Alexander 'Alfe' Fetke wrote:
> 
> Hi, everybody ...
> 
> I am looking for a way to produce an encrypted version of a private key
> stored in DER format.  The commandline tool 'openssl' just offers a way to
> produce encrypted keys stored in PEM format (at least according to the
> help text it gives out when abused).
> 
> I generated a key without passphrase in PEM format, then encrypted it (in
> PEM format) using a passphrase, then I translated the original (uncrypted)
> key to DER format.  I tried to generate a crypted version in DER format
> both from the uncrypted DER format version and from the crypted PEM format
> version, but both ways just produced a file which did not differ from the
> uncrypted DER format.
> 
> Questions:
> 
> - Is there something I don't know?  (e.g. a reason why DER files are never
>   crypted or similar, but I actually _have_ such a crypted DER file from
>   another source, and I need to produce one myself.)
> 
> - Does anybody know a tool to convert a PEM file to a DER file other than
>   the openssl commandline tool?  Where can I get such a tool?  I even
>   think that it should be possible to convert PEM to DER without knowledge
>   of the used passphrase.

The "traditional" SSLeay/OpenSSL encryption encrypted data using a
method that included various bits of essential data in the PEM headers.
This would allow any PEM data to be encrypted but was AFAIK unique,
non-standard and wouldn't allow DER format encryption.

OpenSSL now supports PKCS#8 private keys that include the encryption
details as part of the structure itself. They can exist in either DER or
PEM encrypted forms and have various support functions to read and write
them. Check out the pkcs8 application manual page. An application
wouldn't have to do things this way: check out the various DER+bio
functions with PKCS8 in their names for a friendlier interface.

One thing though. OpenSSL 0.9.5 has a bug which won't read PKCS#8 DSA
private keys; this is fixed in the latest snapshot.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
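
The PKCS#8 route described in the reply above, as an added example that is not part of the original messages: it writes a passphrase-encrypted DER key with the pkcs8 application and checks the result. It assumes a current OpenSSL command line (`-topk8`, `-v2`, `env:` passphrase source); the file names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example. File names and the passphrase are constructed for the demo.
set -eu
umask 077                      # key material stays private to this user

# Encrypt a PEM private key as PKCS#8 EncryptedPrivateKeyInfo in DER form.
# The passphrase comes from $KEY_PASS so it never appears in the process list.
encrypt_to_der() {             # $1 = PEM key in, $2 = encrypted DER out
    openssl pkcs8 -topk8 -v2 aes-256-cbc -inform PEM -in "$1" \
        -outform DER -out "$2" -passout env:KEY_PASS
}

# The encryption details are part of the DER structure itself (PBES2 here).
has_pbes2_header() {           # $1 = DER file
    openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -q 'PBES2'
}

# Decrypt with $KEY_PASS and compare public keys with the original key.
der_matches_key() {            # $1 = encrypted DER, $2 = original PEM key
    pub=$(openssl pkcs8 -inform DER -in "$1" -passin env:KEY_PASS 2>/dev/null |
          openssl pkey -pubout 2>/dev/null) || return 1
    [ "$pub" = "$(openssl pkey -in "$2" -pubout)" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
export KEY_PASS='constructed-demo-passphrase'

openssl genrsa -out "$work/key.pem" 2048 2>/dev/null
# Unencrypted PKCS#8 DER, for comparison with the encrypted file.
openssl pkcs8 -topk8 -nocrypt -in "$work/key.pem" -outform DER -out "$work/plain.der"
encrypt_to_der "$work/key.pem" "$work/enc.der"

if cmp -s "$work/plain.der" "$work/enc.der"; then
    echo "encrypted DER equals plain DER"; exit 1
fi
has_pbes2_header "$work/enc.der" && echo "enc.der carries PBES2 parameters"
der_matches_key "$work/enc.der" "$work/key.pem" && echo "round trip OK"
```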
