Hi, I'm reporting a very minor bug in the "openssl pkcs8" app code.
OpenSSL version: 0.9.6g (but this bug seems to be in other versions) OS: Solaris 2.7 (but this bug seems to happen with all OSs) Description: when creating a PKCS8 output file, openssl prompts twice for the encryption password. However, if you enter it incorrectly the second time, it reports an error but still creates the output file, encrypted with the password you typed first. Example: $ ls privkey.pem $ openssl pkcs8 -in privkey.pem -topk8 -out privkey.p8 Enter Encryption Password: <type a password> Verifying password - Enter Encryption Password: <type different password> Verify failure $ echo $? 0 $ ls privkey.p8 privkey.pem The reason is very simple -- in apps/pkcs8.c, when EVP_read_pw_string() is called, the return value from the function is ignored. Therefore, when the password fails verification, the app still creates the output file and returns an exit code of 0. This makes it difficult for a script to determine that an error occurred and take corrective action. The patch to apps/pkcs8.c is very trivial; here's a diff: 239c239 < EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); --- > if (EVP_read_pw_string(pass, 50, "Enter Encryption >Password:", 1)) return (1); This causes openssl to exit with an error, which is easily detected and handled. Let me know if there's anything more that would help. Thanks, - Marc -- Marc VanHeyningen [EMAIL PROTECTED] Internet Security Architect Aventail http://www.aventail.com/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
