--- openssl-blacklist-0.5.orig/debian/copyright
+++ openssl-blacklist-0.5/debian/copyright
@@ -0,0 +1,24 @@
+Format-Specification: http://wiki.debian.org/Proposals/CopyrightFormat?action=recall&rev=178
+Upstream-Name: openssl-blacklist
+Upstream-Maintainer: Jamie Strandboge <jamie@canonical.com>
+ Kees Cook <kees@debian.org>
+Upstream-Source: svn://svn.debian.org/pkg-openssl/openssl-blacklist
+
+Files: *
+Copyright: Copyright 2008-2011, Canonical Ltd.
+License: GPL-3
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+ On Debian systems the full text of the GNU General Public License can be found
+ in the `/usr/share/common-licenses/GPL-3' file.
--- openssl-blacklist-0.5.orig/debian/watch
+++ openssl-blacklist-0.5/debian/watch
@@ -0,0 +1 @@
+# See http://anonscm.debian.org/viewvc/pkg-openssl/openssl-blacklist/
--- openssl-blacklist-0.5.orig/debian/compat
+++ openssl-blacklist-0.5/debian/compat
@@ -0,0 +1 @@
+5
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist.install
+++ openssl-blacklist-0.5/debian/openssl-blacklist.install
@@ -0,0 +1,3 @@
+usr/share/openssl-blacklist/blacklist.RSA-1024
+usr/share/openssl-blacklist/blacklist.RSA-2048
+usr/bin/openssl-vulnkey
--- openssl-blacklist-0.5.orig/debian/rules
+++ openssl-blacklist-0.5/debian/rules
@@ -0,0 +1,90 @@
+#!/usr/bin/make -f
+VERSION=$(shell dpkg-parsechangelog | grep ^Version: | cut -d" " -f2)
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+ touch $@
+
+
+build: build-stamp
+build-stamp: configure-stamp
+ dh_testdir
+ # Add here commands to compile the package.
+ sh ./test.sh
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ # Add here commands to clean up after the build process.
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ mkdir -p $(CURDIR)/debian/tmp/usr/bin
+ mkdir -p $(CURDIR)/debian/tmp/usr/share/openssl-blacklist
+ # Add here commands to install the package into debian/openssl-blacklist.
+ cp $(CURDIR)/openssl-vulnkey $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ sed -i -e 's/@VERSION@/$(VERSION)/' $(CURDIR)/debian/tmp/usr/bin/openssl-vulnkey
+ # Trim blacklists to reduce the size of the package without too
+ # drastically creating false positives.
+ for keysize in 512 1024 2048 4096; do \
+ cat $(CURDIR)/debian/blacklist.prefix > $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
+ cat $(CURDIR)/blacklists/be32/blacklist-$$keysize.db $(CURDIR)/blacklists/le32/blacklist-$$keysize.db $(CURDIR)/blacklists/le64/blacklist-$$keysize.db | cut -d ' ' -f 5 | cut -b21- | sort >> $(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
+ done
+
+# Build architecture-dependent files here.
+binary-arch: build install
+# We have nothing to do by default.
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples examples/*.pem examples/*.csr examples/*.key examples/gen_certs.sh examples/getpid.c
+ dh_install --sourcedir=debian/tmp
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_python2
+ dh_installman $(CURDIR)/openssl-vulnkey.1
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb -- -Zbzip2
+
+get-orig-source:
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure get-orig-source
+
+ORIG_VERSION=$(shell echo "$(VERSION)" | cut -d- -f1)
+ORIG_FILE=$(CURDIR)/../openssl-blacklist_$(ORIG_VERSION).orig.tar.gz
+SVN_CO_DIR=$(CURDIR)/openssl-blacklist-$(ORIG_VERSION)
+get-orig-source:
+ test ! -e $(ORIG_FILE)
+ test ! -e $(SVN_CO_DIR)
+ svn co svn://svn.debian.org/pkg-openssl/openssl-blacklist/trunk $(SVN_CO_DIR)
+ tar czf $(ORIG_FILE) -C `dirname $(SVN_CO_DIR)` --exclude .svn `basename $(SVN_CO_DIR)`/blacklists
+ rm -rf $(SVN_CO_DIR)
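Review bot: The blacklist loop at the end of the install recipe cannot notice a missing or unreadable `blacklists/*/blacklist-$keysize.db`, because the pipeline's exit status is `sort`'s, so a failed `cat` leaves the build green while shipping a silently shorter blacklist. The changelog entries for 0.4 and 0.4.1 suggest the 4096 list may only exist under le64, in which case the recipe currently depends on that error being ignored; making the input set explicit, and failing only when no database exists for a key size, keeps that case working while catching a genuinely absent file, and pinning `LC_ALL=C` on the sort makes the installed list independent of the build host's locale. Separately, `VERSION=$(shell dpkg-parsechangelog …)` and `ORIG_VERSION` use `=`, so dpkg-parsechangelog is re-run on every expansion; `VERSION := …` is the intended semantics, and the empty `get-orig-source:` rule above `binary:` duplicates the one defined further down. get-orig-source also fetches the upstream tree over `svn://`, which gives no transport integrity for what becomes the orig tarball; if the repository is reachable over an authenticated transport, that would be the safer source.

```make
install: build
# … unchanged: dh_* setup, mkdir -p, openssl-vulnkey copy and sed …
	# Trim blacklists to reduce the size of the package without too
	# drastically creating false positives.  Only databases that exist
	# are concatenated, but at least one must exist per key size.
	for keysize in 512 1024 2048 4096; do \
		out=$(CURDIR)/debian/tmp/usr/share/openssl-blacklist/blacklist.RSA-$$keysize; \
		dbs=""; \
		for arch in be32 le32 le64; do \
			db=$(CURDIR)/blacklists/$$arch/blacklist-$$keysize.db; \
			test -r $$db && dbs="$$dbs $$db"; \
		done; \
		test -n "$$dbs" || { echo "no blacklist database found for RSA-$$keysize" >&2; exit 1; }; \
		cat $(CURDIR)/debian/blacklist.prefix > $$out; \
		cat $$dbs | cut -d ' ' -f 5 | cut -b21- | LC_ALL=C sort >> $$out; \
	done
```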
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist.dirs
+++ openssl-blacklist-0.5/debian/openssl-blacklist.dirs
@@ -0,0 +1,3 @@
+usr/bin
+usr/share/doc/openssl-blacklist/examples
+usr/share/openssl-blacklist
--- openssl-blacklist-0.5.orig/debian/control
+++ openssl-blacklist-0.5/debian/control
@@ -0,0 +1,31 @@
+Source: openssl-blacklist
+Section: net
+X-Python-Version: >= 2.5
+Priority: optional
+Maintainer: Kees Cook <kees@debian.org>
+Uploaders: Jamie Strandboge <jamie@ubuntu.com>, Christoph Martin <christoph.martin@uni-mainz.de>
+Build-Depends: debhelper (>= 5.0.38), python (>= 2.6.6-3~), openssl (>= 0.9.8g-9)
+Standards-Version: 3.9.2
+Vcs-Browser: http://svn.debian.org/wsvn/pkg-openssl/openssl-blacklist
+Vcs-Svn: svn://svn.debian.org/pkg-openssl/openssl-blacklist/
+
+Package: openssl-blacklist
+Architecture: all
+Pre-Depends: dpkg (>= 1.10.24)
+Depends: ${misc:Depends}, ${python:Depends}, openssl (>= 0.9.8g-9)
+Description: Blacklists for OpenSSL RSA keys and tools
+ This package contains the openssl-vulnkey tool and the common lists of
+ known-bad OpenSSL keys to use when examining suspect keys with
+ openssl-vulnkey.
+ .
+ RSA-1024, RSA-2048
+
+Package: openssl-blacklist-extra
+Architecture: all
+Pre-Depends: dpkg (>= 1.10.24)
+Depends: ${misc:Depends}, ${python:Depends}, openssl-blacklist
+Description: Non-default blacklists of OpenSSL RSA keys
+ This package contains the uncommon lists of known-bad OpenSSL keys to use when
+ examining suspect keys with openssl-vulnkey.
+ .
+ RSA-512, RSA-4096
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist-extra.dirs
+++ openssl-blacklist-0.5/debian/openssl-blacklist-extra.dirs
@@ -0,0 +1 @@
+usr/share/openssl-blacklist
--- openssl-blacklist-0.5.orig/debian/blacklist.prefix
+++ openssl-blacklist-0.5/debian/blacklist.prefix
@@ -0,0 +1,6 @@
+# After these initial comments, each line must consist of the lower-case key
+# modulus checksum:
+# openssl rsa -noout -modulus -in /tmp/key.pem | sha1sum | cut -d ' ' -f 1)
+# with the first 20 characters removed (that is, the lower 80 bits of the
+# fingerprint). Unless these rules are followed, the blacklist will not work
+# properly. See openssl-vulnkey(1).
--- openssl-blacklist-0.5.orig/debian/changelog
+++ openssl-blacklist-0.5/debian/changelog
@@ -0,0 +1,156 @@
+openssl-blacklist (0.5-3) unstable; urgency=low
+
+ * openssl-vulnkey: adjust for new openssl 1.0.0 output (Closes: #628332)
+ * fix test suite when run as root. Patch from Moritz Muehlenhoff.
+ (Closes: #612461)
+ * convert to dh_python2. Patch from Colin Watson (Closes: #616927)
+ * make lintian -Ivi clean
+ - debian/control: update Standards-Version to 3.9.2
+ - debian/control: add ${misc:Depends} to binaries
+ - debian/control: make Description more verbose
+ - debian/copyright: convert to DEP-5
+ - openssl-vulnkey.1: fix some hyphens as minuses
+ - add debian/source/format
+ - add comments only debian/watch file
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Wed, 22 Jun 2011 11:14:53 -0500
+
+openssl-blacklist (0.5-2) unstable; urgency=low
+
+ * test.sh: fix executable state of openssl-vulnkey (Closes: #525042).
+
+ -- Kees Cook <kees@debian.org> Wed, 06 May 2009 12:12:09 -0700
+
+openssl-blacklist (0.5-1) unstable; urgency=low
+
+ [ Kees Cook ]
+ * openssl-vulnkey:
+ - replace sha with hashlib Python module to silence Python 2.6 warnings.
+ - adjust skip/error handling, reporting more details (Closes: #498326).
+ - pull version when building instead of being hard-coded.
+ * debian/rules: use an orig.tar.gz since the blacklist files themselves
+ are static, to save space in the archive.
+ * test.sh: added mixed good/bad testing.
+
+ [ Jamie Strandboge ]
+ * update openssl-vulnkey to use GPL version 3 as specified in
+ debian/copyright.
+ * test.sh: add non-existent file and permission denied tests, as well
+ as small cleanups
+ * openssl-vulnkey:
+ - exit with status '2' when errors are encountered (ie leave '1' for when
+ a bad modulus is found)
+ - be consistent with error reporting
+
+ -- Kees Cook <kees@debian.org> Wed, 08 Apr 2009 11:49:49 -0700
+
+openssl-blacklist (0.4.2) unstable; urgency=low
+
+ * Add openssl to the Build-Deps, since it is required for the tests.
+
+ -- Kees Cook <kees@outflux.net> Tue, 17 Jun 2008 15:27:38 -0700
+
+openssl-blacklist (0.4.1) unstable; urgency=low
+
+ [ Jamie Strandboge ]
+ * add RSA-4096 blacklist for le64
+ * install RSA-4096 blacklist
+ * don't send STDERR to STDOUT as this may interfere with obtaining the
+ modulus with long bits
+
+ [ Kees Cook ]
+ * debian/rules:
+ - add new examples (using wildcards)
+ - include run of internal tests during build
+ * debian/control: bump to standards version 3.8.0 (no changes needed)
+
+ -- Kees Cook <kees@outflux.net> Mon, 16 Jun 2008 11:48:09 -0700
+
+openssl-blacklist (0.4) unstable; urgency=low
+
+ * allow checking of certificate requests
+ * only check moduli with an exponent of 65537 (the default on Debian/Ubuntu)
+ * update gen_certs.sh for when ~/.rnd does not exist when openssl is run
+ which can happen with openssl 0.9.8g and higher
+ * update gen_certs.sh to use '0' (in case of PID randomization)
+ * added more examples
+ * only prompt once for password (Closes: #483500)
+ * properly cache database reads when bits are same
+ * added '-m' and '-b' arguments. This is helpful for applications calling
+ openssl-vulnkey when the modulus and bits are known, such as openvpn.
+ * man page updates
+ * added test.sh
+ * added blacklists for when ~/.rnd does not exist when openssl is run
+ (LP: #232104)
+ * added 512 bit and partial 4096 blacklists (need le64) (LP: #231014)
+ * reorganized source databases, and ship the new gen_certs.sh format
+ * debian/rules: updated to use new blacklist format and organization
+ * create openssl-blacklist-extra package (but don't ship 4096 yet)
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Tue, 10 Jun 2008 09:09:48 -0400
+
+openssl-blacklist (0.3.2) unstable; urgency=low
+
+ * debian/{rules,dirs,openssl-blacklist.install}: move openssl-vulnkey to
+ /usr/bin (Closes: #482435).
+ * examples/gen_certs.sh:
+ - test for fixed libssl versions (Closes: #483310).
+ - correctly skip pre-existing PEM files, thanks to Michel Meyers
+ (Closes: #483542).
+ - skip invalid pid 32768.
+ * openssl-vulnkey: allow reading from stding, based on patch from
+ Daniel Kahn Gillmor (Closes: #482427).
+ * debian/control: swap maintainer so Ubuntu syncs do not get confused.
+
+ -- Kees Cook <kees@outflux.net> Thu, 29 May 2008 15:19:16 -0700
+
+openssl-blacklist (0.3.1) unstable; urgency=low
+
+ * openssl-vulnkey: fix typo in manpage.
+ * debian/control: add Vcs details, adjust uploaders line.
+ * debian/rules: switch to using dh_installexamples.
+
+ -- Kees Cook <kees@outflux.net> Wed, 28 May 2008 13:25:46 -0700
+
+openssl-blacklist (0.3) unstable; urgency=low
+
+ * Initial Debian release (keeping changelog for clarity), Closes: #482047.
+
+ -- Kees Cook <kees@outflux.net> Wed, 21 May 2008 03:58:17 -0700
+
+openssl-blacklist (0.2) intrepid; urgency=low
+
+ * update openssl-vulnkey to also check x509 certificates, with corresponding
+ manpage update
+ * support 512, 4096 and 8192 databases
+ * don't exit if can't open the database (this way databases can optionally be
+ added
+ * publish complete RSA-1024 and RSA-2048 blacklist for all available
+ architectures on Ubuntu
+ * fix manpage typos
+ * debian/control: use net/optional
+ * use python-central and follow DebianPython/NewPolicy
+ * added get_certs.sh and getpid.c
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Fri, 16 May 2008 08:32:13 -0400
+
+openssl-blacklist (0.1-0ubuntu0.8.04.2) hardy-security; urgency=low
+
+ * openssl-vulnkey:
+ - Don't exit if the key cannot be parsed.
+ - Don't fail if stderr is not available. (LP: #230193)
+
+ -- Mathias Gug <mathiaz@ubuntu.com> Wed, 14 May 2008 14:24:07 +0200
+
+openssl-blacklist (0.1-0ubuntu0.8.04.1) hardy-security; urgency=low
+
+ * no change rebuild for -security
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Tue, 13 May 2008 04:02:50 -0400
+
+openssl-blacklist (0.1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Fri, 12 May 2008 15:44:32 -0400
+
--- openssl-blacklist-0.5.orig/debian/README.Debian
+++ openssl-blacklist-0.5/debian/README.Debian
@@ -0,0 +1,13 @@
+openssl-blacklist for Debian
+----------------------------
+
+This package contains a set of default OpenSSL keys that were known to
+have been generated during the time when the Debian OpenSSL package had a
+broken Random Number Generator.
+
+The source package contains the full fingerprint of the moduli of the
+vulnerable keys in the blacklists/ directory. The installed package uses a
+partial fingerprint for identifying the keys by stripping off the first 20
+bytes of the checksum.
+
+ -- Jamie Strandboge <jamie@ubuntu.com> Fri, 12 May 2008 15:44:32 -0400
--- openssl-blacklist-0.5.orig/debian/openssl-blacklist-extra.install
+++ openssl-blacklist-0.5/debian/openssl-blacklist-extra.install
@@ -0,0 +1,2 @@
+usr/share/openssl-blacklist/blacklist.RSA-512
+usr/share/openssl-blacklist/blacklist.RSA-4096
--- openssl-blacklist-0.5.orig/debian/source/format
+++ openssl-blacklist-0.5/debian/source/format
@@ -0,0 +1 @@
+1.0