There's no need to prepare a stable update, since this only affects version 0.11.7, which isn't in stable.
* Michael S. Gilbert (michael.s.gilb...@gmail.com) wrote: > Package: opensc > Severity: grave > Tags: security > Tags: patch > > Hi, > > There is a vulnerability in opensc. Details are: > > | The security problem in short: you need a combination of > | 1.) a tool that startes a key generation with public exponent set to 1 > | (an invalid value that causes an insecure rsa key) > | 2.) a PKCS#11 module that accepts that this public exponent and forwards > | it to the card > | 3.) a card that accepts the public exponent and generates the rsa key. > | > | OpenSC is insecure because due to a code bug in pkcs11-tool it had > | the wrong public exponent. But OpenSC PKCS#11 module is secure, it > | ignores the public exponent. So only if you generate your keys with > | pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if > | you used it with sone other vendors PKCS#11 module, and only if the > | card accepted the bogus value too, then your rsa key is unsecure. > | > | you can easily verify keys by looking at the rsa public key or a > | certificate or certificate request, for example the openssl command > | line tools can print the content in plain text. public Exponent = 1 > | is bad (3 and higher are accepted values, 65537 or higher is suggested > | by the NIST). > | > | Here is the full security advisory. No CVE included, as I was not able > | to get one from distributions, vendor-sec or mitre. > | > | OpenSC Security Advisory [07-May-2009] > | ====================================== > | > | pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537 > | > | OpenSC includes a tool for testing its PKCS#11 module called > | pkcs11-tool. This command line tool includes the ability to ask the > | PKCS#11 module to generate an RSA key pair. The tool used to default to a > key size > | of 768 bits and a public exponent of 3. These values are considered > | small but ok. In december 2008 a change (SVN commit 3602) changed > | these values to more secure default values of 1024 bit key size > | and a public exponent of 65537. A bug in that code however caused > | the default public exponent to be 1. That value is invalid and > | insecure, a message encrypted with it will be unencrypted. > | > | If pkcs11-tool is used with the PKCS#11 module included in OpenSC, > | there is no security issue, as OpenSC PKCS#11 module ignores any > | public exponent passed to it. Only when pkcs11-tool is used with > | other third party PKCS#11 Modules the problem comes up. > | > | Thanks to Miquel Comas MartÃ, who found and fixed this bug and > | contacted us on May 7th, 2009. > | > | This bug only affects users of OpenSC SVN trunk or OpenSC release > | 0.11.7. Older releases do not contain this problem, and the new > | OpenSC release 0.11.8 fixes this problem. Only users of the command > | line tool "pkcs11-tool" are affected by this problem, and only the > | generate rsa key pair function is affected ("--keypairgen" or "-k"). > | There is no option to configure the public exponent using the > | command line tool, so all such uses are affected. > | > | The command line tool "pkcs11-tool" can be used with the OpenSC > | PKCS#11 Module "opensc-pkcs11.so" or "opensc-pkcs11.dll" or with any > | other PKCS#11 module. Only when used with other PKCS#11 module the > | problem arrises, as the OpenSC PKCS#11 Module ignores the public > | exponent passed to it. > | > | If you use a third party PKCS#11 Module with pkcs11-tool you > | can use openssl with engine_pkcs11 to create a certificate > | signing request and then use openssl to analyze that csr, > | for example > | openssl req -in req.pem -noout -text > | ... > | Exponent: 1 (0x1) > | ... > | > | Would show the problem. > > Please coordinate with the security team (t...@security.debian.org) > to prepare updates for the stable releases. > > A patch that fixes the problem follows: > --- src/tools/pkcs11-tool.c (Revision 3687) > +++ src/tools/pkcs11-tool.c (Revision 3688) > @@ -1035,7 +1035,7 @@ > { > CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, > 0}; CK_ULONG modulusBits = 1024; > - CK_BYTE publicExponent[] = { 65537 }; > + CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in > bytes */ CK_BBOOL _true = TRUE; > CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; > CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; > > -- Eric Dorland <e...@kuroneko.ca> ICQ: #61138586, Jabber: ho...@jabber.com
signature.asc
Description: Digital signature