openssl 1.1.1t: problems with CA.pl and $HOME/.rnd
Matthias Apitz
guru at unixarea.de
Thu May 25 11:56:37 UTC 2023
Hello,
This is with openssl 1.1.1t, self-compiled on Linux SuSE SLES 15:
/usr/local/sisis-pap/bin/openssl version
OpenSSL 1.1.1t 7 Feb 2023
export OPENSSL_CONFIG=/usr/local/sisis-pap/openssl.cnf
export OPENSSL=/usr/local/sisis-pap/bin/openssl
cp -p /usr/local/sisis-pap/misc/CA.pl .
./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
====
/usr/local/sisis-pap/bin/openssl req /usr/local/sisis-pap/openssl.cnf -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
req: Use -help for summary.
...
If I look into
/usr/local/sisis-pap/bin/openssl req -help
"req" does not seem to expect a config file there, but CA.pl
sets it:
grep 'my $REQ' CA.pl
my $REQ = "$openssl req $OPENSSL_CONFIG";
Next try without OPENSSL_CONFIG:
unset OPENSSL_CONFIG
./CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
====
/usr/local/sisis-pap/bin/openssl req -new -keyout ./demoCA/private/cakey.pem -out ./demoCA/careq.pem
Can't load /home/sisis/.rnd into RNG
140713478350656:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/home/sisis/.rnd
Generating a RSA private key
Why does it want to load $HOME/.rnd?
I looked into openssl-1.1.1t/crypto/rand/randfile.c
53 #define RFILE ".rnd"
97 if ((in = openssl_fopen(file, "rb")) == NULL) {
98 RANDerr(RAND_F_RAND_LOAD_FILE, RAND_R_CANNOT_OPEN_FILE);
99 ERR_add_error_data(2, "Filename=", file);
100 return -1;
101 }
and after line 287, RFILE is appended to $HOME. And the mode "rb" (the "b" is ignored on Linux)
opens the file for reading, i.e. it must already exist.
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
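As an added example (not code from the post, nor from OpenSSL's own CA.pl), the shell script below reproduces the two checks the post's analysis points to. First, the grep'd line `my $REQ = "$openssl req $OPENSSL_CONFIG";` pastes the variable verbatim into the command line, so `req` only sees a config file if the variable itself reads `-config <path>`; a bare path lands where the post shows it landing and is rejected with "Use -help for summary". Second, in my reading of the 1.1.1 apps code, the path named in "Can't load ... into RNG" is the RANDFILE directive of the effective openssl.cnf, which RAND_load_file() then opens with fopen(..., "rb"), so the file has to exist. The helper names (build_req_cmd, randfile_from_cnf, rnd_file_status), the sample config and all paths are constructed for this demo; the seeding step with `openssl rand -writerand` only runs if an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example; not code from the original post or from OpenSSL's CA.pl.
# Two checks for the situation described in the post:
#  1. CA.pl (OpenSSL 1.1.1) builds the req command line as
#         my $REQ = "$openssl req $OPENSSL_CONFIG";
#     so $OPENSSL_CONFIG is pasted verbatim; req only sees a config file if
#     the variable itself reads "-config <path>".
#  2. In the 1.1.1 apps the "Can't load ... into RNG" warning names the
#     RANDFILE value from the effective openssl.cnf, and RAND_load_file()
#     opens that path with fopen(..., "rb"), so it must already exist.
# Helper names, the sample config and all paths are constructed here.
set -eu

# 1. Mirror of CA.pl's $REQ assembly.  $1 = openssl binary, $2 = $OPENSSL_CONFIG
build_req_cmd() {
    printf '%s req %s\n' "$1" "$2"
}

# 2. First RANDFILE directive of a config file, comments stripped, with a
#    leading $ENV::HOME expanded (the only variable form handled here).
#    $1 = config file, $2 = value to substitute for HOME.  Fails if unset.
randfile_from_cnf() {
    randfile=$(sed -e 's/#.*$//' "$1" \
        | sed -n 's/^[[:space:]]*RANDFILE[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | head -n 1)
    [ -n "$randfile" ] || return 1
    case "$randfile" in
        '$ENV::HOME'*) randfile="$2${randfile#\$ENV::HOME}" ;;
    esac
    printf '%s\n' "$randfile"
}

# 3. What fopen(path, "rb") will find: missing, unreadable, or ok.
rnd_file_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -r "$1" ]; then
        echo unreadable
    else
        echo ok
    fi
}

demo() {
    tmp=$(mktemp -d)
    home="$tmp/home"
    cat > "$tmp/openssl.cnf" <<'EOF'
# constructed sample; the RANDFILE line mirrors the one older shipped
# openssl.cnf files carried in their default section
RANDFILE = $ENV::HOME/.rnd

[ req ]
default_bits = 2048
EOF
    echo "OPENSSL_CONFIG=<path> hands req a bare filename (rejected):"
    echo "  $(build_req_cmd /usr/local/sisis-pap/bin/openssl "$tmp/openssl.cnf")"
    echo "OPENSSL_CONFIG='-config <path>' hands req the option it parses:"
    echo "  $(build_req_cmd /usr/local/sisis-pap/bin/openssl "-config $tmp/openssl.cnf")"

    rf=$(randfile_from_cnf "$tmp/openssl.cnf" "$home")
    echo "RANDFILE from the config resolves to $rf: $(rnd_file_status "$rf")"

    # Seed the file once so later runs find it; -writerand exists in 1.1.1.
    if command -v openssl >/dev/null 2>&1; then
        mkdir -p "$home"
        openssl rand -writerand "$rf" -out /dev/null 32 >/dev/null 2>&1 || true
        echo "after openssl rand -writerand: $(rnd_file_status "$rf")"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the two command lines side by side and the status of the resolved RANDFILE path; point randfile_from_cnf at the real openssl.cnf (the one `openssl version -d` reports, or the one given with -config) to check which file the warning is actually about on your own system.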
More information about the openssl-users mailing list