certtool --generate-privkey leaks private key by default
Description of problem:
When using certtool to generate a private key and specifying a password, the expectation is that the output file only contains the encrypted private key. However, it currently also contains the detailed info of the key, leaking the private key material in clear text.
Version of gnutls used:
3.6.9
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
Windows binary
How reproducible:
Steps to Reproduce:
- Run
certtool --generate-privkey --sec-param=Medium --password=test --outfile=ca.key
Actual results:
The ca.key file also contains the detailed key info (e.g. prime1, prime2, etc.):
Public Key Info:
Public Key Algorithm: RSA
Key Security Level: Medium (2048 bits)
modulus:
public exponent:
01:00:01:
private exponent:
prime1:
prime2:
coefficient:
exp1:
exp2:
Public Key PIN:
pin-sha256:A8MoDZeGSq3HADc46OvE+/Je5LZSwW4kvUMzjjvq8s0=
Public Key ID:
sha256:03c3280d97864aadc7003738e8ebc4fbf25ee4b652c16e24bd43338e3beaf2cd
sha1:5947e0a116691046217d205b0592489f883be0f1
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Expected results:
ca.key contains only the encrypted private key (i.e. the -----BEGIN ENCRYPTED PRIVATE KEY----- block).
Looking at the certtool source history, it looks like this change, a0754ce5, added support for the --no-text option but no longer checks whether the output is encrypted.
--no-text
should be implied if the output is encrypted.
Edited by Adrien Montfaucon