
how to sign a script
Hi, can someone help me signing a nasl script?
I know I have to use the "nasl -S" command, but I
don't understand what's the right syntax and what's
the key to use (the serverkey.pem one or what).

Thanks.



___________________________________
Nuovo Yahoo! Messenger: E' molto più divertente: Audibles, Avatar, Webcam, Giochi, Rubrica… Scaricalo ora!
http://it.messenger.yahoo.it
Re: how to sign a script [ In reply to ]
> Hi, can someone help me signing a nasl script?
> I know I have to use the "nasl -S" command, but I
> don't understand what's the right syntax and what's
> the key to use (the serverkey.pem one or what).
>

Self-explanatory answers below...

a.) -S
=============
switch(i)
{
case 'S' :
if ( optarg == NULL ) {
usage();
exit(1);
}

nessus_SSL_init(NULL);
generate_signed_script(optarg);
exit(0);
break;


b.) generate_signed_script
===========================
/*
* Signs a given script
*/
int generate_signed_script(char * filename)
{
RSA * rsa = NULL;
FILE * fp = fopen(NESSUS_STATE_DIR "/nessus/nessus_org.priv.pem", "r");
unsigned char * result;
<..snip..>


The private key, "/nessus/nessus_org.priv.pem", is required, and we don't
have it ;-).. That's why we get the error ...

open: No such file or directory



HTH,

-=skillz=-
Re: Re: how to sign a script [ In reply to ]
Rather than setting nasl_no_signature_check = yes,
and since I could not get the key files to contain more than one key,
I built this patch, which allows a second, local keypair to be
used for plugin signatures.

Assuming install location /usr/local/nessus:

--- 1 KEY GENERATION and INSTALLATION ---

anon$ cat generate_and_install_local_cert.sh
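#!/bin/bash
# Generate a local RSA keypair for signing NASL plugins and install it where
# the patched libnasl verifier (local_signing_key.pem) and `nasl -S`
# (nessus_org.priv.pem, see generate_signed_script) look for it.
set -eu

NESSUS_VAR=/usr/local/nessus/var/nessus
PRIV=local_signing_key.priv.pem
PUB=local_signing_key.pem

# Passphrase-protected 4096-bit key; -aes256 is why `nasl -S` later asks
# for "Enter PEM pass phrase:".
openssl genrsa -aes256 -f4 -out "./$PRIV" 4096
openssl rsa -pubout -in "./$PRIV" > "$PUB"

cp "$PRIV" "$PUB" "$NESSUS_VAR"
cd "$NESSUS_VAR"
# `nasl -S` reads its signing key from this fixed name. The posted script
# copied local_plugin_signing.key, which nothing above creates; the key
# generated here is what is meant.
cp "$PRIV" nessus_org.priv.pem
# Whoever can read the private key can sign plugins: owner-only access.
chmod 600 "$PRIV" nessus_org.priv.pem
cd -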


--- 2 PATCH FOR libnasl/nasl/nasl_crypto2.c ---

anon$ cat add_local_signing_key.patch
--- nasl_crypto2.c 2005-06-12 19:09:54.000000000 +0000
+++ nasl_crypto2.c 2005-06-13 00:30:41.137971416 +0000
@@ -873,7 +873,9 @@
char * t;
unsigned char md[SHA_DIGEST_LENGTH+1];
RSA * rsa = NULL;
+ RSA * rsa_local = NULL;
FILE * fp = fopen(NESSUS_STATE_DIR "/nessus/nessus_org.pem", "r");
+ FILE * fp_local = fopen(NESSUS_STATE_DIR
"/nessus/local_signing_key.pem", "r");
char sig[16384];
unsigned char bin_sig[8192];
int binsz = 0;
@@ -891,7 +893,11 @@


rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
+ rsa_local = PEM_read_RSA_PUBKEY(fp_local, NULL, NULL, NULL);
+
fclose(fp);
+ fclose(fp_local);
+
if ( rsa == NULL ) return -1;

msg = map_file(filename, &msg_len);
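Review bot: `PEM_read_RSA_PUBKEY(fp_local, ...)` and `fclose(fp_local)` run without checking whether the fopen added in the previous hunk succeeded; the local key file is optional by design, so on a host without it fp_local is NULL and fclose(NULL) is undefined behaviour (the original's fp presumably gets its NULL check between the two hunks, outside what is shown). Guard both uses: `rsa_local = fp_local ? PEM_read_RSA_PUBKEY(fp_local, NULL, NULL, NULL) : NULL;` and `if ( fp_local != NULL ) fclose(fp_local);`. The existing `if ( rsa == NULL ) return -1;` now also leaks rsa_local when the vendor key fails to parse; an `RSA_free(rsa_local);` before that return closes it, since RSA_free accepts NULL. The enclosing function starts before this hunk.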
@@ -924,11 +930,17 @@
if ( binsz >= sizeof(bin_sig) ) goto err; /* Too long signature */
}

-
-
res = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, bin_sig, binsz, rsa);
RSA_free(rsa);
efree(&msg);
+
+ /* if fail, attempt comparision with local key */
+ if ( res == 0 ) {
+ res = RSA_verify(NID_sha1, md, SHA_DIGEST_LENGTH, bin_sig,
binsz, rsa_local);
+ }
+
+ RSA_free(rsa_local);
+
return res == 1 ? 0 : 1;

err:
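Review bot: The fallback `RSA_verify(..., rsa_local)` dereferences rsa_local without checking it, so a missing or unparsable local key file turns every vendor-signature mismatch into a crash instead of a rejection; change the condition to `if ( res == 0 && rsa_local != NULL ) {`. The `err:` path, which continues past the hunk, does not free rsa_local either, so the "Too long signature" exit leaks it; add `RSA_free(rsa_local);` to that cleanup. With the fallback in place the local public-key file becomes a second trust anchor for plugin execution, so it must be root-owned and not writable by the account nessusd runs as; a one-line comment above the fallback stating that requirement would help the next maintainer. Spelling in the added comment: `comparision` → `comparison`.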


--- 3 UNINSTALL NESSUS AND NASL LIBS ---
/usr/local/nessus/sbin/uninstall-nessus
(make sure old versions of libnasl aren't lying around)
(check /usr/local/lib/ for libnasl* files)

--- 4 BUILD SEQUENCE W/ PATCH ---

anon$ cat buildnessus.sh
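# Build and install Nessus 2.2.4 with the local-signing-key patch applied to
# libnasl. Run from the directory holding archives/*.tar.gz and
# add_local_signing_key.patch. Any failing step aborts the build.
set -eu

PREFIX=/usr/local/nessus

for x in libnasl-2.2.4 nessus-core-2.2.4 nessus-libraries-2.2.4 nessus-plugins-2.2.4
do
    echo "extracting $x"
    tar zxf "archives/$x.tar.gz"
done

echo "extraction complete"

# Configure, build and install the source tree in the current directory.
# `make distclean` is best-effort: a freshly extracted tree has no Makefile.
build_tree() {
    make distclean >/dev/null 2>&1 || true
    ./configure --prefix="$PREFIX" && make && make install
}

cd nessus-libraries
build_tree

cd ../libnasl
echo "patching libnasl"
# A rejected hunk must stop the build; otherwise an unpatched libnasl is
# installed silently and the local key is never consulted.
( cd nasl && patch -p0 -u < ../../add_local_signing_key.patch )
build_tree

cd ../nessus-core
build_tree

cd ../nessus-plugins
build_tree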

--- 5 TEST LIBNASL ---

anon$ echo "exit(); " > test.nasl && nasl -p test.nasl
anon$ nasl -S test.nasl > test.signed.nasl
Enter PEM pass phrase:
anon$ nasl -p test.signed.nasl
anon$ echo "#foo" >> test.signed.nasl
anon$ nasl -p test.signed.nasl
test.signed.nasl: bad signature. Will not execute this script

--------------------------

HTH


anon