[Help-gnutls] About Future Plans: Private keys encrypted.

Fran e_agf at yahoo.es
Wed Nov 16 01:52:26 CET 2005 

      * You can both encrypt and decrypt pkcs8 keys in gnutls. The only
        limitation is 
      * that pkcs8 2.0 is supported and not previous versions.

Well, But encryption of key file with password do not work for me,
always exports the key as plain. I used 2,4,8,16 types.
I can not understand very well the man pages, and why the key do not is
saved as encrypted.
In the code exposed is the same put GNUTLS_PKCS_PLAIN or
GNUTLS_PKCS_USE_PKCS12_RC2_40, etc.
I can not understand it. 

Regards.

        Import:
>         This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key to the native  gnutls_x509_privkey_t  format.  The
>                output will be stored in key.  Currently only RSA keys can be imported, ->>> and flags can only be used to indicate an unencrypted key.
        Export:
>          This function will export the private key to a PKCS8 structure.  Currently only RSA keys can be exported since there is  no  docu-
>                mented standard for other keys. If the flags do not specify the encryption cipher, then the default 3DES (PBES2) will be used.
        
> /* 
> GNUTLS_PKCS_PLAIN = 1,        
> GNUTLS_PKCS_USE_PKCS12_3DES = 2, 
> GNUTLS_PKCS_USE_PKCS12_ARCFOUR = 4, 
> GNUTLS_PKCS_USE_PKCS12_RC2_40 = 8, 
> GNUTLS_PKCS_USE_PBES2_3DES = 16 
> */
> 
>           size = sizeof (buffer);
>           if (ret = gnutls_x509_privkey_export_pkcs8 (key, out_cert_format, passwd, /*flags*/GNUTLS_PKCS_USE_PKCS12_RC2_40
>  , buffer, &size), ret < 0)
>             {
>               fprintf (stderr, "privkey_export_pkcs8: %s\n", gnutls_strerror (ret));
>               exit (1);
>             }
>         };
>     }
> 
> 
> 
>   {
>     FILE *file;
>     file = fopen ("new-user.key", "w");
>     fwrite (buffer, 1, size, file);    /* Always is plain */
>     fclose (file);
>   };


On Mar, 2005-11-15 at 23:16 +0100, Nikos Mavrogiannopoulos wrote:
> On Tuesday 15 November 2005 20:52, Fran wrote:
> > Hello,
> > I can see that certtool do not encrypt keys and not support some keys
> > generated with openssl (encrypted).
> > I can see :
> > > int gnutls_x509_privkey_import_pkcs8:
> > >  This  function  will convert the given DER or PEM encoded PKCS8 2.0
> > > encrypted key to the native gnutls_x509_privkey_t format. The output will
> > > be stored in key.  Currently only RSA keys can be imported, and flags can
> > > only be used to indicate an unencrypted key.
> > I think that this is a very high risk security problem for applications
> > that use a file key.
> 
> You can both encrypt and decrypt pkcs8 keys in gnutls. The only limitation is 
> that pkcs8 2.0 is supported and not previous versions.
> 
> 
-- 

Fco. J.

More information about the Gnutls-help mailing list