[Help-gnutls] About Future Plans: Private keys encrypted.
e_agf at yahoo.es
Wed Nov 16 01:52:26 CET 2005
* You can both encrypt and decrypt pkcs8 keys in gnutls. The only
* that pkcs8 2.0 is supported and not previous versions.
Well, But encryption of key file with password do not work for me,
always exports the key as plain. I used 2,4,8,16 types.
I can not understand very well the man pages, and why the key do not is
saved as encrypted.
In the code exposed is the same put GNUTLS_PKCS_PLAIN or
I can not understand it.
> This function will convert the given DER or PEM encoded PKCS8 2.0 encrypted key to the native gnutls_x509_privkey_t format. The
> output will be stored in key. Currently only RSA keys can be imported, ->>> and flags can only be used to indicate an unencrypted key.
> This function will export the private key to a PKCS8 structure. Currently only RSA keys can be exported since there is no docu-
> mented standard for other keys. If the flags do not specify the encryption cipher, then the default 3DES (PBES2) will be used.
> GNUTLS_PKCS_PLAIN = 1,
> GNUTLS_PKCS_USE_PKCS12_3DES = 2,
> GNUTLS_PKCS_USE_PKCS12_ARCFOUR = 4,
> GNUTLS_PKCS_USE_PKCS12_RC2_40 = 8,
> GNUTLS_PKCS_USE_PBES2_3DES = 16
> size = sizeof (buffer);
> if (ret = gnutls_x509_privkey_export_pkcs8 (key, out_cert_format, passwd, /*flags*/GNUTLS_PKCS_USE_PKCS12_RC2_40
> , buffer, &size), ret < 0)
> fprintf (stderr, "privkey_export_pkcs8: %s\n", gnutls_strerror (ret));
> exit (1);
> FILE *file;
> file = fopen ("new-user.key", "w");
> fwrite (buffer, 1, size, file); /* Always is plain */
> fclose (file);
On Mar, 2005-11-15 at 23:16 +0100, Nikos Mavrogiannopoulos wrote:
> On Tuesday 15 November 2005 20:52, Fran wrote:
> > Hello,
> > I can see that certtool do not encrypt keys and not support some keys
> > generated with openssl (encrypted).
> > I can see :
> > > int gnutls_x509_privkey_import_pkcs8:
> > > This function will convert the given DER or PEM encoded PKCS8 2.0
> > > encrypted key to the native gnutls_x509_privkey_t format. The output will
> > > be stored in key. Currently only RSA keys can be imported, and flags can
> > > only be used to indicate an unencrypted key.
> > I think that this is a very high risk security problem for applications
> > that use a file key.
> You can both encrypt and decrypt pkcs8 keys in gnutls. The only limitation is
> that pkcs8 2.0 is supported and not previous versions.
More information about the Gnutls-help