Possible bug in OpenSSL 0.9.6h on Solaris 2.8 with /dev/urandom

The rsa command fails strangely when attempting to use both -passin fd:<int> and -passout fd:<int> together. My code was

    openssl rsa -passin fd:5 -des3 -passout fd:7

and it was re-encoding the key with a bad passphrase. Changing to use the /dev/fd syntax like this:

    openssl rsa -passin file:/dev/fd/5 -des3 -passout file:/dev/fd/7

seems to have fixed the problem. I think it might work OK as long as you don't do both in and out with fd: because there are instances of this in my code that do not break.

Here is my test program. Make a private key encrypted by a pass phrase of 12 copies of the letter a in file epk.pem then run:

=====
#! /bin/sh
# Try to figure out why the private key is being encrypted wrong
OPENSSL=/usr/local/openssl/current/bin/openssl
rm -f tpk.pem
perl -e '
$openssl="/usr/local/openssl/current/bin/openssl";
# Raise the system fd limit so the pipe descriptors stay open across exec
$^F = 99;
# Pipe carrying the new (output) pass phrase
pipe KCR,KCW;
print KCW "bbbbb";
close KCW;
# Pipe carrying the current (input) pass phrase
pipe KDR,KDW;
print KDW "aaaaaaaaaaaa";
close KDW;
exec $openssl." rsa -in epk.pem -passin fd:".fileno(KDR).
  " -des3 -passout fd:".fileno(KCR)." -out tpk.pem";
'
echo The pass phrase is bbbbb
$OPENSSL rsa -noout -text -in tpk.pem
=====

This seems to fail on the read of the input key, that is, trying to decrypt the input with aaaaaaaaaaaa even though I expected it to fail when doing the re-encryption. It gets:

read RSA key
unable to load key
1628:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:277:
1628:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:455:
The pass phrase is bbbbb
tpk.pem: No such file or directory

Change the input key to aaaaa (five copies) and it works fine. Think maybe overlap of the buffers for the two -fd: decodes???

This version, differing only in using file: instead of fd: works fine:

=====
#! /bin/sh
# Try to figure out why the private key is being encrypted wrong
OPENSSL=/usr/local/openssl/current/bin/openssl
rm -f tpk.pem
perl -e '
$openssl="/usr/local/openssl/current/bin/openssl";
# Raise the system fd limit so the pipe descriptors stay open across exec
$^F = 99;
# Pipe carrying the new (output) pass phrase
pipe KCR,KCW;
print KCW "bbbbb";
close KCW;
# Pipe carrying the current (input) pass phrase
pipe KDR,KDW;
print KDW "aaaaaaaaaaaa";
close KDW;
exec $openssl." rsa -in epk.pem -passin file:/dev/fd/".fileno(KDR).
  " -des3 -passout file:/dev/fd/".fileno(KCR)." -out tpk.pem";
'
echo The pass phrase is bbbbb
$OPENSSL rsa -noout -text -in tpk.pem
=====

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                             [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
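
Added example, not part of the original message: a shell harness that runs both variants from the post and checks the result, so that a key re-encrypted under the wrong pass phrase is caught instead of silently written. The function names are hypothetical, the pass phrases are the post's test values, and a throwaway key is generated in place of epk.pem.

```shell
#!/bin/sh
# Added example. Pass phrases are test values; function names are hypothetical.
OPENSSL=${OPENSSL:-openssl}

# make_key FILE PASS: write a 2048-bit RSA key encrypted under PASS
make_key() {
    "$OPENSSL" genrsa -des3 -passout fd:3 -out "$1" 2048 2>/dev/null 3<<EOF
$2
EOF
}

# opens_with FILE PASS: succeed only if FILE decrypts under PASS
opens_with() {
    "$OPENSSL" rsa -noout -in "$1" -passin fd:3 >/dev/null 2>&1 3<<EOF
$2
EOF
}

# rekey IN OUT OLD NEW METHOD: METHOD "fd" uses fd:N, anything else file:/dev/fd/N
rekey() {
    if [ "$5" = fd ]; then pin=fd:5 pout=fd:7
    else pin=file:/dev/fd/5 pout=file:/dev/fd/7; fi
    "$OPENSSL" rsa -in "$1" -passin "$pin" -des3 -passout "$pout" \
        -out "$2" >/dev/null 2>&1 5<<EOF_OLD 7<<EOF_NEW
$3
EOF_OLD
$4
EOF_NEW
}

# check_rekey IN OUT OLD NEW METHOD: 0 only if OUT opens with NEW and not with OLD
check_rekey() {
    rm -f "$2"
    rekey "$@" || { echo "$5: re-encryption failed"; return 1; }
    opens_with "$2" "$4" || { echo "$5: output rejects the new pass phrase"; return 2; }
    if opens_with "$2" "$3"; then echo "$5: output still opens with the old pass phrase"; return 3; fi
    echo "$5: ok"
}

# Run both variants from the post against a throwaway key: sh thisfile run
if [ "${1:-}" = run ]; then
    dir=$(mktemp -d) && make_key "$dir/epk.pem" aaaaaaaaaaaa
    for m in fd devfd; do check_rekey "$dir/epk.pem" "$dir/tpk.pem" aaaaaaaaaaaa bbbbb "$m"; done
    rm -rf "$dir"
fi
```

Set OPENSSL to the binary under test; each variant prints one line, and a non-zero status from check_rekey distinguishes a failed load from an output key that opens with the wrong pass phrase.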