problem with -aes256 and -outform der in command


Robert Moskowitz
If I use format=pem in the following:

openssl genpkey -outform $format -aes256 -algorithm ec \
     -pkeyopt ec_paramgen_curve:prime256v1 \
     -pkeyopt ec_param_enc:named_curve -out private/ca.key.$format

the private key is password protected.

But if I use format=der

I do not get prompted for the password.

The pem file is 379 bytes and the der is 121, but that is not a valid
comparison as der is not encrypted...

Is this a bug?  Or a feature?

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: problem with -aes256 and -outform der in command

OpenSSL - User mailing list
➢ But if I use format=der I do not get prompted for the password.
   
DER does not support encryption.  The bug is that the command does not tell you this.


Re: problem with -aes256 and -outform der in command

Robert Moskowitz


On 08/21/2017 11:43 AM, Salz, Rich via openssl-users wrote:
> ➢ But if I use format=der I do not get prompted for the password.
>    
> DER does not support encryption.  The bug is that the command does not tell you this.
>
OK.  And why does DER not support encryption?  Actually, I can see
working around this.  The CA certs private keys can be in PEM and
everything else in DER.  Provided I can get all the inform and outforms
right.

But for now I will 'live' with unencrypted DER CA private keys.

Bob

Re: problem with -aes256 and -outform der in command

OpenSSL - User mailing list
➢ OK.  And why does DER not support encryption

Because it is not defined.  If you want to encrypt keys, you need to use PKCS12 which might be too much for your application.


Re: problem with -aes256 and -outform der in command

Sam Roberts
Probably I misunderstand the context, since PKCS#8 can be used to
encrypt EC private key info, some more info at
https://tools.ietf.org/html/rfc5915. Which doesn't help the OP if the
openssl CLI doesn't support it.


On Mon, Aug 21, 2017 at 8:52 AM, Salz, Rich via openssl-users
<[hidden email]> wrote:
> ➢ OK.  And why does DER not support encryption
>
> Because it is not defined.  If you want to encrypt keys, you need to use PKCS12 which might be too much for your application.
>

Re: problem with -aes256 and -outform der in command

Robert Moskowitz


On 08/21/2017 11:52 AM, Salz, Rich wrote:
> ➢ OK.  And why does DER not support encryption
>
> Because it is not defined.  If you want to encrypt keys, you need to use PKCS12 which might be too much for your application.
>
If a device has secure storage, it does not need to encrypt its private
key.  It all depends on the architecture.

Or they can implement whatever works in their device to protect the keys.

The root CA is not a problem as it is offline except to make new
intermediate CAs.  In fact for Singapore, I hope to have the root CA be
a mSD card with Fedora26 for a Cubieboard2.  Pop the card in, and there
is your root CA.  And a different mSD card for the signing CA!  I can do
this all offline.  Just put the CSR on a USB drive and insert it in one
of the Cubie's USB ports and sign away!

I just need to document this all.  That is all.  :)

Bob


Re: problem with -aes256 and -outform der in command

Viktor Dukhovni
On Mon, Aug 21, 2017 at 03:43:05PM +0000, Salz, Rich via openssl-users wrote:

> ➢ But if I use format=der I do not get prompted for the password.
>    
> DER does not support encryption.  The bug is that the command does not tell you this.

There is at least one standard encryption-capable ASN.1 private
key format, namely PKCS#8, and therefore a DER encoding thereof.
However, the (gen)pkey command does not support direct input or
output of encrypted PKCS8 in DER form.  This is a reflection of
the underlying API.

    ---------------- Note, takes no password argument:
    d2i_PrivateKey(3)               OpenSSL                  d2i_PrivateKey(3)

    NAME
       d2i_Private_key, d2i_AutoPrivateKey, i2d_PrivateKey - decode and encode
       functions for reading and saving EVP_PKEY structures.

    SYNOPSIS
        #include <openssl/evp.h>

        EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
                                 long length);
        EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
                                     long length);

    ...

    NOTES
       All these functions use DER format and unencrypted keys. Applications
       wishing to encrypt or decrypt private keys should use other functions
       such as d2i_PKC8PrivateKey() instead.

    ---------------------- Note, takes a password argument:
    d2i_PKCS8PrivateKey(3)              OpenSSL             d2i_PKCS8PrivateKey(3)

    NAME
       d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp,
       i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp,
       i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format
       private key functions

    SYNOPSIS
        #include <openssl/evp.h>

        EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
        EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);

So, while you can indirectly generate encrypted DER private keys:

    $ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 |
        openssl pkcs8 -topk8 -v2 aes-128-cbc -outform DER -out key.der
    .......................................+++
    ............+++
    Enter Encryption Password:
    Verifying - Enter Encryption Password:

    $ openssl asn1parse -in key.der -inform DER
        openssl asn1parse -inform DER
        0:d=0  hl=4 l=1311 cons: SEQUENCE
        4:d=1  hl=2 l=  73 cons: SEQUENCE
        6:d=2  hl=2 l=   9 prim: OBJECT            :PBES2
       17:d=2  hl=2 l=  60 cons: SEQUENCE
       19:d=3  hl=2 l=  27 cons: SEQUENCE
       21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
       32:d=4  hl=2 l=  14 cons: SEQUENCE
       34:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:9C914F36B0FDC2D0
       44:d=5  hl=2 l=   2 prim: INTEGER           :0800
       48:d=3  hl=2 l=  29 cons: SEQUENCE
       50:d=4  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
       61:d=4  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:...iv...
       79:d=1  hl=4 l=1232 prim: OCTET STRING      [HEX DUMP]:...ciphertext...

they can't directly be used with any of the OpenSSL "-inkey" or
similar options, as those don't assume PKCS8 and typically use:

    EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
                                      pem_password_cb *cb, void *u);

    EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
                                  pem_password_cb *cb, void *u);

the DER counterparts lack the password argument and can't read
encrypted keys.  So encrypted PKCS#8 is fine for moving keys
between organizations, systems or people, but for data at rest,
if you want encrypted keys, you'll need PEM.

Use a strong passphrase, as the PBKDF for PEM encryption is
weak.

--
        Viktor.
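
Added example, not part of the thread and not OpenSSL code: a check that tells encrypted PKCS#8 DER (the PBES2 structure in the asn1parse dump above) apart from the unencrypted DER forms, so a key written with -outform der can be audited before it is stored. The function names and the sample blobs are constructed for illustration.

```python
# Added example: classify a DER private key by its outer ASN.1 shape.
PBES2_OID = bytes.fromhex("2a864886f70d01050d")  # 1.2.840.113549.1.5.13 ("PBES2")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def classify_key(der):
    """Name the container a DER private key uses; only PKCS#8 can be encrypted."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag1, val1, nxt = read_tlv(body)
    tag2, _, _ = read_tlv(body, nxt)
    if tag1 == 0x30 and tag2 == 0x04:     # AlgorithmIdentifier, then OCTET STRING
        oid_tag, oid, _ = read_tlv(val1)
        if oid_tag == 0x06:
            return "encrypted-pkcs8-pbes2" if oid == PBES2_OID else "encrypted-pkcs8-other"
    if tag1 == 0x02:                      # unencrypted forms start with a version INTEGER
        return {0x30: "plain-pkcs8",      # PrivateKeyInfo: version, AlgorithmIdentifier
                0x04: "plain-sec1-ec",    # ECPrivateKey: version, OCTET STRING
                0x02: "plain-traditional"}.get(tag2, "unknown")  # e.g. RSAPrivateKey
    return "unknown"

def tlv(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed samples: correct outer structure, dummy zero bytes instead of key material.
ENCRYPTED = tlv(0x30, tlv(0x30, tlv(0x06, PBES2_OID) + tlv(0x30, b"")) + tlv(0x04, bytes(1232)))
SEC1_EC = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, bytes(32)))
PLAIN_P8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201"))) + tlv(0x04, bytes(40)))
```

Running classify_key(open(path, "rb").read()) over a key store flags every file whose result starts with "plain-".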