Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 May 2009 08:42:17 +0200
From: Andreas Jellinghaus <aj@...geon.inka.de>
To: oss-security@...ts.openwall.com
Subject: OpenSC 0.11.8 released with security update

OpenSC 0.11.8 was released yesterday with a security update.

The security problem in short: you need a combination of
1.) a tool that startes a key generation with public exponent set to 1
    (an invalid value that causes an insecure rsa key)
2.) a PKCS#11 module that accepts that this public exponent and forwards
    it to the card
3.) a card that accepts the public exponent and generates the rsa key.

OpenSC is insecure because due to a code bug in pkcs11-tool it had
the wrong public exponent. But OpenSC PKCS#11 module is secure, it
ignores the public exponent. So only if you generate your keys with
pkcs11-tool from OpenSC 0.11.7 (which very few people do), and only if
you used it with sone other vendors PKCS#11 module, and only if the
card accepted the bogus value too, then your rsa key is unsecure.

you can easily verify keys by looking at the rsa public key or a
certificate or certificate request, for example the openssl command
line tools can print the content in plain text. public Exponent = 1
is bad (3 and higher are accepted values, 65537 or higher is suggested
by the NIST). 

Here is the full security advisory. No CVE included, as I was not able
to get one from distributions, vendor-sec or mitre.

OpenSC Security Advisory [07-May-2009]
======================================

pkcs11-tool generates RSA keys with publicExponent 1 instead of 65537

OpenSC includes a tool for testing its PKCS#11 module called pkcs11-tool.
This command line tool includes the ability to ask the PKCS#11 module
to generate an RSA key pair. The tool used to default to a key size
of 768 bits and a public exponent of 3. These values are considered
small but ok. In december 2008 a change (SVN commit 3602) changed
these values to more secure default values of 1024 bit key size
and a public exponent of 65537. A bug in that code however caused
the default public exponent to be 1. That value is invalid and
insecure, a message encrypted with it will be unencrypted.

If pkcs11-tool is used with the PKCS#11 module included in OpenSC,
there is no security issue, as OpenSC PKCS#11 module ignores any
public exponent passed to it. Only when pkcs11-tool is used with
other third party PKCS#11 Modules the problem comes up.

Thanks to Miquel Comas Martí, who found and fixed this bug and
contacted us on May 7th, 2009.

This bug only affects users of OpenSC SVN trunk or OpenSC release
0.11.7. Older releases do not contain this problem, and the new
OpenSC release 0.11.8 fixes this problem. Only users of the command
line tool "pkcs11-tool" are affected by this problem, and only the
generate rsa key pair function is affected ("--keypairgen" or "-k").
There is no option to configure the public exponent using the
command line tool, so all such uses are affected.

The command line tool "pkcs11-tool" can be used with the OpenSC
PKCS#11 Module "opensc-pkcs11.so" or "opensc-pkcs11.dll" or with any
other PKCS#11 module. Only when used with other PKCS#11 module the
problem arrises, as the OpenSC PKCS#11 Module ignores the public
exponent passed to it.

If you use a third party PKCS#11 Module with pkcs11-tool you
can use openssl with engine_pkcs11 to create a certificate
signing request and then use openssl to analyze that csr,
for example
  openssl req -in req.pem -noout -text
  ...
                Exponent: 1 (0x1)
  ...
  
Would show the problem.

The problem is fixed with the new OpenSC release 0.11.8
available on http://www.opensc-project.org/ or here:
http://www.opensc-project.org/files/opensc/opensc-0.11.8.tar.gz

md5sum opensc-0.11.8.tar.gz 
a269b478b18dddb648b9bd930206b5a8  opensc-0.11.8.tar.gz

sha1sum opensc-0.11.8.tar.gz 
4a320b0cc3bc3de5843ab6af677093d98d4cf318  opensc-0.11.8.tar.gz

sha256sum opensc-0.11.8.tar.gz 
3713eff46d231e0b37c1fdba3d3d640716fe0edd875df57578643f0d9f221361

If you prefer to patch your source code, please apply this patch:
--- src/tools/pkcs11-tool.c	(Revision 3687)
+++ src/tools/pkcs11-tool.c	(Revision 3688)
@@ -1035,7 +1035,7 @@
 {
 	CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
 	CK_ULONG modulusBits = 1024;
-	CK_BYTE publicExponent[] = { 65537 };
+	CK_BYTE publicExponent[] = { 0x01, 0x00, 0x01 }; /* 65537 in bytes */
 	CK_BBOOL _true = TRUE;
 	CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
 	CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;

Contact and Feedback
====================

If you have questions or feedback, please do not hesitate to contact us on our 
mailing lists "opensc-devel" or "opensc-user". You need to subscribe to these 
lists before posting, as we are getting a lot of spam each day and do not have 
the resource to sort out valid email.

Also our wiki and bug trackers are only working for old users. New users can't
register at the moment, both wiki and the bug tracker was spammed too much.
Please send an email to the mailing list and we can manually create a user for 
you.

Regards, Andreas Jellinghaus
aj at opensc-project.org

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.