Bug#619746: gnutls-bin: [certtool] include useless data when creating a CSR

Luca Capello luca at pca.it
Sat Mar 26 17:57:26 UTC 2011


Package: gnutls-bin
Version: 2.10.5-1
Severity: important

Hi there!

I was creating a Certificate Signing Request with certtool and then I
discovered that the output file contains more than the CSR; even worse,
it contains the password asked for during the creation.

I could not find any reason for that, nor does the manpage contain any
hint about how to output the CSR alone.  However, I found #522281:

  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522281#10>

On Thu, 11 Jun 2009 11:14:29 +0200, Simon Josefsson wrote:
> Matthew King <matthew.king at monnsta.net> writes:
>> If you attempt to use a pkcs8 private key with a template file, and that
>> template file does not specify the passphrase, certtool exits with an
>> error:
>>
>> certtool: importing --load-privkey: ca-key.pem: Decryption has failed.
>>
>> I am not sure which is worse - putting the passphrase in the template
>> file or asking questions in batch mode, but the patch to allow the
>> latter is simple:
[...]
> I believe an error message in this situation is reasonable: the reason
> for the template mode is to avoid interactive questions.  It would be
> wrong to ask questions for missing data in a template.
>
> Specifying a password in a template file is a security concern, but
> other files on Unix systems contain passwords and private keys so it is
> a well understood problem.  It is possible to protect these files using
> a restricted file mode.

Indeed, the output certtool now displays when creating a CSR seems to me
a template, albeit one that includes the CSR at the end.

This is a big regression WRT security and I do not share Simon's view
about putting passwords in files and protecting them with restricted file
modes: by default, no password of any kind should be written to a file.

IMHO the Severity should be higher than important, but neither the
definition of serious nor that of grave seemed to fit what I just wrote
above.

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnutls-bin depends on:
ii  libc6                   2.11.2-13        Embedded GNU C Library: Shared lib
ii  libgcrypt11             1.4.6-5          LGPL Crypto library - runtime libr
ii  libgnutls26             2.10.5-1         the GNU TLS library - runtime libr
ii  libreadline6            6.1-3            GNU readline and history libraries
ii  libtasn1-3              2.9-2            Manage ASN.1 structures (runtime)
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information
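A check for the behaviour reported above, added here as an example (it is not code from the report or from GnuTLS): it flags every line in a certtool output file that is not part of the PEM CSR block, tells you whether one of those lines stores a secret, and strips the file down to the request. The sample file it builds is constructed to mimic the described output; its template lines and base64 body are assumptions, not real certtool output.

```shell
#!/bin/sh
# Check that a file written by "certtool --generate-request" holds nothing but
# the PEM-encoded CSR, and report any other line (a leaked "password = ..."
# template line in particular).

# Print every non-blank line that lies outside the CSR PEM block.
# Exit status: 0 if the file is a clean CSR, 1 if extra lines were found.
csr_only() {
    awk '
        BEGIN { bad = 0 }
        /^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$/ { inpem = 1; next }
        /^-----END (NEW )?CERTIFICATE REQUEST-----$/   { inpem = 0; next }
        inpem        { next }   # base64 body of the request
        /^[ \t]*$/   { next }   # blank lines are harmless
        { print "extra: " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Exit 0 if the extra material contains a line that stores a secret.
leaks_secret() {
    csr_only "$1" | grep -qiE '^extra: *(password|passphrase|pin) *='
}

# Keep only the CSR block, dropping everything written around it.
strip_to_csr() {
    sed -n '/^-----BEGIN.*CERTIFICATE REQUEST-----$/,/^-----END.*CERTIFICATE REQUEST-----$/p' "$1"
}

# Constructed sample that mimics the behaviour described in the report:
# template-style lines, including the password, followed by the request.
# The base64 body is a placeholder, not a real CSR.
make_sample() {
    cat > "$1" <<'EOF'
organization = "Example Ltd"
cn = "www.example.org"
password = "hunter2"

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBcDCB2gIBADAxMS8wLQYDVQQDEyZ3d3cuZXhhbXBsZS5vcmc=
-----END NEW CERTIFICATE REQUEST-----
EOF
}
```

Run `csr_only` on the real file certtool produced; a clean run prints nothing and exits 0, and `strip_to_csr` gives you a file safe to send to the CA.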