Unable to generate privatekey with 128bit salt

Unable to generate privatekey with 128bit salt

kishore
Hi,

I'm trying to generate a private key to use in FIPS mode with BC as the provider for my application.

I tried the command below to do the same:
./openssl genrsa -out aes256sha12048.key -aes256 2048  -S E1F53135E559C253

but when I try to load the key using BouncyCastle code, it throws

"Error salt must be at least 128 bits"

I'm a novice; can someone help me with this?


~Kishore

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Unable to generate privatekey with 128bit salt

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of kishore
> Sent: Friday, October 13, 2017 07:05

>./openssl genrsa -out aes256sha12048.key -aes256 2048  -S E1F53135E559C253

Using what version of OpenSSL? Running on what platform? Please include basic, essential information in your question. Don't make us guess.

> but when try to load the key using BouncyCastle code, it throws 

> "Error salt must be at least 128 bits"

The version of the openssl utility (1.0.2j) I'm running doesn't list a -S parameter in its help output, and I don't see one in genrsa.c, but there is one in enc.c, so maybe the genrsa command supports it. Though when I tried your command line, the key I got was encrypted with a salt (IV, really) that didn't appear to be related in any way to the value given with -S.

In any case, though, the value you're passing for -S is only 64 bits. 64 is less than 128.

Have you tried omitting the -S option? You should get a key encrypted with an IV of the appropriate length (128 bits) for AES-CBC-256.

What does the PEM header - particularly the DEK-Info line - in the generated key file say?

--
Michael Wojcik
Distinguished Engineer, Micro Focus
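
Added example, not part of either message and not OpenSSL or BouncyCastle code: one way to answer the DEK-Info question above is to read the headers of a traditional-format encrypted PEM key and report the cipher and IV length. The sample key text, the function names and the MIN_BITS constant are assumptions made for this sketch; the IV and body in the sample are constructed values.

```python
import re

# Constructed sample: header layout of a traditional-format encrypted RSA key
# (the format that carries a DEK-Info line). IV and body are made-up values.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

MIN_BITS = 128  # assumption: threshold taken from the error text in the thread


def inspect_pem_key(pem_text):
    """Return a dict describing how a PEM private key is protected."""
    begin = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem_text)
    if not begin:
        raise ValueError("no PEM BEGIN line found")
    info = {"label": begin.group(1), "encrypted": False,
            "cipher": None, "iv_bits": None, "meets_minimum": None}
    if info["label"] == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: encryption parameters are inside the ASN.1 body, not headers.
        info["encrypted"] = True
        return info
    # Headers sit between the BEGIN line and the first blank line.
    rest = pem_text[begin.end():].lstrip("\r\n")
    header_block = re.split(r"\r?\n\r?\n", rest, maxsplit=1)[0]
    headers = {}
    for line in header_block.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if "ENCRYPTED" in headers.get("proc-type", ""):
        info["encrypted"] = True
    dek = headers.get("dek-info")
    if dek:
        cipher, _, iv_hex = dek.partition(",")
        iv = bytes.fromhex(iv_hex.strip())  # raises ValueError on bad hex
        info.update(cipher=cipher.strip(), iv_bits=len(iv) * 8,
                    meets_minimum=len(iv) * 8 >= MIN_BITS)
    return info


def hex_bits(hex_value):
    """Bit length of a hex string such as the value passed to -S."""
    return len(bytes.fromhex(hex_value)) * 8
```

Calling inspect_pem_key() on the contents of the generated key file shows whether the IV written to DEK-Info is 128 bits, and hex_bits() on the -S value from the question gives 64.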