diff --git a/CHANGES.md b/CHANGES.md
index c2bbf0d167..0f6880d716 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -353,8 +353,8 @@ OpenSSL 3.0
 *Paul Dale*
 * The command line utilities genrsa and rsa have been modified to use PKEY
- APIs These commands are now in maintenance mode and no new features will
- be added to them.
+ APIs. They now write PKCS#8 keys by default. These commands are now in
+ maintenance mode and no new features will be added to them.
 *Paul Dale*
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 4f589e98c1..04315a559b 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -38,7 +38,7 @@ typedef enum OPTION_choice {
 #endif
 OPT_F4, OPT_ENGINE, OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
- OPT_R_ENUM, OPT_PROV_ENUM
+ OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
 const OPTIONS genrsa_options[] = {
@@ -62,6 +62,8 @@ const OPTIONS genrsa_options[] = {
 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
 {"primes", OPT_PRIMES, 'p', "Specify number of primes"},
 {"verbose", OPT_VERBOSE, '-', "Verbose output"},
+ {"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private keys"},
 {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 OPT_R_OPTIONS,
@@ -88,7 +90,7 @@ int genrsa_main(int argc, char **argv)
 char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
 char *prog, *hexe, *dece;
 OPTION_CHOICE o;
- unsigned char *ebuf = NULL;
+ int traditional = 0;
 if (bn == NULL || cb == NULL)
 goto end;
@@ -141,6 +143,9 @@ opthelp:
 case OPT_VERBOSE:
 verbose = 1;
 break;
+ case OPT_TRADITIONAL:
+ traditional = 1;
+ break;
 }
 }
 argc = opt_num_rest();
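Review bot: The help string added for `-traditional` in the genrsa options table, `"Use traditional format for private keys"`, names neither the format nor the trade-off, while the man-page hunks call it PKCS#1 versus the new PKCS#8 default; `"Write the private key in the traditional PKCS#1 format instead of PKCS#8"` would let `-help` say the same thing. The same string is added in the rsa.c options-table hunk (`@@ -59,6 +59,8 @@`) and should change with it. The openssl-rsa.pod.in hunk deletes the sentence describing the traditional private-key encryption as less secure than PKCS#8 without carrying it into the new `-traditional` entries, so after this commit nothing tells a user why the default changed; if that caveat is still considered accurate it belongs in the `-traditional` descriptions of both commands. `genrsa_options` continues outside the hunk.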
@@ -214,8 +219,14 @@ opthelp:
 OPENSSL_free(hexe);
 OPENSSL_free(dece);
 }
- if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
- goto end;
+ if (traditional) {
+ if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
+ NULL, passout))
+ goto end;
+ } else {
+ if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
+ goto end;
+ }
 ret = 0;
 end:
@@ -226,7 +237,6 @@ opthelp:
 BIO_free_all(out);
 release_engine(eng);
 OPENSSL_free(passout);
- OPENSSL_free(ebuf);
 if (ret != 0)
 ERR_print_errors(bio_err);
 return ret;
diff --git a/apps/rsa.c b/apps/rsa.c
index 0464729f71..fdee96d570 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -31,7 +31,7 @@ typedef enum OPTION_choice {
 /* Do not change the order here; see case statements below */
 OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
- OPT_PROV_ENUM
+ OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
 const OPTIONS rsa_options[] = {
@@ -59,6 +59,8 @@ const OPTIONS rsa_options[] = {
 {"noout", OPT_NOOUT, '-', "Don't print key out"},
 {"text", OPT_TEXT, '-', "Print the key in text"},
 {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
+ {"traditional", OPT_TRADITIONAL, '-',
+ "Use traditional format for private keys"},
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
 OPT_SECTION("PVK"),
@@ -88,6 +90,7 @@ int rsa_main(int argc, char **argv)
 int pvk_encr = 2;
 #endif
 OPTION_CHOICE o;
+ int traditional = 0;
 prog = opt_init(argc, argv, rsa_options);
 while ((o = opt_next()) != OPT_EOF) {
@@ -163,6 +166,9 @@ int rsa_main(int argc, char **argv)
 if (!opt_provider(o))
 goto end;
 break;
+ case OPT_TRADITIONAL:
+ traditional = 1;
+ break;
 }
 }
 argc = opt_num_rest();
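Review bot: The new `if (traditional)` branch calls two writers with the same seven arguments and no comment says what differs, so a reader has to know that `PEM_write_bio_PrivateKey_traditional` produces the legacy `RSA PRIVATE KEY` PEM block that this commit's testrsa.pem hunk replaces with a PKCS#8 `PRIVATE KEY` block; a one-line comment above the branch, such as `/* PKCS#8 is the default; -traditional keeps the legacy PKCS#1 "RSA PRIVATE KEY" encoding for older consumers */`, would record that. The openssl-rsa.pod.in text this commit deletes also describes the traditional format's private-key encryption as the less secure of the two, so when `enc` is non-NULL the choice presumably changes the encryption scheme and not only the framing — worth stating in the same comment so `-traditional` is not read as cosmetic. The removal of `ebuf` in the `@@ -88,7 +90,7 @@` and `@@ -226,7 +237,6 @@` hunks is an unrelated tidy-up. genrsa_main starts and ends outside this hunk.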
@@ -280,8 +286,13 @@ int rsa_main(int argc, char **argv)
 i = PEM_write_bio_RSA_PUBKEY(out, rsa);
 } else {
 assert(private);
- i = PEM_write_bio_RSAPrivateKey(out, rsa,
- enc, NULL, 0, NULL, passout);
+ if (traditional) {
+ i = PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
+ NULL, passout);
+ } else {
+ i = PEM_write_bio_PrivateKey(out, pkey,
+ enc, NULL, 0, NULL, passout);
+ }
 }
 #ifndef OPENSSL_NO_DSA
 } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
diff --git a/doc/man1/openssl-genrsa.pod.in b/doc/man1/openssl-genrsa.pod.in
index 33aa60ca4e..3f81e29eb4 100644
--- a/doc/man1/openssl-genrsa.pod.in
+++ b/doc/man1/openssl-genrsa.pod.in
@@ -28,6 +28,7 @@ B B
 [B<-3>]
 [B<-primes> I]
 [B<-verbose>]
+[B<-traditional>]
 {- $OpenSSL::safe::opt_r_synopsis -}
 {- $OpenSSL::safe::opt_engine_synopsis -}
 {- $OpenSSL::safe::opt_provider_synopsis -}
@@ -83,6 +84,10 @@ RSA key, which is defined in RFC 8017.
 Print extra details about the operations being performed.
+=item B<-traditional>
+
+Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.
+
 {- $OpenSSL::safe::opt_r_item -}
 {- $OpenSSL::safe::opt_engine_item -}
diff --git a/doc/man1/openssl-rsa.pod.in b/doc/man1/openssl-rsa.pod.in
index 4f9c41d668..722e4d584c 100644
--- a/doc/man1/openssl-rsa.pod.in
+++ b/doc/man1/openssl-rsa.pod.in
@@ -34,6 +34,7 @@ B B
 [B<-text>]
 [B<-noout>]
 [B<-modulus>]
+[B<-traditional>]
 [B<-check>]
 [B<-pubin>]
 [B<-pubout>]
@@ -47,10 +48,7 @@ B B
 =head1 DESCRIPTION
 This command processes RSA keys. They can be converted between
-various forms and their components printed out. B this command uses the
-traditional SSLeay compatible format for private key encryption: newer
-applications should use the more secure PKCS#8 format using the
-L command.
+various forms and their components printed out.
 =head1 OPTIONS
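Review bot: The private-key branch now writes via `pkey` while the public-key branch two lines above still writes via `rsa` with `PEM_write_bio_RSA_PUBKEY(out, rsa)`, leaving the PEM output path split across two handles to the same key; `PEM_write_bio_PUBKEY(out, pkey)` on that line would make the two branches symmetric, unless `rsa` is still required there for a reason outside the hunk. Where `pkey` and `rsa` are loaded is before the hunk, so confirm that `pkey` still holds the loaded key at this point rather than a handle that was released after `rsa` was extracted. The DER (`FORMAT_ASN1`) branch of this output chain is not in the hunk; if it still uses the RSA-specific `i2d_RSAPrivateKey_bio`, then the PKCS#8 default and `-traditional` affect PEM output only, which the unqualified "When writing a private key" wording in the openssl-rsa.pod.in hunk does not convey — either change that path too or say "PEM" in the option description. The enclosing `if`/`else` chain of rsa_main continues past the hunk.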
@@ -72,10 +70,10 @@ See L for details.
 The key output format; the default is B.
 See L for details.
-=item B<-inform> B|B
+=item B<-traditional>
-The data is a PKCS#1 B or B object.
-On input, PKCS#8 format private keys are also accepted.
+When writing a private key, use the traditional PKCS#1 format
+instead of the PKCS#8 format.
 =item B<-in> I
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 2c56cc278c..1f344217a2 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -529,7 +529,7 @@ parameters start with a minus sign:
 Several OpenSSL commands can take input or generate output in a variety of formats. Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
-files in any of the B, B, or B formats,
+files in any of the B, B or B formats,
 while specifying their input format is no more needed.
 The list of acceptable formats, and the default, is
diff --git a/test/testrsa.pem b/test/testrsa.pem
index aad21067a8..8648f10e37 100644
--- a/test/testrsa.pem
+++ b/test/testrsa.pem
@@ -1,9 +1,10 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
-Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
-rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
-oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
-mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
-rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
-mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAqtt6qS5GTxVxGZYW
+a0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO/Re1uwLKXdCjIoaGs4DLdG88rkzf
+yK5dPQIDAQABAkBndyfNodcz9vEZpHkJHVGsPWoUEBV+hAWI4f248mAxqgC6hASK
+w8dVxkMpw6/jASDr9MicAhcGcSKC2q9HO7KhAiEA9yBnNSrfJWigBqii/xRtc/Go
+eXCjoYEyqe/bTHOR/pkCIQCw/gGchpBMzxKa9ykdnBAl2Z0ceQYoCzfsN/GLrsdu
+RQIhAJ5kaWIdcVrTvUWnTpl5aVHYAOidNnOskGF1N7S/mkJ5AiEAhl+SIaAYFfhw
+i65yTMSbjeD1YxSPE//QaUrf28jKKHECIQCbKZ6EVFPQy+pbnEAoDHs+CS3wdUrB
+WFzYvAYocTQNkw==
+-----END PRIVATE KEY-----