gnutls_x509_privkey_import_openssl

MK mk at cognitivedissonance.ca
Fri Oct 12 13:47:08 CEST 2012


On Wed, 10 Oct 2012 20:16:34 +0200
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On 10/09/2012 11:18 PM, MK wrote:

> > I just started using gnuTLS, and one of the first things I needed
> > to do was incorporate a certificate with encrypted key generated by
> > openSSL. This seemed like a very simple task, here's a minimal
> > reproduction of the technique I used to decrypt the original key:
> 
> Ouch. It seems there was a bug in the openssl key import. I've
> committed a fix and added a test case:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=f16ef39ef0303b02d7fa590a37820440c466ce8d
> 
> Could you try whether this solves the issue you see?

I did, but no such luck.  Since this certificate isn't used online
now, I can give you the offending key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,796F30DEA7F15E31
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-----END RSA PRIVATE KEY-----

This was generated by openssl.

Here's an interesting thing; there was a tiny discrepancy in the patch
which made it fail on tests/Makefile.am:

-	 mini-dtls-heartbeat mini-x509-callbacks
+	 mini-dtls-heartbeat mini-x509-callbacks key-openssl
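Review bot: the `-` line of this hunk does not match the tests/Makefile.am line in the 3.1.2 tarball (which, per the reply, lists only `mini-dtls-heartbeat`), so the patch was cut against a newer tree than the release being tested. Hand-editing the release to match the `-` line adds `mini-x509-callbacks` to the test list without its source file, which is exactly the `No rule to make target mini-x509-callbacks.c` failure reported below. Either apply the commit to the tree it was made on, or when back-porting to 3.1.2 add only `key-openssl` to the existing line and leave `mini-x509-callbacks` out.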

In my 3.1.2 tarball, that line is just "mini-dtls-heartbeat", so I
added the "mini-x509-callbacks".  However, make check then failed with:

make[3]: *** No rule to make target `mini-x509-callbacks.c', needed by
`mini-x509-callbacks.o'.  Stop.

I don't have much experience with autotools, so I tried a couple other
guesses but could not get it to apply.  Sorry.

> In general try to avoid the custom openssl format. The PKCS #8 format
> is standardized and can be handled by more tools.

Absolutely.  It's actually not necessary for me to incorporate the
openssl import, so no problem (for me, at least...).

MK

> 
> regards,
> Nikos
> 


-- 
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)
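An added example, not code from the thread or from the GnuTLS project, showing what a library such as GnuTLS has to do with the header of the key quoted above: read the `Proc-Type`/`DEK-Info` lines, derive the cipher key from the passphrase with OpenSSL's legacy `EVP_BytesToKey` construction (MD5, one round, salt taken from the IV), and contrast that with the PBKDF2 derivation a PKCS #8 (PBES2) key uses, which is the reason for the "prefer PKCS #8" advice in the reply. The header lines are copied from the mail; the passphrase, the PBKDF2 iteration count and the hash choice are constructed assumptions. The block derives keys only; applying DES-EDE3-CBC to the key body needs a cipher library and is out of scope here.

```python
import hashlib
import re

# Constructed sample: the header lines of the key posted in the thread
# (the base64 body is omitted, only the header is needed for key derivation).
SAMPLE_PEM_HEADER = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,796F30DEA7F15E31
"""

# Key lengths in bytes of the ciphers the legacy OpenSSL PEM format uses.
LEGACY_KEY_LEN = {
    "DES-CBC": 8,
    "DES-EDE3-CBC": 24,
    "AES-128-CBC": 16,
    "AES-256-CBC": 32,
}


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from a legacy encrypted PEM header.

    Raises ValueError when the header is missing or names an unknown cipher,
    which is the case an importer must reject rather than guess at.
    """
    if "Proc-Type: 4,ENCRYPTED" not in pem_text:
        raise ValueError("not an encrypted legacy OpenSSL PEM key")
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if not m:
        raise ValueError("missing DEK-Info line")
    cipher, iv_hex = m.group(1), m.group(2)
    if cipher not in LEGACY_KEY_LEN:
        raise ValueError("unsupported legacy cipher %s" % cipher)
    return cipher, bytes.fromhex(iv_hex)


def evp_bytes_to_key_md5(password, salt, key_len):
    """OpenSSL EVP_BytesToKey with MD5 and count=1, as used for legacy PEM keys.

    D_1 = MD5(pw || salt), D_i = MD5(D_{i-1} || pw || salt); the digests are
    concatenated until key_len bytes are available.
    """
    out = b""
    prev = b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len]


def legacy_pem_key_and_iv(pem_text, password):
    """Derive (cipher, key, iv) for a legacy PEM key from its header and passphrase."""
    cipher, iv = parse_dek_info(pem_text)
    salt = iv[:8]  # the legacy format reuses the first 8 IV bytes as the KDF salt
    key = evp_bytes_to_key_md5(password, salt, LEGACY_KEY_LEN[cipher])
    return cipher, key, iv


def pkcs8_pbes2_key(password, salt, key_len, iterations=2048):
    """Constructed comparison: the PBKDF2-HMAC derivation a PKCS #8 PBES2 key
    uses. Iteration count and SHA-256 are assumptions for illustration."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


if __name__ == "__main__":
    pw = b"example-passphrase"  # constructed
    cipher, key, iv = legacy_pem_key_and_iv(SAMPLE_PEM_HEADER, pw)
    print("legacy:", cipher, "key=%s iv=%s" % (key.hex(), iv.hex()))
    print("pkcs8 :", pkcs8_pbes2_key(pw, iv, 24).hex())
```

The contrast is the point: the legacy derivation is a single MD5 over the passphrase and an 8-byte salt, so an offline guess costs one hash, whereas PBES2 iterates PBKDF2 thousands of times. Converting an existing legacy key is a one-liner with `openssl pkcs8 -topk8 -in key.pem -out key.p8`, after which the standard PKCS #8 import path is used instead of the OpenSSL-specific one.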
More information about the Gnutls-help mailing list