diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2014-02-28 17:23:54 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-03-01 23:14:08 +0000 |
commit | b60272b01fcb4f69201b3e1659b4f7e9e9298dfb (patch) | |
tree | fb0d3ea959e82f5e6f2f0e74c9bacfa677ca0dd3 | |
parent | 124d218889dfca33d277404612f1319afe04107e (diff) | |
download | openssl-new-b60272b01fcb4f69201b3e1659b4f7e9e9298dfb.tar.gz |
PKCS#8 support for alternative PRFs.
Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.
Add option to pkcs8 utility.
Update docs.
-rw-r--r-- | apps/pkcs8.c | 16 | ||||
-rw-r--r-- | crypto/pkcs12/p12_p8e.c | 11 | ||||
-rw-r--r-- | doc/apps/pkcs8.pod | 12 |
3 files changed, 37 insertions, 2 deletions
diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 7edeb179dd..dc9e1ef66f 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -135,6 +135,22 @@ int MAIN(int argc, char **argv) else badarg = 1; } + else if (!strcmp(*args,"-v2prf")) + { + if (args[1]) + { + args++; + pbe_nid=OBJ_txt2nid(*args); + if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) + { + BIO_printf(bio_err, + "Unknown PRF algorithm %s\n", *args); + badarg = 1; + } + } + else + badarg = 1; + } else if (!strcmp(*args,"-inform")) { if (args[1]) diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c index bf20a77b4c..1adb969fc4 100644 --- a/crypto/pkcs12/p12_p8e.c +++ b/crypto/pkcs12/p12_p8e.c @@ -73,8 +73,15 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, goto err; } - if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen); - else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); + if(pbe_nid == -1) + pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen); + else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) + pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid); + else + { + ERR_clear_error(); + pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen); + } if(!pbe) { PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB); goto err; diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod index 84abee78f3..6901f1f3f2 100644 --- a/doc/apps/pkcs8.pod +++ b/doc/apps/pkcs8.pod @@ -20,6 +20,7 @@ B<openssl> B<pkcs8> [B<-embed>] [B<-nsdb>] [B<-v2 alg>] +[B<-v2prf alg>] [B<-v1 alg>] [B<-engine id>] @@ -118,6 +119,12 @@ private keys with OpenSSL then this doesn't matter. The B<alg> argument is the encryption algorithm to use, valid values include B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used. +=item B<-v2prf alg> + +This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value +values would be B<hmacWithSHA256>. If this option isn't set then the default +for the cipher is used or B<hmacWithSHA1> if there is no default. + =item B<-v1 alg> This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete @@ -195,6 +202,11 @@ DES: openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem +Convert a private from traditional to PKCS#5 v2.0 format using AES with +256 bits in CBC mode and B<hmacWithSHA256> PRF: + + openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -out enckey.pem + Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (DES): |