Check for Weak Debian Keys

The following describes how to check for weak Debian keys on the EJBCA Hardware Appliance.

The instructions have been tested against the EJBCA Hardware Appliance version 3.2.0.

Background

Due to an issue (CVE-2008-0166) from 2006 in OpenSSL, where a vulnerable version of the library only used the PID as seed when generating RSA or DSA keys, an attacker can find the private key from the corresponding public without much effort. The Debian project created blacklists and you can check certificates against these blacklists to check for weak Debian keys.

Create Script on the Appliance

To create a script on the Hardware Appliance:

  1. Go to the Appliance WebConf, click Platform > Platform access and enable SSH.
  2. Transfer the file debian-weak-keys.tar.xz to the appliance using e.g. WinSCP.
  3. Log in using SSH and transfer the file debian-weak-keys.tar.xz to cos-ejbca.

    Replace MGMT_IP with the IP address of the management interface shown on the appliance front display.

    ssh root@MGMT_IP
    scp debian-weak-keys.tar.xz cos-ejbca:
  4. Jump to cos-ejbca.

    ssh cos-ejbca
  5. Create directories in /etc.

    mkdir -p /etc/weak-keys/all-lists
  6. Extract the file with the Debian blacklists.

    tar -C /etc/weak-keys/all-lists -xf debian-weak-keys.tar.xz
  7. Create a script which can be attached to a validator in EJBCA.

    /etc/weak-keys/weak-keys.sh

    #!/bin/sh
    output=`grep $(openssl x509 -noout -pubkey -inform DER -in $1 \
        | openssl rsa -pubin -noout -modulus \
        | sha1sum | cut -d ' ' -f 1 | cut -c 21-) \
        /etc/weak-keys/all-lists/blacklist*`
    if [ -z "$output" ]; then
      logger "The public key in the certificate is not on a known weak Debian key."
      exit 0
    else
      logger "Known weak Debian key was detected in certificate."
      logger "You can inspect the base64 encoded certificate shown below:"
      logger `cat $1 | base64`
      exit 1
    fi
  8. Set permissions for WildFly.

    chown -R user:user /etc/weak-keys
    chmod +x /etc/weak-keys/weak-keys.sh

Create External Command Certificate Validator

To create an External Command Certificate Validator:

  1. Open the EJBCA CA Web and go to System Configuration > External Scripts. Select Enable External Script Access and then configure the whitelist according to the following example.

  2. Go to Validators and create an external command certificate validator with the following settings:
    • Validator Type: External Command Certificate Validator.
    • Full pathname of script: /etc/weak-keys/weak-keys.sh.
    • Fail on script error code: Enabled.
    • Fail on output to error out: Enabled.
    • Issuance Phase: Pre-certificate Validation.
    • If Validation failed: Abort certificate issuance.
  3. Click Save to save the validator.

Test Validator

To test the validator:

  1. To test if your setup works, edit the validator created in the previous section.
  2. Copy-paste the PEM certificate shown below and save it as a file called test-blacklist.pem.

    -----BEGIN CERTIFICATE-----
    MIIFzDCCA7SgAwIBAgIQB66bp3FYMWG3OiIbZKgNPzANBgkqhkiG9w0BAQsFADBp
    MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x
    GDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjEeMBwGA1UEAwwVU1NMLmNvbSBSU0Eg
    U1NMIHN1YkNBMB4XDTIwMDMwNDAwMjczNVoXDTIwMDYwMjAwMjczNVowFzEVMBMG
    A1UEAwwMbGViZXJnZXIuYml6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
    AQEA+TYH57WzTTfARNmo/Vx8/TGHD774iWbQoglRH+RGeFjgjoDGongoYr9jDwwX
    c1QxK36fojJ5zmDxIsvn/CsIRBj1aWCWvJons4LGfvEEmnZWuyhWleLKxmTvgbFb
    VMyLe+3fsuKjrktntuhpK75GXkpcErKS/3aGFY3UbMDp5qmGTZfZbXUAOTBq6Uvj
    6SyyeGrxrR+xRFAYCrB80ilLL2XlZ9hjqXge7qhhSxP5JYcVG4Fr8BvwhzoQ9zV1
    tdEuU6E+nZlvA6m4Qm4pQByCMMRH2BoqBL4n1aR1fNu+WdWHMC3uVmq2P5WZNsYK
    gdccVMmlHGVfRbhC1wuCty4QUwIDAQABo4IBwDCCAbwwHwYDVR0jBBgwFoAUJhR+
    4NzXpvfi1AQn32HxwuznMsowfAYIKwYBBQUHAQEEcDBuMEoGCCsGAQUFBzAChj5o
    dHRwOi8vd3d3LnNzbC5jb20vcmVwb3NpdG9yeS9TU0xjb20tU3ViQ0EtU1NMLVJT
    QS00MDk2LVIxLmNydDAgBggrBgEFBQcwAYYUaHR0cDovL29jc3BzLnNzbC5jb20w
    KQYDVR0RBCIwIIIMbGViZXJnZXIuYml6ghB3d3cubGViZXJnZXIuYml6MFEGA1Ud
    IARKMEgwCAYGZ4EMAQIBMDwGDCsGAQQBgqkwAQMBATAsMCoGCCsGAQUFBwIBFh5o
    dHRwczovL3d3dy5zc2wuY29tL3JlcG9zaXRvcnkwHQYDVR0lBBYwFAYIKwYBBQUH
    AwIGCCsGAQUFBwMBMDoGA1UdHwQzMDEwL6AtoCuGKWh0dHA6Ly9jcmxzLnNzbC5j
    b20vU1NMY29tUlNBU1NMc3ViQ0EuY3JsMB0GA1UdDgQWBBTCxWii5RK9474UxOJB
    wLerjO2QbTAOBgNVHQ8BAf8EBAMCBaAwEwYKKwYBBAHWeQIEAwEB/wQCBQAwDQYJ
    KoZIhvcNAQELBQADggIBAA+2tsRNgQIQMs93Q+NNCQgzj+9avNUbT8s1hZHBkoyf
    3zGgMRJgZkJ/xSEG/www/0SXKhhg8Bnp6r4PfpGn5t+T1XkZz8PhMvQlCT/zPBqC
    8W7voCSMdG0klWqz2hBJ3lNzEmHLKrkp63SM17xE8rGDd0oMfjKwxZKwb7z40jrA
    isEUWNq6FzSPiNllNJq7IbOffEuR0/oz21a3vruPJGB0opWYPBqQcLzemnEXDPEZ
    R2NzfSZB5UzZfAtGLbjxYoMXK+7JLoQjsPpQWlJqGjVaHd9K+Lthg1THwYtdMekK
    Flobw8WirkmuKBZEmo8x6nobfFh2VaBOjA8AXRr6jEO3EjwKvCHDm32td9SkDXe7
    tP4IO/gJma4dxWKV1Hyu/1/6qPUVn55XCCAiuyZcDo3A0t0nSIR8iGbyBtQb0OJH
    SzOyGFJ2SLM8lmyl3eJzXc5YLcJso4S2ZVgZQ9KVApitjvlBvgL7BPskNZxI/c0T
    ISPlOeYtD0O/rxQuQakWOqal9hk+l4Rrd7O+UguXijB92h/40AfLsaLUCRxBZgXA
    tSMLQNleqFMpxIwA93Ybm+iT3FmBqqDNZ2cJ77NTVL3sKeF77b0Xdppn+93Rz51z
    K9UmDRX973f9qi9p/1PbofcOBKZnMaFp7O7kXfdBRaXzslhSLDE2/X+Kx7SVe0GV
    -----END CERTIFICATE-----
  3. Upload test-blacklist.pem and click Test command.

  4. Expected log output in the syslog of cos-ejbca:

    > tail -f /var/log/sys.log
    Jun 24 17:29:16 cos-ejbca root: Known weak Debian key was detected in certificate.
    Jun 24 17:29:16 cos-ejbca root: You can inspect the base64 encoded certificate shown below:
    Jun 24 17:29:16 cos-ejbca root: <base64 encoded certificate>
  5. Expected output of the WildFly log file:
    17:29:16,247 INFO  [org.cesecore.keys.validation.ExternalCommandCertificateValidator] (ajp--0.0.0.0-8009-4) Test external command certificate validator Debian Weak Key Check
    17:29:16,295 INFO  [org.cesecore.keys.validation.ExternalCommandCertificateValidator] (ajp--0.0.0.0-8009-4) Could not call external command '/etc/weak-keys/weak-keys.sh' with arguments [/tmp/org.cesecore.keys.validation.ExternalCommandCertificateValidator-1593012556248505049562192935548.tmp] sucessfully: Detected errors while running the external application /etc/weak-keys/weak-keys.sh.
    The message Could not call external command means that the script returned a non-zero exit status, which is the expected behavior when the certificate contains a weak Debian key.

Enable Validator for a CA

To enable the validator for a CA:

  1. Go to Certification Authorities and select the CA for which you want to enable the validator.
  2. In the Other Data section, select the validator you just created and click Save. The validator will now run every time you issue a certificate from this CA.

Maintenance Notes

The script and the blacklists will be wiped after a factory reset of the appliance. If you perform a factory reset and restore a backup, you must add the script and the blacklists again. If you forget to do so, the validation will fail.

If you have a CA cluster, you need to add the script and the blacklists to all nodes in the cluster. The files in /etc are not automatically synchronized between the nodes.