Possible bug in pkcs8 import

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Oct 23 15:57:13 CEST 2008

David Marín Carreño wrote:
> Hi all again.
> 2008/10/22 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
>> David Marín Carreño wrote:
>>> Hi all.
>>> I am developing PKCS#8 import in gnoMint (http://gnomint.sf.net).
>>> For testing what are the error codes obtained while probing the type
>>> of a given file, I have developed a little program that tries to
>>> import a given file as a PEM-codified crypted and unencrypted PKCS8
>>> file, and the same with DER format.
>>> The problem is that I am not able to import any PKCS#8 file, crypted
>>> or unencrypted, DER or PEM. I have generated these PKCS#8 (attached)
>>> files using gnutls (test-pem-crypt.pkcs8), openssl
>>> (test-pem-uncrypt.pkcs8, and both test-der-*.pkcs8), and certtool
>>> (test-pem-crypt2048.pkcs8).
>>> I am obtaining -207 (GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) while
>>> trying to import a DER file as a PEM file, which is correct. But all
>>> other combinations always result with an error -67
>> It seems certtool cannot handle not encrypted PKCS #8 files properly.
>> Moreover if run with -d 2 I can see that
>> |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' (DES-CBC) is
>> unsupported.
>> How did you encrypted this key?
> The file test-pem-crypt.pkcs8 was created with libgnutls, with the function
> gnutls_x509_privkey_export_pkcs8:
> gnutls_x509_privkey_export_pkcs8 (key, GNUTLS_X509_FMT_PEM, "lalalala",
>                                   GNUTLS_PKCS_USE_PKCS12_3DES, buffer,
>                                   &buffer_len)
> "key" is a private DSA key, also generated with libgnutls.
> The file test-pem-crypt2048.pkcs8 was created with certtool, with the
> command options:
> certtool -8 -p > test-pem-crypt2048.pkcs8
> The other files were created with openssl, importing test-pem-crypt.pkcs8
> and exporting it into other formats.

Wait. I though all the files were just the same encoded under different
formats. Please explain which files fail for you and what is the error
message you get with -d 2. I suppose you use certtool -k -8 to print the

If you use the latest version from the git repository are your issues
solved? (I committed a fix for certtool to decode decrypted pkcs8 files).

>>> Could anyone help me? Is the problem in the PKCS8 files, in my test
>>> program, or in gnutls?
>> It seems it's a combination of certtool issues and gnutls not supporting
>>  DES-CBC for PKCS #8.
> But it seems to support it while generating PKCS#8 files...
It doesn't. gnutls doesn't support this algorithm, and the issues you
encounter in the files you attached are different since they are totally
different files. Please explain what issues you see and with which files.


More information about the Gnutls-devel mailing list