RSA Key Validator

The RSA Key Validator inspects RSA key parameters and validates key quality beyond key length and size. This key validator can enforce the CA/B-Forum requirements (CA/B Forum Baseline requirements version 1.4.2 section 6.1.6), including FIPS 186-4 and NIST (SP 800-89 and NIST SP 56A: Revision 2), on RSA public keys, and also have options to perform the following tests on the RSA exponent and modulus:

• That the value of the public exponent is an odd number equal to 3 or more.

• That the public exponent is in the range between 2^16+1 and 2^256-1.

• That the modulus is an odd number, not the power of a prime, and have no factors smaller than 752.

• That the public key is not a ROCA weak key (CVE-2017-15361).

ECC Key Validator

The ECC Key validator inspects the full public key validation (NIST SP 56A) routine on ECC keys.

Block List Key Validator

This validator compares public keys against a block list of known bad public keys, such as weak Debian keys.

The public key block listed entries can be added using the CLI:

where the directory contains public key files in PEM format. If you have a list of PEM formatted private keys, you can create the public key entries, and CSRs to test with using these commands:

You can import a block list fingerprint file (a file with one block list fingerprint per line) with:

Fingerprints are:

• RSA keys, the SHA-256 hash of the RSA key modulus bytes (ignoring the fixed value e).

• ECDSA keys, the SHA-256 hash of the binary public key encoding (SubjectPublicKeyInfo).

To import one of the lists of weak Debian keys provided by the Debian maintainers, use --mode debianfingerprint.

You can also remove fingerprints using the fingerprint file:

For more information on Debian weak key checks, see Post Processing Validators.