PKCS encryption schema
Simon Josefsson
simon at josefsson.org
Fri Sep 25 10:14:52 CEST 2009
tangtong <tang__tong at hotmail.com> writes:
> Hi,
> I meet some question when I display an encrypted key info created by openssl. The following steps show the scenario:
> openssl genrsa -des3 -out key1.pem
> openssl pkcs8 -topk8 -in key1.pem -out key2.pem
> certtool -k --infile key2.pem
> |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' is unsupported.
> certtool: import error: The cipher type is unsupported.
That is pbeWithMD5AndDES-CBC. Both MD5 and DES are broken, so I'm not
sure it is worthwhile to support it. Try the -v2 parameter to openssl
pkcs8, although I'm not sure what the string for any strong cipher would
be.
I would accept a patch that made GnuTLS read files on this format (but
make sure it can't generate them).
/Simon
>
> I double check the source codes, it is found only the following schema are supported for a pkcs8 key for gnutls:
> PKCS12_PBE_3DES_SHA1_OID "1.2.840.113549.1.12.1.3"
> PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1"
> PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6"
> PBES2_OID "1.2.840.113549.1.5.13"
>
> Only the last one is for PKCS5 schema. According to PKCS8 specification, PKCS8's encryption algorithm is based on PKCS5's encryption schema. I am not sure if this means gnutls dones't fully support PKCS5 and my understanding about PKCS8 and PKCS5 is right or not.
>
>
> Regards
>
>
>
> _________________________________________________________________
> 上Windows Live 中国首页,下载最新版Messenger!
> http://www.windowslive.cn_______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> http://lists.gnu.org/mailman/listinfo/help-gnutls
More information about the Gnutls-help
mailing list