cacert-devel - Request for CAcert blog entry to explain consequences of fix for Bug #1255
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-devel AT lists.cacert.org, pr AT cacert.org
  • Subject: Request for CAcert blog entry to explain consequences of fix for Bug #1255
  • Date: Mon, 10 Mar 2014 18:13:02 +0100
  • Organization: CAcert

Hi there,

Would any of you be so kind as to write a lengthy blog entry to inform
all CAcert users of the consequences of the changes in the CAcert
application code as a result of implementing a fix for
https://bugs.cacert.org/view.php?id=1255 ?
Please check the message forwarded below for the relevant details.

Thanks!
-- wytze
--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Benny Baumann <benbe AT cacert.org>, "critical-admin AT cacert.org" <critical-admin AT cacert.org>
  • Cc: Michael Tänzer <michael.taenzer AT cacert.org>, Eva Stöwe <estoewe AT cacert.org>, Marcus Mängel <inopiae AT cacert.org>, Martin Gummi <martin.gummi AT cacert.org>
  • Subject: Re: Patch Request Bug #1255
  • Date: Mon, 10 Mar 2014 18:08:10 +0100
  • Organization: CAcert
Hi Benny,

Benny Baumann wrote on 9-3-2014 23:02:
> the SoftWare Assessment Team has a patch for bug #1255 due to which all
> checks on the strength of the key material were omitted if the key was
> not an RSA key[1].
>
> While some people argued that people who used DSA usually "knew what
> they were doing" this still has to be considered a violation of our
> policy and CPS as well as the baseline requirements set by the
> CA/Browser forum.
>
> Therefore find attached a patch for this issue which, if applied, refuses
> to sign any key material we couldn't validate (e.g. unknown key format)
> or which we know to be weak (e.g. Debian Weak Keys, short keys).
>
> In addition, although the patch implements DSA key validation this part
> of the patch is NOT activated due to a bug with OpenSSL which causes
> certificate signing requests for DSA certificates with keys 2048 bit or
> more to keep pending (internally they fail to verify the CSR). Thus
> since everything below 2048 bit is disallowed and everything with 2048
> bits and more fails to sign there will be NO DSA certificates until
> further notice.

The patch has been installed on the production server on March 10, 2014.
See also the attached log message.

> When applying this patch, please install and activate, as prepared by
> request of my previous mails, the php-gmp extension for PHP. These
> functions are currently only used in the DSA part of the patch, but
> should be present in case the OpenSSL issue regarding DSA gets fixed and
> this section gets activated.

The php5-gmp package has been installed and activated on the production
server on March 10, 2014. See also the attached log message.

> Please rebuild the translations to incorporate the new strings for our
> translators to work on - well, there are some additional error messages
> you can get when signing a certificate now ;-)

I've uploaded and downloaded the translations as usual.

> Once the patch is live forward this message to cacert-devel and ask PR
> kindly __to write a lengthy blog entry__ informing people of these changes.

Will do so in a minute :-)

Regards,
-- wytze

--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-systemlog AT lists.cacert.org
  • Subject: Fwd: cvs.cacert.org checkin notification
  • Date: Mon, 10 Mar 2014 17:57:51 +0100
  • Organization: CAcert
Fix for https://bugs.cacert.org/view.php?id=1255
"DSA certificate issuing ignores key strength"

In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php

-- end
--- Begin Message ---
  • From: "root" <root AT cvs.cacert.org>
  • To: critical-admin AT cacert.org
  • Subject: cvs.cacert.org checkin notification
  • Date: Mon, 10 Mar 2014 17:32:08 +0100 (CET)

uid=0(root) gid=0(root) groups=0(root)
check_weak_key.php 1.2 1.3
Mon Mar 10 17:32:08 CET 2014
Update of /var/lib/cvs/cacert/includes/lib
In directory webdb:/home/cacert/www/includes/lib

Modified Files:
check_weak_key.php
Log Message:
Fix for https://bugs.cacert.org/view.php?id=1255
"DSA certificate issuing ignores key strength"

===================================================================
RCS file: /var/lib/cvs/cacert/includes/lib/check_weak_key.php,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- check_weak_key.php 2013/10/16 10:44:26 1.2
+++ check_weak_key.php 2014/03/10 16:32:07 1.3
@@ -128,15 +128,14 @@

if ($algorithm === "rsaEncryption")
{
- if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m',
$text,
- $keysize))
+ if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m',
$text, $keysize))
{
return failWithId("checkWeakKeyText(): Couldn't parse
the RSA ".
"key size.\nData:\n$text");
} else {
$keysize = intval($keysize[1]);
}
-
+
if ($keysize < 2048)
{
return sprintf(_("The keys that you use are very
small ".
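Review bot: Whitespace-only hunk: the preg_match call is re-wrapped and a blank line re-indented, and the next two hunks are equally cosmetic. Folding formatting churn into the fix for a key-validation bypass makes the one behavioural hunk (the last) harder to audit; split the reformatting into its own commit, or state in the log message that these hunks change no logic.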
@@ -146,8 +145,7 @@
"<a
href='//wiki.cacert.org/WeakKeys#SmallKey'>",
"</a>");
}
-
-
+
$debianVuln = checkDebianVulnerability($text, $keysize);
if ($debianVuln === true)
{
@@ -165,7 +163,7 @@

"checkDebianVulnerability().\nKeysize: $keysize\n".
"Data:\n$text");
}
-
+
if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m',
$text,
$exponent))
{
@@ -187,9 +185,9 @@
"<a
href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
"</a>");
} elseif (!(bccomp($exponent, "65537") >= 0 &&
- (bccomp($exponent, "100000") === -1 ||
- // speed things up if way smaller than 2^256
- bccomp($exponent, bcpow("2", "256")) === -1) )) {
+ (bccomp($exponent, "100000") === -1 ||
+ // speed things up if way smaller
than 2^256
+ bccomp($exponent, bcpow("2", "256"))
=== -1) )) {
// 65537 <= exponent < 2^256 recommended by
NIST
// not critical but log so we have some
statistics about
// affected users
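Review bot: The out-of-range exponent branch (`elseif (!(bccomp($exponent, "65537") >= 0 && ... ))`) still only logs, per its own comment ("not critical but log so we have some statistics"), rather than returning an error, so an RSA key with an exponent at or above 2^256 is still signed, while the sibling branch above rejects small exponents with the SmallExponent wiki link. Since this patch is explicitly about refusing key material that fails validation, either document that large exponents remain accepted by policy or make this branch return like its sibling. The hunk itself only re-indents the condition.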
@@ -198,10 +196,83 @@
E_USER_NOTICE);
}
}
- }

- /* No weakness found */
- return "";
+ // No weakness found
+ return "";
+ } // End RSA
+
+/*
+//Fails to work due to outdated OpenSSL 0.9.8o
+//For this to work OpenSSL 1.0.1f or newer is required
+//which is currently unavailable on the systems
+//If DSA2048 or longer is used the CSR hangs pending on the signer.
+ if ($algorithm === "dsaEncryption")
+ {
+ if (!preg_match('/^\s*Public Key
Algorithm:\s+dsaEncryption\s+pub:\s+([0-9a-fA-F:\s]+)\s+P:\s+([0-9a-fA-F:\s]+)\s+Q:\s+([0-9a-fA-F:\s]+)\s+G:\s+([0-9a-fA-F:\s]+)\s+$/sm',
$text, $keydetail))
+ {
+ return failWithId("checkWeakKeyText(): Couldn't parse
the DSA ".
+ "key size.\nData:\n$text");
+ }
+
+ $key_pub = strtr(preg_replace("/[^0-9a-fA-F]/", "",
$keydetail[1]), "ABCDEF", "abcdef");
+ $key_P = strtr(preg_replace("/[^0-9a-fA-F]/", "",
$keydetail[2]), "ABCDEF", "abcdef");
+ $key_Q = strtr(preg_replace("/[^0-9a-fA-F]/", "",
$keydetail[3]), "ABCDEF", "abcdef");
+ $key_G = strtr(preg_replace("/[^0-9a-fA-F]/", "",
$keydetail[4]), "ABCDEF", "abcdef");
+
+ //Verify the numbers provided by the client
+ $num_pub = @gmp_init($key_pub, 16);
+ $num_P = @gmp_init($key_P, 16);
+ $num_Q = @gmp_init($key_Q, 16);
+ $num_G = @gmp_init($key_G, 16);
+
+ $bit_P = ltrim(gmp_strval($num_P, 2), "0");
+ $keysize = strlen($bit_P);
+
+ if ($keysize < 2048) {
+ return sprintf(_("The keys that you use are very
small ".
+ "and therefore insecure.
Please generate stronger ".
+ "keys. More information about
this issue can be ".
+ "found in %sthe wiki%s"),
+ "<a
href='//wiki.cacert.org/WeakKeys#SmallKey'>",
+ "</a>");
+ }
+
+ //Following checks based on description of key generation in
Wikipedia
+ //These checks do not ensure a strong key, but at least check
for enough sanity in the key material
+ // cf.
https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Key_generation
+
+ //Check that P is prime
+ if(!gmp_testprime($num_P)) {
+ return failWithId("checkWeakKeyText(): The supplied
DSA ".
+ "key does seem to have a non-prime
public modulus.\nData:\n$text");
+ }
+
+ //Check that Q is prime
+ if(!gmp_testprime($num_Q)) {
+ return failWithId("checkWeakKeyText(): The supplied
DSA ".
+ "key does seem to have a non-prime
Q-value.\nData:\n$text");
+ }
+
+ //Check if P-1 is diviseable by Q
+ if(0 !== gmp_cmp("1", gmp_mod($num_P, $num_Q))) {
+ return failWithId("checkWeakKeyText(): The supplied
DSA ".
+ "key does seem to have P mod Q === 1
(i.e. P-1 is not diviseable by Q).\nData:\n$text");
+ }
+
+ //Check the numbers are all less than the public modulus P
+ if(0 <= gmp_cmp($num_Q, $num_P) || 0 <= gmp_cmp($num_G,
$num_P) || 0 <= gmp_cmp($num_pub, $num_P)) {
+ return failWithId("checkWeakKeyText(): The supplied
DSA ".
+ "key does seem to be normalized to
have Q < P, G < P and pub < P.\nData:\n$text");
+ }
+
+ // No weakness found
+ return "";
+ } // End DSA
+*/
+
+
+ return _("The keys you supplied use an unrecognized algorithm. ".
+ "For security reasons these keys can not be signed by
CAcert.");
}

/**
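Review bot: The P-1 divisibility check in the commented-out DSA block carries an error message that states the opposite of its condition: `if(0 !== gmp_cmp("1", gmp_mod($num_P, $num_Q)))` fails when P mod Q is not 1, yet the message says the key "does seem to have P mod Q === 1"; it should read "P mod Q !== 1" (and "diviseable" should be "divisible" in both the comment and the message). Three further points before this block is ever uncommented: (1) the range check enforces only upper bounds (Q < P, G < P, pub < P), so G = 1 or pub = 1 passes, and nothing verifies that G actually generates the order-Q subgroup; add `gmp_cmp($num_G, "1") > 0`, the same for $num_pub, and `gmp_cmp(gmp_powm($num_G, $num_Q, $num_P), "1") === 0`, and consider a minimum size for Q as well as for P. (2) `@gmp_init()` suppresses errors and returns false on malformed hex, after which gmp_strval()/gmp_testprime() are handed false; test each result `=== false` and return failWithId() instead. (3) The only live behavioural change is the relocation of `return "";` from after the RSA branch (where it let every non-RSA key through as "no weakness found") to inside it, with the new fall-through `return _("The keys you supplied use an unrecognized algorithm. ...")` for everything else; that is what actually closes #1255, and the log message should say so, since a reader skimming 73 added lines will assume DSA validation went live.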

--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---
--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-systemlog AT lists.cacert.org
  • Subject: configuration change webdb server
  • Date: Mon, 10 Mar 2014 17:56:28 +0100
  • Organization: CAcert
The Debian package php5-gmp has been installed on the webdb server,
and the crucial parts have been propagated to the CAcert application
environment under chroot /home/cacert. This package is needed to
support the application code fix for
https://bugs.cacert.org/view.php?id=1255

Affected files:
files installed by "apt-get install php5-gmp"
/root/chroot/pkg-conform (also in SVN)
/home/cacert/etc/php/conf.d/gmp.ini
/home/cacert/usr/lib/php5/20090626/gmp.so

These changes have also been applied to the cacert[12] test servers.

-- end

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature
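The policy this thread describes, refuse to sign any key material that cannot be parsed or validated and reject keys known to be weak, as an added, stand-alone illustration in Python. It is not CAcert's check_weak_key.php and not code from anyone in this thread. The thresholds follow the patch (2048-bit minimum for RSA and DSA, RSA exponent in [65537, 2^256), though the patch only logs exponents at the top of that range while this example refuses them), the parser reads the `openssl req -text` layout the patch's regular expressions expect, and the DSA checks are the ones in the disabled block plus the subgroup-order checks it lacks. Both sample key texts are constructed; the DSA sample uses toy parameters (P=23, Q=11, G=4, pub=18) so that the structural checks can be exercised with the size threshold lowered.

```python
"""Key-strength gate modelled on the behaviour described for CAcert's
check_weak_key.php (added illustration, not CAcert code).  Input is the text
form of a CSR as printed by `openssl req -text`; anything that cannot be
parsed or validated is refused, which is what the bug #1255 fix does for
non-RSA keys."""
import random
import re

MIN_MODULUS_BITS = 2048                      # RSA and DSA minimum per the patch
MIN_EXPONENT, MAX_EXPONENT = 65537, 1 << 256  # NIST range quoted in the patch


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: the fixed bases are deterministic below ~3.3e24,
    random bases are used above that."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    bases = (small if n < 3_317_044_064_679_887_385_961_981
             else [random.randrange(2, n - 1) for _ in range(rounds)])
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_rsa(modulus_bits: int, exponent: int) -> str:
    """'' if acceptable, otherwise the refusal reason."""
    if modulus_bits < MIN_MODULUS_BITS:
        return f"RSA key too small: {modulus_bits} bit"
    if exponent < MIN_EXPONENT:
        return f"RSA exponent {exponent} too small"
    if exponent >= MAX_EXPONENT or exponent % 2 == 0:
        return "RSA exponent out of range or even"
    return ""


def check_dsa(p: int, q: int, g: int, y: int, min_p_bits: int = MIN_MODULUS_BITS) -> str:
    """Sanity checks from the patch's DSA block, plus lower bounds and the
    order-Q subgroup checks that block does not perform."""
    if p.bit_length() < min_p_bits:
        return f"DSA key too small: {p.bit_length()} bit"
    if not is_probable_prime(p):
        return "DSA P is not prime"
    if not is_probable_prime(q):
        return "DSA Q is not prime"
    if (p - 1) % q != 0:
        return "DSA Q does not divide P-1"
    if not (q < p and 1 < g < p and 1 < y < p):
        return "DSA values out of range (need Q < P, 1 < G < P, 1 < pub < P)"
    if pow(g, q, p) != 1 or pow(y, q, p) != 1:
        return "DSA G or pub is not in the order-Q subgroup"
    return ""


def _hex_block(label: str, text: str) -> int:
    """Read an OpenSSL 'label:' line followed by indented colon-separated hex."""
    m = re.search(rf"^\s*{label}:\s*\n((?:\s*[0-9a-fA-F:]+\n)+)", text, re.M)
    if not m:
        raise ValueError(f"missing {label}")
    return int(re.sub(r"[^0-9a-fA-F]", "", m.group(1)), 16)


def check_key_text(text: str, min_p_bits: int = MIN_MODULUS_BITS) -> str:
    """Fail closed: parse errors and unknown algorithms are refusals, not passes."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    try:
        if alg and alg.group(1) == "rsaEncryption":
            bits = int(re.search(r"RSA Public Key: \((\d+) bit\)", text).group(1))
            exp = int(re.search(r"Exponent: (\d+)", text).group(1))
            return check_rsa(bits, exp)
        if alg and alg.group(1) == "dsaEncryption":
            return check_dsa(*(_hex_block(k, text) for k in ("P", "Q", "G", "pub")),
                             min_p_bits)
    except (AttributeError, ValueError) as e:
        return f"could not parse key material ({e}); refusing to sign"
    return "unrecognized or missing algorithm; refusing to sign"


# Constructed samples in the `openssl req -text` layout (modulus bytes truncated,
# they are not parsed; the DSA numbers are toy values, not a real key).
RSA_TEXT = """\
    Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
            Modulus (2048 bit):
                00:c4:ab:19
            Exponent: 65537 (0x10001)
"""
DSA_TEXT = """\
    Public Key Algorithm: dsaEncryption
        pub:
            12
        P:
            17
        Q:
            0b
        G:
            04
"""

if __name__ == "__main__":
    print("RSA  :", check_key_text(RSA_TEXT) or "ok")
    print("DSA  :", check_key_text(DSA_TEXT, min_p_bits=5) or "ok")
    print("EC   :", check_key_text("    Public Key Algorithm: id-ecPublicKey\n"))
```

Every failure path returns a reason string and the default path refuses, so a new algorithm added to OpenSSL output cannot silently pass as "no weakness found", which is exactly the bypass #1255 closed.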


