Hi,
I received some messages that there are problems with the conversion
from PKCS#8 to old SSLeay format and so I checked it. The result is the
following:
1. the bug is only present if you convert a PKCS#8-key to the old format
2. set the option -passout (we use env:outpwd)
3. internally the following function is used in apps/pkcs8.c:
PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
I searched the sources and found the following comment in
crypto/pem/pem_pk8.c
----------------------------------
As usual if 'enc' is NULL then it uses the unencrypted private key form.
----------------------------------
'enc' is the third argument!
This looks like a disaster because pkcs8 has no options -des, -des, -aes
etc. and there is no default. The result is an unencrypted private key
without any warning. The passphrase is simply ignored.
Am I doing something wrong, or is this a real security bug? If it is a bug then
I strongly recommend a bugfix before 0.9.7-release even if it requires
some new options.
Best regards
Michael
--
-------------------------------------------------------------------
Michael Bell Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email: [EMAIL PROTECTED]
Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax: +49 (0)30-2093 2959
10099 Berlin
Germany http://www.openca.org
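A defender's check for the failure mode Michael describes, added here as an example that is not part of the original mail or of OpenSSL: it inspects the PEM output of a conversion and flags a key that came out unencrypted although a passphrase was supplied. The sample PEM blocks are constructed with placeholder base64 bodies, and the function names (`classify_pem_key`, `passphrase_silently_dropped`) are assumptions of this example.

```python
"""Detect a private key written in the old SSLeay/PEM format that is NOT
encrypted even though a passphrase was given to the conversion.  Pure
header inspection; no OpenSSL library needed."""
import re

# PEM label -> (format family, encrypted as implied by the label)
# For legacy labels the answer depends on the RFC 1421 headers instead.
_LABELS = {
    "ENCRYPTED PRIVATE KEY": ("pkcs8", True),
    "PRIVATE KEY": ("pkcs8", False),
    "RSA PRIVATE KEY": ("legacy", None),
    "DSA PRIVATE KEY": ("legacy", None),
    "EC PRIVATE KEY": ("legacy", None),
}

def classify_pem_key(pem_text):
    """Return (format, encrypted) for the first private-key block found,
    or (None, None) when no recognised block is present."""
    pem_text = pem_text.replace("\r\n", "\n")
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----",
                  pem_text, re.S)
    if not m or m.group(1) not in _LABELS:
        return None, None
    fmt, enc = _LABELS[m.group(1)]
    if fmt == "legacy":
        # SSLeay-format encryption is signalled by header lines right after
        # BEGIN, separated from the base64 body by a blank line:
        #   Proc-Type: 4,ENCRYPTED
        #   DEK-Info: DES-EDE3-CBC,<iv>
        body = m.group(2)
        headers = body.split("\n\n", 1)[0] if "\n\n" in body else ""
        enc = "Proc-Type: 4,ENCRYPTED" in headers and "DEK-Info:" in headers
    return fmt, enc

def passphrase_silently_dropped(pem_text, passphrase_supplied):
    """True when a passphrase was supplied but the key on disk is plain:
    the outcome reported above for 'openssl pkcs8 ... -passout'."""
    fmt, enc = classify_pem_key(pem_text)
    return fmt is not None and passphrase_supplied and not enc

# Constructed samples: the base64 bodies are placeholders, not real keys.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                    "-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                   "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                   "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Run it over the file produced by the conversion (with `passphrase_supplied=True` whenever -passout was given) before the key is deployed; a `True` result means the passphrase was ignored and the key is stored in the clear.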
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]