Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR
luca at pca.it
Sat Mar 26 17:57:26 UTC 2011
I was creating a Certificate Signing Request with certtool and then I
discovered that the output file contains more than the CSR; even worse,
it contains the password asked for during creation.
I could not find any reason for that, nor does the manpage contain any hint
about how to output the CSR alone. However, I found #522281:
On Thu, 11 Jun 2009 11:14:29 +0200, Simon Josefsson wrote:
> Matthew King <matthew.king at monnsta.net> writes:
>> If you attempt to use a pkcs8 private key with a template file, and that
>> template file does not specify the passphrase, certtool exits with an error:
>> certtool: importing --load-privkey: ca-key.pem: Decryption has failed.
>> I am not sure which is worse - putting the passphrase in the template
>> file or asking questions in batch mode, but the patch to allow the
>> latter is simple:
> I believe an error message in this situation is reasonable: the reason
> for the template mode is to avoid interactive questions. It would be
> wrong to ask questions for missing data in a template.
> Specifying a password in a template file is a security concern, but
> other files on Unix systems contain passwords and private keys, so it is
> a well understood problem. It is possible to protect these files using
> a restricted file mode.
Indeed, the output certtool now displays when creating a CSR seems to me
a template, although it includes the CSR at the end.
This is a big regression WRT security and I do not share Simon's view
about putting passwords in files and protecting them with restricted file
modes: by default, no password of any kind should be written to a file.
IMHO the severity should be more than important, but neither the definition
of serious nor the one of grave seemed to fit what I just wrote above.
Gismo / Luca
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnutls-bin depends on:
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libgcrypt11 1.4.6-5 LGPL Crypto library - runtime libr
ii libgnutls26 2.10.5-1 the GNU TLS library - runtime libr
ii libreadline6 6.1-3 GNU readline and history libraries
ii libtasn1-3 2.9-2 Manage ASN.1 structures (runtime)
ii zlib1g 1:220.127.116.11.dfsg-3 compression library - runtime
gnutls-bin recommends no packages.
gnutls-bin suggests no packages.
-- no debconf information