Possible bug in pkcs8 import

David Marín Carreño davefx at gmail.com
Thu Oct 23 08:19:29 CEST 2008


Hi all again.
2008/10/22 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> David Marín Carreño wrote:
>> Hi all.
>>
>> I am developing PKCS#8 import in gnoMint (http://gnomint.sf.net).
>>
>> For testing what are the error codes obtained while probing the type
>> of a given file, I have developed a little program that tries to
>> import a given file as a PEM-codified crypted and unencrypted PKCS8
>> file, and the same with DER format.
>>
>> The problem is that I am not able to import any PKCS#8 file, crypted
>> or unencrypted, DER or PEM. I have generated these PKCS#8 (attached)
>> files using gnutls (test-pem-crypt.pkcs8), openssl
>> (test-pem-uncrypt.pkcs8, and both test-der-*.pkcs8), and certtool
>> (test-pem-crypt2048.pkcs8).
>>
>> I am obtaining -207 (GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) while
>> trying to import a DER file as a PEM file, which is correct. But all
>> other combinations always result in an error -67
>> (GNUTLS_E_ASN1_ELEMENT_NOT_FOUND).
>
> It seems certtool cannot handle not encrypted PKCS #8 files properly.
> Moreover if run with -d 2 I can see that
> |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' (DES-CBC) is
> unsupported.
>
> How did you encrypt this key?
>

The file test-pem-crypt.pkcs8 was created with libgnutls, with the function
gnutls_x509_privkey_export_pkcs8:

gnutls_x509_privkey_export_pkcs8 (key, GNUTLS_X509_FMT_PEM, "lalalala",
                                  GNUTLS_PKCS_USE_PKCS12_3DES, buffer,
                                  &buffer_len)

"key" is a private DSA key, also generated with libgnutls.

The file test-pem-crypt2048.pkcs8 was created with certtool, with the
command options:

certtool -8 -p > test-pem-crypt2048.pkcs8

The other files were created with openssl, importing test-pem-crypt.pkcs8
and exporting it into other formats.

>> Could anyone help me? Is the problem in the PKCS8 files, in my test
>> program, or in gnutls?
>
> It seems it's a combination of certtool issues and gnutls not supporting
>  DES-CBC for PKCS #8.
>

But it seems to support it while generating PKCS#8 files...

> regards,
> Nikos
>

Best regards,

-- 
David Marín Carreño
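
The probing discussed in this message (PEM or DER, encrypted or not, and which PBE scheme OID an encrypted file declares, such as the 1.2.840.113549.1.5.3 seen in the debug output) needs only the outer DER structure. The following is an added example, not code from the thread, gnoMint or GnuTLS; the function names and the sample byte strings are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify_pkcs8(data):
    """Return (encoding, kind, pbe_oid) for a candidate file; nothing is decrypted."""
    encoding, match = "DER", PEM_RE.search(data)
    try:
        if match:
            encoding, data = "PEM", base64.b64decode(b"".join(match.group(2).split()))
        tag, start, _ = read_tlv(data, 0)
        first_tag, f_start, f_end = read_tlv(data, start)
        if tag == 0x30 and first_tag == 0x30:  # EncryptedPrivateKeyInfo: AlgorithmIdentifier first
            oid_tag, s, e = read_tlv(data, f_start)
            if oid_tag == 0x06:
                return encoding, "encrypted", decode_oid(data[s:e])
        # PrivateKeyInfo: INTEGER version, then AlgorithmIdentifier (a PKCS #1 key has an INTEGER there)
        if tag == 0x30 and first_tag == 0x02 and read_tlv(data, f_end)[0] == 0x30:
            return encoding, "unencrypted", None
    except (ValueError, IndexError):  # bad base64 or truncated/short DER
        pass
    return encoding, "unknown", None

# Constructed samples, not real keys: all-zero salt, ciphertext and key bytes.
SAMPLE_ENCRYPTED = bytes.fromhex(
    "3027 301b 06092a864886f70d010503 300e 04080000000000000000 02020800"
    " 04080000000000000000")
SAMPLE_PLAIN = bytes.fromhex("3018 020100 3009 06072a8648ce380401 04080000000000000000")
SAMPLE_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(SAMPLE_ENCRYPTED)
              + b"\n-----END ENCRYPTED PRIVATE KEY-----\n")
```

Running `classify_pkcs8` over each test file before calling the import function shows whether a failure comes from the container type or from an encryption scheme the library does not support.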