On Wed, Jun 22, 2005, Nick G. wrote:

>
> WRT Apache I did verify that OpenSSL can read the keys I created using:
>
> openssl genrsa -out clr.rsa 1024
> then
> openssl pkcs8 -v1 PBE-MD5-DES -in clr.rsa -topk8 -out enc.des.v1.pkcs8
> or
> openssl pkcs8 -v2 des -in clr.rsa -topk8 -out enc.des.v2.pkcs8
> or
> openssl pkcs8 -v2 des3 -in clr.rsa -topk8 -out enc.des3.v2.pkcs8
>
> and that the output from the command you suggested above is identical
> for all the keys but that Apache will not accept any of the encrypted
> PKCS#8 versions (prompts for passphrase, but then claims the pass phrase
> was bad no matter how many times I try to type it in correctly!). I will
> report this as bug to them.
>

They may be missing some calls to add the PBE algorithms. This is
automatic if you call OpenSSL_add_all_algorithms() but needs to be
handled if algorithms are being added manually.

A meaningful error code would help too...

> FYI, The new Java5 stuff will also croak when deciphering the v2
> algorithms claiming that it: "Cannot find any provider supporting
> 1.2.840.113549.1.5.13" (1.2.etc is the OID for TripleDES, right?)<sigh>
>

No that's the PKCS#5 v2.0 OID. You'd expect that message if it didn't
understand PKCS#5 v2.0.

Unfortunately PKCS#5 v1.5 doesn't include any schemes for strong
encryption because the algorithm only derives 128 bits of data (key+IV).

You may have more luck with the PKCS#12 PBE algorithms: see the examples
on the manual page to the pkcs8 utility for more info.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
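
Added example, not part of the original thread and not OpenSSL code: a small Python reader that reports which PBE scheme an encrypted PKCS#8 file declares, which is what decides whether a consumer such as the Java provider above can decrypt it. The function names, the scheme table and the sample bytes are constructed for illustration.

```python
import base64

# Outer AlgorithmIdentifier OIDs of an EncryptedPrivateKeyInfo (PKCS#8).
SCHEMES = {
    "1.2.840.113549.1.5.3": "PBES1 pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0); cipher is named in the parameters",
    "1.2.840.113549.1.12.1.3": "PKCS#12 pbeWithSHA1And3-KeyTripleDES-CBC",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def pbe_scheme(data):
    """Return (oid, description) for a PEM or DER encrypted PKCS#8 key."""
    if b"-----BEGIN" in data:
        lines = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(lines))
    tag, start, _ = read_tlv(data, 0)          # EncryptedPrivateKeyInfo
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, start, _ = read_tlv(data, start)      # AlgorithmIdentifier
    tag2, o_start, o_end = read_tlv(data, start)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("not an EncryptedPrivateKeyInfo")
    oid = decode_oid(data[o_start:o_end])
    return oid, SCHEMES.get(oid, "unknown PBE scheme")

# Constructed sample: a minimal EncryptedPrivateKeyInfo skeleton carrying the
# OID from the Java error message, with empty parameters and no real key data.
SAMPLE = bytes.fromhex("3011" "300d" "06092a864886f70d01050d" "3000" "0400")
```

Calling `pbe_scheme(open("enc.des3.v2.pkcs8", "rb").read())` on one of the files from the commands above shows the declared scheme without needing the passphrase.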