-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkey: Use openssl generated pkcs8 key instead #830
Conversation
This is interesting. The I've looked at a few RFCs that use
I didn't know there was such a difference between OpenSSL and GnuTLS, but I wonder if this might have accidentally revealed an edge case not considered in AWS-LC/BoringSSL if they don't parse it.
I think it's the command @junaruga used to generate the current PEM block in #790. I tried with certtool from GnuTLS 3.8.8 and it used the same PBES2 parameters with AES. I imagine it could depend on the GnuTLS's version and other variables. |
Yeah you’re absolutely right, I was misusing an older version of GnuTLS and looking at an older revision of it as well. Later versions past 3.7.3 changed the defaults to be AES-128 with HMAC-SHA256 instead. Sorry for the confusion there. |
Thanks for sharing the multiple RFCs that use
This was taken from RFC5754, Section 1, but a similar definition can be found in RFC8017's and RFC8018’s Appendix C. One thing I'd like to add is that I think For
Unfortunately the RFC does not specify the same for other Sidenote: I did find this interesting newer RFC9579 that was meant to be an amendment upon RFC8018. Appendix B in this RFC does have examples where other |
It's a good point that RFC 8018 uses the exact same wording "SHALL have type [...]" for other Even if they are from different contexts, both RFC 8018 and PKCS#1v2.2/RFC 8017 were by the same authors and published at almost the same time. RFC 8017 uses a similar but slightly different wording "SHALL have a value of type [...]" to describe Digging it a bit, it turned out not to be the case. Older versions of PKCS#1 also used "SHALL have type [...]" throughout the document, but PKCS#1v2.1/RFC 3447 clarified it to "SHALL have a value of type [...]". PKCS#5 simply didn't pick up this change. GnuTLS also seems to be going to change the behavior: https://gitlab.com/gnutls/gnutls/-/merge_requests/1912 |
Thanks for the research and fixing it! |
In the
test_private_encoding_encrypted
test, we have a rsa private key pem file that was generated withcerttool
. I'm not entirely sure if the command that was used to generated the file was correct though. Dumping out the ASN.1 contents of this file indicates that this file was generated with an additional--pkcs-cipher=aes-128
. When I try running the same command as the documentation indicates, the pem file would be encrypted with the default3des-pkcs12
instead.der2ascii -pem -i rsa.pem > rsa.txt
.The commentary above is fairly minor. The larger issue is that certtool's generated pkcs8 files aren't entirely consistent with RFC8018 Appendix A.2. certtool's PKCS8 private keys have a missing
NULL
field that should be paired with the Algorithm ID when using PBKDF2-PRF. OpenSSL doesn't seem to notice this, although this does fail with stricter parsers that explicitly check the field. I've cut an issue to GnuTLS regarding this, but it would be awesome if we could use a key file that's consistent with RFC guidelines for now instead.OpenSSL's generated PKCS8 keys don't have the same issue described, so I've replaced the key file for an OpenSSL generated command along with the command I used to generate.