Update pkcs8 defaults.

Update pkcs8 utility to use 256 bit AES using SHA256 by default.

Update documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2016-05-11 12:41:58 +01:00
parent 2ab851b779
commit 8fc06e8860
4 changed files with 31 additions and 27 deletions

View File

@ -4,6 +4,10 @@
Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
*) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
256 bit AES and HMAC with SHA256.
[Steve Henson]
*) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
[Andy Polyakov]

View File

@ -177,6 +177,8 @@ int pkcs8_main(int argc, char **argv)
"%s: Unknown PRF algorithm %s\n", prog, opt_arg());
goto opthelp;
}
if (cipher == NULL)
cipher = EVP_aes_256_cbc();
break;
case OPT_ITER:
if (!opt_int(opt_arg(), &iter))
@ -225,8 +227,8 @@ int pkcs8_main(int argc, char **argv)
goto end;
}
if ((pbe_nid == -1) && !cipher)
pbe_nid = NID_pbeWithMD5AndDES_CBC;
if ((pbe_nid == -1) && cipher == NULL)
cipher = EVP_aes_256_cbc();
in = bio_open_default(infile, 'r', informat);
if (in == NULL)

View File

@ -140,7 +140,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
if ((prf_nid == -1) &&
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
ERR_clear_error();
prf_nid = NID_hmacWithSHA1;
prf_nid = NID_hmacWithSHA256;
}
EVP_CIPHER_CTX_free(ctx);
ctx = NULL;

View File

@ -57,7 +57,7 @@ private key is used.
=item B<-outform DER|PEM>
This specifies the output format, the options have the same meaning as the
This specifies the output format, the options have the same meaning as the
B<-inform> option.
=item B<-in filename>
@ -100,28 +100,26 @@ code signing software used unencrypted private keys.
=item B<-v2 alg>
This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
private keys are encrypted with the password based encryption algorithm
called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
was the strongest encryption algorithm supported in PKCS#5 v1.5. Using
the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
not many implementations support PKCS#5 v2.0 yet. If you are just using
private keys with OpenSSL then this doesn't matter.
This option sets the PKCS#5 v2.0 algorithm.
The B<alg> argument is the encryption algorithm to use, valid values include
B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
is used.
=item B<-v2prf alg>
This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
values would be B<hmacWithSHA256>. If this option isn't set then the default
for the cipher is used or B<hmacWithSHA1> if there is no default.
value would be B<hmacWithSHA256>. If this option isn't set then the default
for the cipher is used or B<hmacWithSHA256> if there is no default.
Some implementations may not support custom PRF algorithms and may require
the B<hmacWithSHA1> option to work.
=item B<-v1 alg>
This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
list of possible algorithms is included below.
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 for is used.
=item B<-engine id>
@ -145,6 +143,13 @@ sets the scrypt B<N>, B<r> or B<p> parameters.
=head1 NOTES
By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
AES with HMAC and SHA256 is used.
Some older implementations do not support PKCS#5 v2.0 format and require
the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
encryption algorithms such as 56 bit DES.
The encrypted form of a PEM encode PKCS#8 files uses the following
headers and footers:
@ -161,13 +166,6 @@ counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered
important the keys should be converted.
The default encryption is only 56 bits because this is the encryption
that most current implementations of PKCS#8 will support.
Some software may use PKCS#12 password based encryption algorithms
with PKCS#8 format private keys: these are handled automatically
but there is no option to produce them.
It is possible to write out DER encoded encrypted private keys in
PKCS#8 format because the encryption details are included at an ASN1
level whereas the traditional format includes them at a PEM level.
@ -228,8 +226,8 @@ Read a DER unencrypted PKCS#8 format private key:
Convert a private key from any PKCS#8 format to traditional format:
openssl pkcs8 -in pk8.pem -out key.pem
Convert a private key to PKCS#8 format, encrypting with AES-256 and with
Convert a private key to PKCS#8 format, encrypting with AES-256 and with
one million iterations of the password:
openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
@ -259,7 +257,7 @@ the old format at present.
=head1 SEE ALSO
L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
L<gendsa(1)>
L<gendsa(1)>
=head1 HISTORY