[openssl-users] Why openssl 1.0.1p accepts composite $q$ in DSA?

Erwann Abalea erwann.abalea at opentrust.com
Wed Sep 9 12:35:18 UTC 2015


> Le 9 sept. 2015 à 14:17, Georgi Guninski <guninski at guninski.com> a écrit :
> On Wed, Sep 09, 2015 at 12:07:43PM +0000, Viktor Dukhovni wrote:
>>> Are you saying I can't sign the cert with another cert
>>> (the pubkey is easy to extract from the cert) with openssl?
>> If you control a trusted root CA, or an intermediate CA issued
>> (possibly indirectly) by a trusted root CA, you can sign anything
>> you want and it will be trusted.  The fact that malfeasant CAs can
>> compromise security is not new.
>> If you don't control a trusted CA, what significance would such a
>> signature carry?  Yes, most certificates (sometimes constrained by
>> KeyUsage) can be used for signing, but unless "CA=true", they can't
>> be used to sign other certificates that will be trusted by peers.
> I am gonna leave this list very soon.
> Feel free to CC me with answer:
> If I am CA and sign cert requests with vanilla openssl,
> will I sign a composite $q$?

If you’re a CA and sign cert requests, you’re responsible to check the public key you’re signing.
You could also sign an RSA key with e=1 or a dumb modulus, and it’s not a backdoor in RSA or OpenSSL.

More information about the openssl-users mailing list