In my work on https://runtimeco.atlassian.net/browse/MCUB-87 I will be adding support for password-protected private key files to MCUboot's image signing tool. I would also like to add this support to `newt` as well.

In order to support this protection, I will likely be moving from the current algorithm-specific "legacy" file formats for private keys to PKCS#8 (https://tools.ietf.org/html/rfc5958: Asymmetric Key Packages), which defines a key storage format that supports multiple algorithms. It also has a more modern and robust method of password protecting the files. As per the OpenSSL documentation: "newer applications should use the more secure PKCS#8 format...".

For MCUboot's tool, I will likely convert the format of the key files to always be PKCS#8, effectively removing support for the legacy formats. There will be a documented `openssl` command that can be used to convert any keys between the different formats.

My question for the mynewt list is whether it would be acceptable to change this key format within `newt`, or if we will continue needing to support the legacy file formats for some period of time.

Thanks,
David
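
The transition case raised in the question above, as an added example that is not code from newt or MCUboot: a Go loader that accepts the legacy PEM types alongside PKCS#8 and reports which container it saw, so a tool can keep reading old files while flagging them for conversion. The names `loadSigningKey` and `sampleKeys` and the format labels are assumptions; Go's standard library has no decryptor for password-protected PKCS#8, so that type is only detected here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// loadSigningKey (hypothetical helper) parses a PEM private key and reports its container format.
func loadSigningKey(data []byte) (key crypto.PrivateKey, format string, err error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, "", fmt.Errorf("no PEM block found")
	}
	format = "legacy"
	switch block.Type {
	case "RSA PRIVATE KEY": // legacy, RSA-only (PKCS#1)
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // legacy, EC-only (SEC1)
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY": // unencrypted PKCS#8, algorithm named inside the structure
		format = "pkcs8"
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "ENCRYPTED PRIVATE KEY": // password-protected PKCS#8, detected but not decrypted
		return nil, "pkcs8-encrypted", fmt.Errorf("password-protected key: decryption not shown")
	default:
		return nil, "", fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return nil, format, err
	}
	return key, format, nil
}

func sampleKeys() (legacy, p8 []byte) { // constructed throwaway RSA-2048 key in both encodings
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	legacy, _ := sampleKeys()
	_, format, err := loadSigningKey(legacy)
	fmt.Println(format, err) // a caller would warn and point to the conversion command on "legacy"
}
```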
