Possible bug in pkcs8 import

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Oct 22 20:57:55 CEST 2008

David Marín Carreño wrote:
> Hi all.
> I am developing PKCS#8 import in gnoMint (http://gnomint.sf.net).
> For testing what are the error codes obtained while probing the type
> of a given file, I have developed a little program that tries to
> import a given file as a PEM-codified crypted and unencrypted PKCS8
> file, and the same with DER format.
> The problem is that I am not able to import any PKCS#8 file, crypted
> or unencrypted, DER or PEM. I have generated these PKCS#8 (attached)
> files using gnutls (test-pem-crypt.pkcs8), openssl
> (test-pem-uncrypt.pkcs8, and both test-der-*.pkcs8), and certtool
> (test-pem-crypt2048.pkcs8).
> I am obtaining -207 (GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) while
> trying to import a DER file as a PEM file, which is correct. But all
> other combinations always result with an error -67

It seems certtool cannot handle not encrypted PKCS #8 files properly.
Moreover if run with -d 2 I can see that
|<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' (DES-CBC) is

How did you encrypted this key?

> Could anyone help me? Is the problem in the PKCS8 files, in my test
> program, or in gnutls?

It seems it's a combination of certtool issues and gnutls not supporting
 DES-CBC for PKCS #8.


More information about the Gnutls-devel mailing list