diff --git a/mdx/_openssl_blacklists/compromised-2048.txt b/mdx/_openssl_blacklists/compromised-2048.txt
new file mode 100644
index 00000000..dc152d35
--- /dev/null
+++ b/mdx/_openssl_blacklists/compromised-2048.txt
@@ -0,0 +1,15 @@
+#
+# This is a list of known-compromised 2048-bit keys in OpenSSL format.
+#
+# Derive new values from a private key file as follows:
+#
+# openssl rsa -noout -modulus -in /tmp/key.pem | sha1sum | \
+# cut -d ' ' -f 1 | cut -c 21-
+#
+# You can also derive a new blacklist value from an X.509 certificate as follows:
+#
+# openssl x509 -noout -modulus -in /tmp/cert.pem | sha1sum | \
+# cut -d ' ' -f 1 | cut -c 21-
+#
+# Shibboleth IdP dummy key, shipped in 3.0.0-alpha1 release
+959a1a153444578d010b
diff --git a/mdx/common-beans.xml b/mdx/common-beans.xml
index 31b300e1..47b4e23d 100644
--- a/mdx/common-beans.xml
+++ b/mdx/common-beans.xml
@@ -1052,8 +1052,8 @@
 Compromised key blacklists. Again, don't need to check for keys below our minimum key size. - This currently means there are no compromised keys to check for. --> +
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
index bd9cfab4..f8ac9411 100644
--- a/mdx/uk/beans.xml
+++ b/mdx/uk/beans.xml
@@ -458,8 +458,8 @@
 Compromised key blacklists. Again, don't need to check for keys below our minimum key size. - This currently means there are no compromised keys to check for. --> +
diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
index 294733ee..d73497a7 100644
--- a/mdx/uk/verbs.xml
+++ b/mdx/uk/verbs.xml
@@ -321,8 +321,8 @@
 Compromised key blacklists. Again, don't need to check for keys below our minimum key size. - This currently means there are no compromised keys to check for. --> +
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index c5f5a995..03d84531 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -758,6 +758,19 @@
 + + + + + + + +
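Review bot: The header's derivation recipe in compromised-2048.txt leaves out the one detail that decides whether a value matches: the SHA-1 is computed over the complete `openssl … -modulus` output line, the `Modulus=` prefix and trailing newline included, so anyone who hashes the bare hex digits (or a re-cased copy of them) gets a different 20-character suffix. I would add a line after the second recipe: `# The hash covers the whole "Modulus=..." output line, prefix and trailing newline included;` / `# hashing the bare hex digits gives a different value.` The `cut -c 21-` step keeps the last 20 hex digits of the SHA-1, which looks like the Debian openssl-blacklist convention; saying so in the first comment line (`openssl-blacklist format` rather than `OpenSSL format`) points readers at the spec the checker presumably implements. The lone entry's provenance is a single comment; if the path of the dummy key inside the 3.0.0-alpha1 distribution is known, recording it there lets a later maintainer regenerate and verify `959a1a153444578d010b` rather than trust it.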