gnutls_x509_privkey_import_openssl

Fri Oct 12 13:47:08 CEST 2012

On Wed, 10 Oct 2012 20:16:34 +0200
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On 10/09/2012 11:18 PM, MK wrote:

> > I just started using gnuTLS, and one of the first things I needed
> > to do was incorporate a certificate with encrypted key generated by
> > openSSL. This seemed like a very simple task, here's a minimal
> > reproduction of the technique I used to decrypt the original key:
> 
> Ouch. It seems there was a bug in the openssl key import. I've
> committed a fix and added a test case:
> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=f16ef39ef0303b02d7fa590a37820440c466ce8d
> 
> Could you try whether this solves the issue you see?

I did, but no such luck.   Since this certificate isn't used online
now, I can give you the offending key:

This was generated by openssl.

Here's an interesting thing; there was a tiny discrepancy in the patch
which made it fail on tests/Makefile.am:

-	 mini-dtls-heartbeat mini-x509-callbacks
+	 mini-dtls-heartbeat mini-x509-callbacks key-openssl

In my 3.1.2 tarball, that line is just "mini-dtls-heartbeat", so I
added the "mini-x509-callbacks".  However, make check then failed with:

make[3]: *** No rule to make target `mini-x509-callbacks.c', needed by
`mini-x509-callbacks.o'.  Stop.

I don't have much experience with autotools, so I tried a couple other
guesses but could not get it to apply.  Sorry.

> In general try to avoid the custom openssl format. The PKCS #8 format
> is standardized and can be handled by more tools.

Absolutely.  It's actually not necessary for me to incorporate the
openssl import, so no problem (for me, at least...).

MK

> 
> regards,
> Nikos
> 

-- 
"Enthusiasm is not the enemy of the intellect." (said of Irving Howe)
"The angel of history[...]is turned toward the past." (Walter Benjamin)