Using OpenSSL 1.0b5, I generated a self-signed CA certificate and then
created a key pair using commands like this:

openssl req -config ssl.cnf -newkey rsa:1024 -passout pass:password \
    -keyout key.pem -keyform PEM -out tmp/req.pem
openssl ca -config ssl.cnf -batch -in tmp/req.pem -out cert.pem \
    -cert cacert.pem -keyfile cakey.pem

When I try to load this key pair in a program built with OpenSSL 0.9.8m,
the call to SSL_CTX_use_PrivateKey_file fails with the following
error output:

6158:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:89:TYPE=PBES2
6158:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
6158:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:123:
6158:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:125:
6158:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

This error occurs regardless of whether I enter the correct password.
If I generate the key pair without password-protecting the key, the
program can load the key successfully.

I understand that OpenSSL 1.0 uses a different format for storing
private keys, but shouldn't earlier versions of OpenSSL still be able
to use such a key file?

Both OpenSSL 0.9.8m and 1.0b5 were compiled from source on
SLES 11 as follows:

./config threads shared --prefix=...

Here's the test program:

#include <stdio.h>
#include <stdlib.h>          /* exit() */
#include <openssl/err.h>
#include <openssl/ssl.h>

/* Print the reason code of the most recent error, dump the whole
 * OpenSSL error queue and bail out. */
void handleError(const char* msg)
{
    int reason = ERR_GET_REASON(ERR_peek_error());
    fprintf(stderr, "%s: reason = %d\n", msg, reason);
    ERR_print_errors_fp(stderr);
    exit(1);
}

int main(int argc, char **argv)
{
    SSL_CTX* ctx;

    if(!SSL_library_init())
    {
        fprintf(stderr, "init failure\n");
        return 1;
    }
    SSL_load_error_strings();

    ctx = SSL_CTX_new(SSLv23_method());
    if(ctx == NULL)
    {
        handleError("error creating SSL_CTX");
    }
    if(SSL_CTX_use_certificate_chain_file(ctx, "cert.pem") != 1)
    {
        handleError("error loading certificate");
    }
    /* No password callback is installed, so OpenSSL's default callback
     * prompts for the key passphrase on the terminal. */
    if(SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM) != 1)
    {
        handleError("error loading key");
    }

    printf("Done\n");
    SSL_CTX_free(ctx);

    return 0;
}
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
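The first line of the error output names the scheme the 0.9.8m build could not resolve (TYPE=PBES2), so the useful first check is to see exactly how key.pem is protected. The following is an added diagnostic, not code from the post, from the list, or from OpenSSL: it reads the PEM label, and for a PKCS#8 EncryptedPrivateKeyInfo walks the DER far enough to report the PBE scheme, the KDF and the cipher, which shows whether a key written by 1.0 is in PKCS#8/PBES2 form or in the older traditional form with a DEK-Info header. The two sample keys are constructed inside the file and contain no key material; the OID tables cover only the common PKCS#5 and PKCS#12 schemes.

```python
"""Report how a PEM private key is password-protected (added diagnostic)."""
import base64
import re

# Password-based-encryption OIDs seen in EncryptedPrivateKeyInfo.
PBE_OIDS = {
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12)",
}
PBES2_OID = "1.2.840.113549.1.5.13"
PBKDF2_OID = "1.2.840.113549.1.5.12"
CIPHER_OIDS = {
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
}


def _read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _algorithm_identifier(seq_body):
    """Split the body of an AlgorithmIdentifier into (oid, parameter bytes)."""
    tag, oid_raw, pos = _read_tlv(seq_body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid_raw), seq_body[pos:]


def classify_pem_key(pem_text):
    """Return a dict with the container format, PBE scheme, KDF and cipher."""
    m = re.search(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":               # PKCS#8 EncryptedPrivateKeyInfo
        der = base64.b64decode("".join(body.split()))
        _, epki, _ = _read_tlv(der)
        _, alg_body, _ = _read_tlv(epki)               # encryptionAlgorithm
        pbe_oid, params = _algorithm_identifier(alg_body)
        info = {"format": "PKCS#8 encrypted", "pbe": PBE_OIDS.get(pbe_oid, pbe_oid)}
        if pbe_oid == PBES2_OID:                       # PBES2-params { kdf, scheme }
            _, p, _ = _read_tlv(params)
            _, kdf_body, pos = _read_tlv(p)
            _, enc_body, _ = _read_tlv(p, pos)
            kdf_oid, _ = _algorithm_identifier(kdf_body)
            enc_oid, _ = _algorithm_identifier(enc_body)
            info["kdf"] = "PBKDF2" if kdf_oid == PBKDF2_OID else kdf_oid
            info["cipher"] = CIPHER_OIDS.get(enc_oid, enc_oid)
        return info
    if label == "PRIVATE KEY":                         # PKCS#8, unencrypted
        return {"format": "PKCS#8 plain", "pbe": "none"}
    if label.endswith(" PRIVATE KEY"):                 # RSA/DSA/EC traditional form
        encrypted = re.search(r"^Proc-Type: 4,ENCRYPTED$", body, re.M) is not None
        dek = re.search(r"^DEK-Info: ([^,\n]+)", body, re.M)
        return {"format": "traditional " + label,
                "pbe": "legacy PEM encryption" if encrypted else "none",
                "cipher": dek.group(1) if dek else None}
    raise ValueError("not a private key block: " + label)


# --- constructed samples (no real key material) ---------------------------
def _der(tag, content):
    """Tiny DER encoder used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return _der(0x06, bytes(out))


def build_sample_pbes2_pem():
    """PKCS#8 key in the form the post's error names: PBES2/PBKDF2/des-ede3-cbc."""
    kdf = _der(0x30, _oid(PBKDF2_OID) + _der(0x30, _der(0x04, b"\x01" * 8) + _der(0x02, b"\x08\x00")))
    scheme = _der(0x30, _oid("1.2.840.113549.3.7") + _der(0x04, b"\x02" * 8))
    alg = _der(0x30, _oid(PBES2_OID) + _der(0x30, kdf + scheme))
    der = _der(0x30, alg + _der(0x04, b"\x00" * 48))  # filler in place of ciphertext
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % lines


SAMPLE_TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(classify_pem_key(build_sample_pbes2_pem()))
    print(classify_pem_key(SAMPLE_TRADITIONAL))
```

Run it against the real key.pem with `classify_pem_key(open("key.pem").read())`. Two things I would then check in the test program, offered as what to look at rather than as a confirmed cause: in 0.9.8 the PBE lookup table that EVP_PBE_CipherInit consults is filled by OpenSSL_add_all_algorithms(), which SSL_library_init() does not call, so a program that initialises only the SSL layer cannot resolve PBES2 even though the library itself implements it; and if the old build must read the file unchanged, OpenSSL 1.0's own `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` or `openssl rsa -des3` will rewrite the key into a PKCS#12-style PBE or the traditional encrypted form.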