ignores the public
> | exponent passed to it.
> |
> | If you use a third party PKCS#11 Module with pkcs11-tool you
> | can use openssl with engine_pkcs11 to create a certificate
> | signing request and then use openssl to analyze that csr,
> | for example
> |   openssl req -in req.pem -noout -text
> |   ...
> |                 Exponent: 1 (0x1)
> |   ...
> |   
> | Would show the problem.
> 
> Please coordinate with the security team (t...@security.debian.org)
> to prepare updates for the stable releases.
> 
> A patch that fixes the problem follows:
> --- src/tools/pkcs11-tool.c   (Revision 3687)
> +++ src/tools/pkcs11-tool.c   (Revision 3688)
> @@ -1035,7 +1035,7 @@
>  {
>       CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR,
> 0}; CK_ULONG modulusBits = 1024;
> -     CK_BYTE publicExponent[] = { 65537 };
> +     CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in
> bytes */ CK_BBOOL _true = TRUE;
>       CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
>       CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
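Review bot: the replacement is correct but the hunk does not show the CKA_PUBLIC_EXPONENT entry of the key template, so please confirm it passes `sizeof(publicExponent)` rather than a hard-coded 1, since the array grows from one byte to three. The root cause is visible in the removed line: `CK_BYTE publicExponent[] = { 65537 };` initialises a single unsigned char, and 65537 (0x10001) is silently truncated to 0x01, which is exactly the exponent-1 key the advisory describes; the new `{ 0x01, 0x00, 0x01 }` is the big-endian encoding PKCS#11 expects for a big-integer attribute. Consider building with the compiler's overflow-in-initialiser warning enabled (e.g. gcc -Woverflow) so a constant that does not fit its type is reported instead of truncated.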
> 
> 

-- 
Eric Dorland <e...@kuroneko.ca>
ICQ: #61138586, Jabber: ho...@jabber.com
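Added example, not code from OpenSC, the advisory, or either mail: a short Python check that reproduces the CK_BYTE truncation behind the bug, encodes and decodes CKA_PUBLIC_EXPONENT as the big-endian byte array PKCS#11 uses, applies the acceptance rule the advisory states (1 invalid, 3 and higher accepted, 65537 suggested) to an exponent parsed from `openssl ... -noout -text` output, and shows with the textbook toy modulus why e = 1 leaves a message in the clear. The openssl output embedded below is constructed for the example, not captured from a real key, and all function names are my own.

```python
# Added example: not OpenSC code. Reproduces the pkcs11-tool 0.11.7 defect
# (publicExponent 1 instead of 65537) and the key check the advisory suggests.
import re

# --- 1. The C bug: CK_BYTE publicExponent[] = { 65537 } ------------------
def ck_byte_array_literal(initialisers):
    """Emulate a C `CK_BYTE arr[] = { ... }` initialiser. CK_BYTE is an
    unsigned char, so each value is silently truncated to its low 8 bits:
    65537 == 0x10001 becomes the single byte 0x01."""
    return bytes(v & 0xFF for v in initialisers)

def decode_public_exponent(buf):
    """CKA_PUBLIC_EXPONENT is a PKCS#11 'Big integer': big-endian bytes."""
    if not buf:
        raise ValueError("empty CKA_PUBLIC_EXPONENT")
    return int.from_bytes(buf, "big")

def encode_public_exponent(e):
    """Inverse of decode_public_exponent: minimal big-endian encoding,
    e.g. 65537 -> b'\\x01\\x00\\x01' (the bytes used in revision 3688)."""
    if e < 1:
        raise ValueError("public exponent must be positive")
    return e.to_bytes((e.bit_length() + 7) // 8, "big")

# --- 2. Acceptance rule as stated in the advisory -------------------------
RECOMMENDED_E = 65537

def check_public_exponent(e):
    """Return (accepted, reason)."""
    if e == 1:
        return False, "e=1: c = m^1 mod n is m itself, nothing is encrypted"
    if e < 3 or e % 2 == 0:
        return False, "e=%d: not an odd integer >= 3, no inverse mod phi(n)" % e
    if e < RECOMMENDED_E:
        return True, "e=%d accepted but small; %d is recommended" % (e, RECOMMENDED_E)
    return True, "ok"

# --- 3. Read the exponent out of `openssl req|x509|rsa ... -noout -text` --
EXPONENT_RE = re.compile(r"^\s*Exponent:\s*(\d+)", re.MULTILINE)

def exponent_from_openssl_text(text):
    m = EXPONENT_RE.search(text)
    if m is None:
        raise ValueError("no 'Exponent:' line found in openssl -text output")
    return int(m.group(1))

def audit_openssl_text(text):
    """Parse and check in one call; feed it the output of
    `openssl req -in req.pem -noout -text` (or x509 / rsa -pubin)."""
    return check_public_exponent(exponent_from_openssl_text(text))

# Constructed sample (not real openssl output from any key), modelled on the
# excerpt in the advisory: a CSR made with a key whose exponent is 1.
CONSTRUCTED_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=token-test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c7:...
                Exponent: 1 (0x1)
"""

# --- 4. Why e=1 is fatal: textbook toy modulus ----------------------------
TOY_N = 61 * 53   # 3233, the usual textbook example; real keys are 1024+ bits

def rsa_encrypt(m, e, n=TOY_N):
    """Textbook RSA c = m^e mod n (no padding; illustration only).
    With e=1 the ciphertext equals the plaintext."""
    return pow(m, e, n)

if __name__ == "__main__":
    buggy = ck_byte_array_literal([65537])             # what 0.11.7 shipped
    fixed = ck_byte_array_literal([0x01, 0x00, 0x01])  # revision 3688
    print("buggy bytes %r -> e=%d" % (buggy, decode_public_exponent(buggy)))
    print("fixed bytes %r -> e=%d" % (fixed, decode_public_exponent(fixed)))
    print("CSR audit:", audit_openssl_text(CONSTRUCTED_CSR_TEXT))
    print("m=65, e=1  -> c=%d" % rsa_encrypt(65, 1))
    print("m=65, e=17 -> c=%d" % rsa_encrypt(65, 17))
```

To audit keys that were generated through a third-party module with the affected pkcs11-tool, pipe the text form of the public key, CSR or certificate into audit_openssl_text; a False result on an existing key means the key must be regenerated, since no fix to the tool repairs a key that already has e = 1.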
