bug-1292: prohibit keys with public exponent smaller than 65536
[cacert-devel.git] / includes / lib / check_weak_key.php
index d2aa33d..59c6cd6 100644 (file)
@@ -33,37 +33,18 @@ require_once 'general.php';
 */
 function checkWeakKeyCSR($csr, $encoding = "PEM")
 {
 */
 function checkWeakKeyCSR($csr, $encoding = "PEM")
 {
-       // non-PEM-encodings may be binary so don't use echo
-       $descriptorspec = array(
-       0 => array("pipe", "r"), // STDIN for child
-       1 => array("pipe", "w"), // STDOUT for child
-       );
        $encoding = escapeshellarg($encoding);
        $encoding = escapeshellarg($encoding);
-       $proc = proc_open("openssl req -inform $encoding -text -noout",
-       $descriptorspec, $pipes);
-
-       if (is_resource($proc))
-       {
-               fwrite($pipes[0], $csr);
-               fclose($pipes[0]);
-                       
-               $csrText = "";
-               while (!feof($pipes[1]))
-               {
-                       $csrText .= fread($pipes[1], 8192);
-               }
-               fclose($pipes[1]);
-                       
-               if (($status = proc_close($proc)) !== 0 || $csrText === "")
-               {
-                       return _("I didn't receive a valid Certificate Request, hit ".
-                               "the back button and try again.");
-               }
-       } else {
+       $status = runCommand("openssl req -inform $encoding -text -noout",
+                            $csr, $csrText);
+       if ($status === true) {
                return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
        }
                return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
        }
-
-
+       
+       if ($status !== 0 || $csrText === "") {
+               return _("I didn't receive a valid Certificate Request. Hit ".
+                       "the back button and try again.");
+       }
+       
        return checkWeakKeyText($csrText);
 }
 
        return checkWeakKeyText($csrText);
 }
 
@@ -80,37 +61,18 @@ function checkWeakKeyCSR($csr, $encoding = "PEM")
  */
 function checkWeakKeyX509($cert, $encoding = "PEM")
 {
  */
 function checkWeakKeyX509($cert, $encoding = "PEM")
 {
-       // non-PEM-encodings may be binary so don't use echo
-       $descriptorspec = array(
-       0 => array("pipe", "r"), // STDIN for child
-       1 => array("pipe", "w"), // STDOUT for child
-       );
        $encoding = escapeshellarg($encoding);
        $encoding = escapeshellarg($encoding);
-       $proc = proc_open("openssl x509 -inform $encoding -text -noout",
-       $descriptorspec, $pipes);
-
-       if (is_resource($proc))
-       {
-               fwrite($pipes[0], $cert);
-               fclose($pipes[0]);
-                       
-               $certText = "";
-               while (!feof($pipes[1]))
-               {
-                       $certText .= fread($pipes[1], 8192);
-               }
-               fclose($pipes[1]);
-                       
-               if (($status = proc_close($proc)) !== 0 || $certText === "")
-               {
-                       return _("I didn't receive a valid Certificate Request, hit ".
-                               "the back button and try again.");
-               }
-       } else {
-               return failWithId("checkWeakKeyCSR(): Failed to start OpenSSL");
+       $status = runCommand("openssl x509 -inform $encoding -text -noout",
+                            $cert, $certText);
+       if ($status === true) {
+               return failWithId("checkWeakKeyX509(): Failed to start OpenSSL");
        }
        }
-
-
+       
+       if ($status !== 0 || $certText === "") {
+               return _("I didn't receive a valid Certificate Request. Hit ".
+                       "the back button and try again.");
+       }
+       
        return checkWeakKeyText($certText);
 }
 
        return checkWeakKeyText($certText);
 }
 
@@ -127,16 +89,17 @@ function checkWeakKeyX509($cert, $encoding = "PEM")
  */
 function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
 {
  */
 function checkWeakKeySPKAC($spkac, $spkacname = "SPKAC")
 {
-       /* Check for the debian OpenSSL vulnerability */
-
-       $spkac = escapeshellarg($spkac);
        $spkacname = escapeshellarg($spkacname);
        $spkacname = escapeshellarg($spkacname);
-       $spkacText = `echo $spkac | openssl spkac -spkac $spkacname`;
-       if ($spkacText === null) {
-               return _("I didn't receive a valid Certificate Request, hit the ".
-                               "back button and try again.");
+       $status = runCommand("openssl spkac -spkac $spkacname", $spkac, $spkacText);
+       if ($status === true) {
+               return failWithId("checkWeakKeySPKAC(): Failed to start OpenSSL");
        }
        }
-
+       
+       if ($status !== 0 || $spkacText === "") {
+               return _("I didn't receive a valid Certificate Request. Hit the ".
+                       "back button and try again.");
+       }
+       
        return checkWeakKeyText($spkacText);
 }
 
        return checkWeakKeyText($spkacText);
 }
 
@@ -157,7 +120,7 @@ function checkWeakKeyText($text)
        $algorithm))
        {
                return failWithId("checkWeakKeyText(): Couldn't extract the ".
        $algorithm))
        {
                return failWithId("checkWeakKeyText(): Couldn't extract the ".
-                                       "public key algorithm used");
+                                       "public key algorithm used.\nData:\n$text");
        } else {
                $algorithm = $algorithm[1];
        }
        } else {
                $algorithm = $algorithm[1];
        }
@@ -165,16 +128,15 @@ function checkWeakKeyText($text)
 
        if ($algorithm === "rsaEncryption")
        {
 
        if ($algorithm === "rsaEncryption")
        {
-               if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text,
-               $keysize))
+               if (!preg_match('/^\s*RSA Public Key: \((\d+) bit\)$/m', $text, $keysize))
                {
                        return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
                {
                        return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
-                                               "key size");
+                                               "key size.\nData:\n$text");
                } else {
                        $keysize = intval($keysize[1]);
                }
                } else {
                        $keysize = intval($keysize[1]);
                }
-                       
-               if ($keysize < 1024)
+
+               if ($keysize < 2048)
                {
                        return sprintf(_("The keys that you use are very small ".
                                                "and therefore insecure. Please generate stronger ".
                {
                        return sprintf(_("The keys that you use are very small ".
                                                "and therefore insecure. Please generate stronger ".
@@ -182,14 +144,8 @@ function checkWeakKeyText($text)
                                                "found in %sthe wiki%s"),
                                        "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
                                        "</a>");
                                                "found in %sthe wiki%s"),
                                        "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
                                        "</a>");
-               } elseif ($keysize < 2048) {
-                       // not critical but log so we have some statistics about
-                       // affected users
-                       trigger_error("checkWeakKeyText(): Certificate for small ".
-                                               "key (< 2048 bit) requested", E_USER_NOTICE);
                }
                }
-                       
-                       
+
                $debianVuln = checkDebianVulnerability($text, $keysize);
                if ($debianVuln === true)
                {
                $debianVuln = checkDebianVulnerability($text, $keysize);
                if ($debianVuln === true)
                {
@@ -204,19 +160,20 @@ function checkWeakKeyText($text)
                        // not vulnerable => do nothing
                } else {
                        return failWithId("checkWeakKeyText(): Something went wrong in".
                        // not vulnerable => do nothing
                } else {
                        return failWithId("checkWeakKeyText(): Something went wrong in".
-                                       "checkDebianVulnerability()");
+                                       "checkDebianVulnerability().\nKeysize: $keysize\n".
+                                       "Data:\n$text");
                }
                }
-                       
+
                if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
                $exponent))
                {
                        return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
                if (!preg_match('/^\s*Exponent: (\d+) \(0x[0-9a-fA-F]+\)$/m', $text,
                $exponent))
                {
                        return failWithId("checkWeakKeyText(): Couldn't parse the RSA ".
-                                               "exponent");
+                                               "exponent.\nData:\n$text");
                } else {
                        $exponent = $exponent[1]; // exponent might be very big =>
                        //handle as string using bc*()
 
                } else {
                        $exponent = $exponent[1]; // exponent might be very big =>
                        //handle as string using bc*()
 
-                       if (bccomp($exponent, "3") === 0)
+                       if (bccomp($exponent, "65537") < 0)
                        {
                                return sprintf(_("The keys you use might be insecure. ".
                                                        "Although there is currently no known attack for ".
                        {
                                return sprintf(_("The keys you use might be insecure. ".
                                                        "Although there is currently no known attack for ".
@@ -228,9 +185,9 @@ function checkWeakKeyText($text)
                                                "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
                                                "</a>");
                        } elseif (!(bccomp($exponent, "65537") >= 0 &&
                                                "<a href='//wiki.cacert.org/WeakKeys#SmallExponent'>",
                                                "</a>");
                        } elseif (!(bccomp($exponent, "65537") >= 0 &&
-                       (bccomp($exponent, "100000") === -1 ||
-                       // speed things up if way smaller than 2^256
-                       bccomp($exponent, bcpow("2", "256")) === -1) )) {
+                                       (bccomp($exponent, "100000") === -1 ||
+                                       // speed things up if way smaller than 2^256
+                                       bccomp($exponent, bcpow("2", "256")) === -1) )) {
                                // 65537 <= exponent < 2^256 recommended by NIST
                                // not critical but log so we have some statistics about
                                // affected users
                                // 65537 <= exponent < 2^256 recommended by NIST
                                // not critical but log so we have some statistics about
                                // affected users
@@ -239,10 +196,83 @@ function checkWeakKeyText($text)
                                E_USER_NOTICE);
                        }
                }
                                E_USER_NOTICE);
                        }
                }
-       }
 
 
-       /* No weakness found */
-       return "";
+               // No weakness found
+               return "";
+       } // End RSA
+
+/*
+//Fails to work due to outdated OpenSSL 0.9.8o
+//For this to work OpenSSL 1.0.1f or newer is required
+//which is currently unavailable on the systems
+//If DSA2048 or longer is used the CSR hangs pending on the signer.
+       if ($algorithm ===  "dsaEncryption")
+       {
+               if (!preg_match('/^\s*Public Key Algorithm:\s+dsaEncryption\s+pub:\s+([0-9a-fA-F:\s]+)\s+P:\s+([0-9a-fA-F:\s]+)\s+Q:\s+([0-9a-fA-F:\s]+)\s+G:\s+([0-9a-fA-F:\s]+)\s+$/sm', $text, $keydetail))
+               {
+                       return failWithId("checkWeakKeyText(): Couldn't parse the DSA ".
+                                       "key size.\nData:\n$text");
+               }
+
+               $key_pub = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[1]), "ABCDEF", "abcdef");
+               $key_P = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[2]), "ABCDEF", "abcdef");
+               $key_Q = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[3]), "ABCDEF", "abcdef");
+               $key_G = strtr(preg_replace("/[^0-9a-fA-F]/", "", $keydetail[4]), "ABCDEF", "abcdef");
+
+               //Verify the numbers provided by the client
+               $num_pub = @gmp_init($key_pub, 16);
+               $num_P = @gmp_init($key_P, 16);
+               $num_Q = @gmp_init($key_Q, 16);
+               $num_G = @gmp_init($key_G, 16);
+
+               $bit_P = ltrim(gmp_strval($num_P, 2), "0");
+               $keysize = strlen($bit_P);
+
+               if ($keysize < 2048) {
+                       return sprintf(_("The keys that you use are very small ".
+                                               "and therefore insecure. Please generate stronger ".
+                                               "keys. More information about this issue can be ".
+                                               "found in %sthe wiki%s"),
+                                       "<a href='//wiki.cacert.org/WeakKeys#SmallKey'>",
+                                       "</a>");
+               }
+
+               //Following checks based on description of key generation in Wikipedia
+               //These checks do not ensure a strong key, but at least check for enough sanity in the key material
+               // cf. https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Key_generation
+
+               //Check that P is prime
+               if(!gmp_testprime($num_P)) {
+                       return failWithId("checkWeakKeyText(): The supplied DSA ".
+                                       "key does seem to have a non-prime public modulus.\nData:\n$text");
+               }
+
+               //Check that Q is prime
+               if(!gmp_testprime($num_Q)) {
+                       return failWithId("checkWeakKeyText(): The supplied DSA ".
+                                       "key does seem to have a non-prime Q-value.\nData:\n$text");
+               }
+
+               //Check if P-1 is diviseable by Q
+               if(0 !== gmp_cmp("1", gmp_mod($num_P, $num_Q))) {
+                       return failWithId("checkWeakKeyText(): The supplied DSA ".
+                                       "key does seem to have P mod Q === 1 (i.e. P-1 is not diviseable by Q).\nData:\n$text");
+               }
+
+               //Check the numbers are all less than the public modulus P
+               if(0 <= gmp_cmp($num_Q, $num_P) || 0 <= gmp_cmp($num_G, $num_P) || 0 <= gmp_cmp($num_pub, $num_P)) {
+                       return failWithId("checkWeakKeyText(): The supplied DSA ".
+                                       "key does seem to be normalized to have Q < P, G < P and pub < P.\nData:\n$text");
+               }
+
+               // No weakness found
+               return "";
+       } // End DSA
+*/
+
+
+       return _("The keys you supplied use an unrecognized algorithm. ".
+                       "For security reasons these keys can not be signed by CAcert.");
 }
 
 /**
 }
 
 /**
@@ -268,7 +298,8 @@ function checkDebianVulnerability($text, $keysize = 0)
                $algorithm))
                {
                        trigger_error("checkDebianVulnerability(): Couldn't extract ".
                $algorithm))
                {
                        trigger_error("checkDebianVulnerability(): Couldn't extract ".
-                                       "the public key algorithm used", E_USER_WARNING);
+                                       "the public key algorithm used.\nData:\n$text",
+                                       E_USER_WARNING);
                        return null;
                } else {
                        $algorithm = $algorithm[1];
                        return null;
                } else {
                        $algorithm = $algorithm[1];
@@ -281,7 +312,7 @@ function checkDebianVulnerability($text, $keysize = 0)
                $keysize))
                {
                        trigger_error("checkDebianVulnerability(): Couldn't parse the ".
                $keysize))
                {
                        trigger_error("checkDebianVulnerability(): Couldn't parse the ".
-                                       "RSA key size", E_USER_WARNING);
+                                       "RSA key size.\nData:\n$text", E_USER_WARNING);
                        return null;
                } else {
                        $keysize = intval($keysize[1]);
                        return null;
                } else {
                        $keysize = intval($keysize[1]);
@@ -312,7 +343,7 @@ function checkDebianVulnerability($text, $keysize = 0)
        $text, $modulus))
        {
                trigger_error("checkDebianVulnerability(): Couldn't extract the ".
        $text, $modulus))
        {
                trigger_error("checkDebianVulnerability(): Couldn't extract the ".
-                               "RSA modulus", E_USER_WARNING);
+                               "RSA modulus.\nData:\n$text", E_USER_WARNING);
                return null;
        } else {
                $modulus = $modulus[1];
                return null;
        } else {
                $modulus = $modulus[1];
@@ -339,7 +370,7 @@ function checkDebianVulnerability($text, $keysize = 0)
        // $checksum and $blacklist should be safe, but just to make sure
        $checksum = escapeshellarg($checksum);
        $blacklist = escapeshellarg($blacklist);
        // $checksum and $blacklist should be safe, but just to make sure
        $checksum = escapeshellarg($checksum);
        $blacklist = escapeshellarg($blacklist);
-       exec("grep $checksum $blacklist", $dummy, $debianVuln);
+       $debianVuln = runCommand("grep $checksum $blacklist");
        if ($debianVuln === 0) // grep returned something => it is on the list
        {
                return true;
        if ($debianVuln === 0) // grep returned something => it is on the list
        {
                return true;