Re: openSSL Key generation

From: Stephen Samuel (samuel@bcgreen.com)
Date: 02/15/03

    Date: Fri, 14 Feb 2003 20:36:07 -0800
    From: Stephen Samuel <samuel@bcgreen.com>
    To: "Michal Luczak (warf)" <warf@wp-sa.pl>, focus-linux@securityfocus.com
    
    

    When I tested to see if the trick below worked as a pipe, I got the
    following:
    dd if=/dev/urandom bs=1024 count=1024 |/usr/bin/openssl genrsa -rand - 1024 > server.key
    0 semi-random bytes loaded
    Generating RSA private key, 1024 bit long modulus
    ....++++++
    ................++++++
    e is 65537 (0x10001)
    5+0 records in
    4+0 records out

    (The output from DD is ignored, and the pipe write fails once the
    pipe fills up and openssl dies).

    I get the same result if I use Non_existant_file instead of '-'

    The point here is that if the random byte input file doesn't exist
    (or is un-openable), openssl silently ignores the error and continues
    with no input data. This is not (for me at least) the expected response.
    I would, at the very least, expect an error message and, perhaps, a non-zero
    return code. Preferably, it should refuse to generate the key until the
    obvious error is corrected.

    Michal Luczak (warf) wrote:

    > If you really want to use /dev/urandom then try something like this:
    > ~ # dd if=/dev/urandom of=/tmp/random.data bs=1024 count=1024
    > 1024+0 records in
    > 1024+0 records out
    > ~ # time /usr/bin/openssl genrsa -rand /tmp/random.data 1024 > server.key
    > 1048576 semi-random bytes loaded
    > Generating RSA private key, 1024 bit long modulus

    -- 
    Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
                   http://www.bcgreen.com/~samuel/
    Powerful committed communication, reaching through fear, uncertainty and
    doubt to touch the jewel within each person and bring it to life.
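A defensive wrapper for the behaviour Stephen describes, added here as an example and not part of the original thread: it refuses to call openssl genrsa -rand until the seed file is confirmed to exist, be readable and hold enough bytes, instead of relying on openssl to complain. The function names, the 1024-byte minimum and the 2048-bit default are my assumptions; openssl is only needed by safe_genrsa, the check itself runs without it.

```shell
#!/bin/sh
# Added example (not from the thread): validate a -rand seed file before
# handing it to openssl, since openssl may silently load 0 bytes from a
# missing, unreadable or empty file and carry on generating the key.

# check_seed_file FILE MIN_BYTES
# Returns 0 only if FILE is a readable regular file of at least MIN_BYTES.
check_seed_file() {
    f=$1
    min=${2:-1024}   # assumed minimum; adjust to taste
    if [ -z "$f" ] || [ "$f" = "-" ]; then
        echo "seed must be a real file, not stdin ('-')" >&2
        return 1
    fi
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "seed file '$f' is missing or unreadable" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -lt "$min" ]; then
        echo "seed file '$f' has only $size bytes (need $min)" >&2
        return 1
    fi
    return 0
}

# safe_genrsa SEED OUTFILE [BITS]
# Runs the check first; openssl is never invoked with a bad seed.
safe_genrsa() {
    seed=$1
    out=$2
    bits=${3:-2048}   # assumed default key size
    check_seed_file "$seed" 1024 || return 1
    umask 077          # private key file must not be world-readable
    openssl genrsa -rand "$seed" "$bits" > "$out"
}
```

Usage: `dd if=/dev/urandom of=/tmp/random.data bs=1024 count=1024 && safe_genrsa /tmp/random.data server.key`; a missing or empty seed file now stops the script with a message and non-zero status.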