Possible bug in pkcs8 import
David Marín Carreño
davefx at gmail.com
Thu Oct 23 08:19:29 CEST 2008
Hi all again.
2008/10/22 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> David Marín Carreño wrote:
>> Hi all.
>> I am developing PKCS#8 import in gnoMint (http://gnomint.sf.net).
>> For testing what are the error codes obtained while probing the type
>> of a given file, I have developed a little program that tries to
>> import a given file as a PEM-codified crypted and unencrypted PKCS8
>> file, and the same with DER format.
>> The problem is that I am not able to import any PKCS#8 file, crypted
>> or unencrypted, DER or PEM. I have generated these PKCS#8 (attached)
>> files using gnutls (test-pem-crypt.pkcs8), openssl
>> (test-pem-uncrypt.pkcs8, and both test-der-*.pkcs8), and certtool
>> I am obtaining -207 (GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) while
>> trying to import a DER file as a PEM file, which is correct. But all
>> other combinations always result with an error -67
> It seems certtool cannot handle not encrypted PKCS #8 files properly.
> Moreover if run with -d 2 I can see that
> |<1>| PKCS encryption schema OID '1.2.840.1135184.108.40.206' (DES-CBC) is
> How did you encrypted this key?
The file test-pem-crypt.pkcs8 was created with libgnutls, with the function
gnutls_x509_privkey_export_pkcs8 (key, GNUTLS_X509_FMT_PEM, "lalalala",
"key" is a private DSA key, also generated with libgnutls.
The file test-pem-crypt2048.pkcs8 was created with certtool, with the
certtool -8 -p > test-pem-crypt2048.pkcs8
The other files were created with openssl, importing test-pem-crypt.pkcs8
and exporting it into other formats.
>> Could anyone help me? Is the problem in the PKCS8 files, in my test
>> program, or in gnutls?
> It seems it's a combination of certtool issues and gnutls not supporting
> DES-CBC for PKCS #8.
But it seems to support it while generating PKCS#8 files...
David Marín Carreño
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnutls-devel