generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

PKCS#8 support for alternative PRFs.

Browse Source 
Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.

Add option to pkcs8 utility.

Update docs.
This commit is contained in:
Dr. Stephen Henson 2014-02-28 17:23:54 +00:00
parent 124d218889
commit b60272b01f
3 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
apps/pkcs8.c
View File

@ -135,6 +135,22 @@ int MAIN(int argc, char **argv)
else else
badarg = 1; badarg = 1;
} }
else if (!strcmp(*args,"-v2prf"))
{
if (args[1])
{
args++;
pbe_nid=OBJ_txt2nid(*args);
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
{
BIO_printf(bio_err,
"Unknown PRF algorithm %s\n", *args);
badarg = 1;
}
}
else
badarg = 1;
}
else if (!strcmp(*args,"-inform")) else if (!strcmp(*args,"-inform"))
{ {
if (args[1]) if (args[1])

11
crypto/pkcs12/p12_p8e.c
View File

@ -73,8 +73,15 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
goto err; goto err;
} }
if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen); if(pbe_nid == -1)
else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid);
else
{
ERR_clear_error();
pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
}
if(!pbe) { if(!pbe) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB); PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
goto err; goto err;

12
doc/apps/pkcs8.pod
View File

@ -20,6 +20,7 @@ B<openssl> B<pkcs8>
[B<-embed>] [B<-embed>]
[B<-nsdb>] [B<-nsdb>]
[B<-v2 alg>] [B<-v2 alg>]
[B<-v2prf alg>]
[B<-v1 alg>] [B<-v1 alg>]
[B<-engine id>] [B<-engine id>]
@ -118,6 +119,12 @@ private keys with OpenSSL then this doesn't matter.
The B<alg> argument is the encryption algorithm to use, valid values include The B<alg> argument is the encryption algorithm to use, valid values include
B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used. B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
=item B<-v2prf alg>
This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
values would be B<hmacWithSHA256>. If this option isn't set then the default
for the cipher is used or B<hmacWithSHA1> if there is no default.
=item B<-v1 alg> =item B<-v1 alg>
This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
@ -195,6 +202,11 @@ DES:
openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
Convert a private from traditional to PKCS#5 v2.0 format using AES with
256 bits in CBC mode and B<hmacWithSHA256> PRF:
openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -out enckey.pem
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(DES): (DES):