On Fri, Jul 03, 2009, Peter Lin wrote: > Thanks Dr. Henson. > > However still have problems: > > 1. what encryption method does PKCS#8 format allow ? I tried to use pkcs8 > to convert a unencrypted PEM key into PKCS#8 format, and it prompts me for > a > password. However, In the converted files I cannot find info like > "DEK-Info: > AES-128-CBC" as normal PKCS#5's header, but only a "-----BEGIN ENCRYPTED > PRIVATE KEY-----". Later I tried to read converted key with OpenSSL in FIPS > mode but got error. I guess it uses a FIPS_not_allowd encryption method. > Detailed steps are: > 1. openssl genrsa -out key.pem 2048 > 2. openssl pkcs8 -topk8 -in key.pem -out newkey.pem (enter a password > following prompt) > 3. openssl rsa -noout -text -in newkey.pem ( this works) > 4. OPENSSL_FIPS=1 openssl rsa -nouot -text -in newkey.pem ( got error > "digest.c(151): OpenSSL internal error, assertion failed: Digest update > previous FIPS forbidden algorithm error ignored") > > 2. I also try to write to a PKCS#8 with a AES-128 encryption method using > API , but the output is empty with header only. What step did I make it > wrong? > My code : PEM_write_PKCS8PrivateKey( fp, key, EVP_aes_128_cbc(), 0, 0, > callbackFunc, 0 ); > > Actually I am not fully understand the "transparently used". Could anyone > please explain a bit more? My target it to have a format with FIPS-valid > encryption and digest methods to store and read private RSA keys. Thank you > very much. >
The normal format of OpenSSL does *not* use PKCS#5 it is a custom format used since SSLeay. The format you saw is PKCS#5 and PKCS#8 the actual encryption used is part of the sructure and not in the PEM headers. You need the -v2 option as well so that: openssl pkcs8 -in key.pem -topk8 -out p8key.pem -v aes256 should work. However you shouldn't use keys created outside FIPS mode in FIPS mode. The "transparently used" comment refers to the fact that the usual private key encryption function such as PEM_write_PrivateKey() use FIPS approved algorithms automatically in FIPS mode. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
