From 8fc06e8860d91aefa32f0de2dd7d46a719b81cad Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Wed, 11 May 2016 12:41:58 +0100
Subject: [PATCH] Update pkcs8 defaults.
Update pkcs8 utility to use 256 bit AES using SHA256 by default. Update documentation.
Reviewed-by: Viktor Dukhovni
---
 CHANGES | 4 ++++
 apps/pkcs8.c | 6 ++++--
 crypto/asn1/p5_pbev2.c | 2 +-
 doc/apps/pkcs8.pod | 46 ++++++++++++++++++++----------------------
 4 files changed, 31 insertions(+), 27 deletions(-)
diff --git a/CHANGES b/CHANGES
index 55e7aa4c62..0b533acb54 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@ Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
+ *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+ 256 bit AES and HMAC with SHA256.
+ [Steve Henson]
+
 *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
 [Andy Polyakov]
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index cd4e76b6d0..d7ac5cb015 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -177,6 +177,8 @@ int pkcs8_main(int argc, char **argv)
 "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
 goto opthelp;
 }
+ if (cipher == NULL)
+ cipher = EVP_aes_256_cbc();
 break;
 case OPT_ITER:
 if (!opt_int(opt_arg(), &iter))
@@ -225,8 +227,8 @@ int pkcs8_main(int argc, char **argv)
 goto end;
 }
- if ((pbe_nid == -1) && !cipher)
- pbe_nid = NID_pbeWithMD5AndDES_CBC;
+ if ((pbe_nid == -1) && cipher == NULL)
+ cipher = EVP_aes_256_cbc();
 in = bio_open_default(infile, 'r', informat);
 if (in == NULL)
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 244706a3df..9bf6d00cff 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -140,7 +140,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
 if ((prf_nid == -1) &&
 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
 ERR_clear_error();
- prf_nid = NID_hmacWithSHA1;
+ prf_nid = NID_hmacWithSHA256;
 }
 EVP_CIPHER_CTX_free(ctx);
 ctx = NULL;
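Review bot: The AES-256 default added in the OPT_V2PRF case of apps/pkcs8.c is applied while options are still being parsed, so giving `-v2prf` quietly commits the run to a PKCS#5 v2.0 cipher even if `-v1 alg` is also on the command line, and neither this hunk nor the one at @@ -225 documents which option is meant to win or rejects the combination. If pbe_nid is also the variable that carries the PRF NID (it is assigned outside the hunk, so this is an inference), a later `-v1` would pair a v1.5 PBE NID with the v2 cipher, which is worth an explicit check or at least a comment in this case such as `/* -v2prf implies PKCS#5 v2.0: default the cipher here unless -v2 chose one */`. The same `EVP_aes_256_cbc()` literal is repeated in the @@ -225 hunk; a single named default would keep the two in step if the default is raised again. The OPT_V2PRF case and pkcs8_main() both start and end outside the hunk.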
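Review bot: The fallback on the added line in crypto/asn1/p5_pbev2.c changes the PRF that every caller of PKCS5_pbe2_set_iv() receives when it passes prf_nid as -1 and the cipher reports no PBE PRF default, so the effect is library-wide rather than limited to the pkcs8 utility that the CHANGES entry in this commit describes, and nothing in the hunk records that. Consumers that only understand hmacWithSHA1 (the pod change in this same commit warns that such implementations exist) will now reject default output from any application using this function, so the library-level change deserves its own CHANGES line and a mention in the function's documentation. A comment above the assignment, e.g. `/* No PRF requested and the cipher has no PBE PRF default: use HMAC-SHA256 (was HMAC-SHA1) */`, would record the intent at the point of change. PKCS5_pbe2_set_iv() starts and ends outside the hunk.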
diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod
index 8d28a123a1..6b526853e6 100644
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -57,7 +57,7 @@ private key is used.
 =item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 =item B<-in filename>
@@ -100,28 +100,26 @@ code signing software used unencrypted private keys.
 =item B<-v2 alg>
-This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
-private keys are encrypted with the password based encryption algorithm
-called B this uses 56 bit DES encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using
-the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
-encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
-not many implementations support PKCS#5 v2.0 yet. If you are just using
-private keys with OpenSSL then this doesn't matter.
+This option sets the PKCS#5 v2.0 algorithm.
 The B argument is the encryption algorithm to use, valid values include
-B, B and B. It is recommended that B is used.
+B, B and B. If this option isn't specified then B
+is used.
 =item B<-v2prf alg>
 This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
-values would be B. If this option isn't set then the default
-for the cipher is used or B if there is no default.
+value would be B. If this option isn't set then the default
+for the cipher is used or B if there is no default.
+
+Some implementations may not support custom PRF algorithms and may require
+the B option to work.
 =item B<-v1 alg>
-This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
-list of possible algorithms is included below.
+This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
+older implementations may not support PKCS#5 v2.0 and may require this option.
+If not specified PKCS#5 v2.0 for is used.
 =item B<-engine id>
@@ -145,6 +143,13 @@ sets the scrypt B, B or B

 parameters.
 =head1 NOTES
+By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
+AES with HMAC and SHA256 is used.
+
+Some older implementations do not support PKCS#5 v2.0 format and require
+the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
+encryption algorithms such as 56 bit DES.
+
 The encrypted form of a PEM encode PKCS#8 files uses the following headers
 and footers:
@@ -161,13 +166,6 @@ counts are more secure that those encrypted using the traditional SSLeay
 compatible formats. So if additional security is considered important the
 keys should be converted.
-The default encryption is only 56 bits because this is the encryption
-that most current implementations of PKCS#8 will support.
-
-Some software may use PKCS#12 password based encryption algorithms
-with PKCS#8 format private keys: these are handled automatically
-but there is no option to produce them.
-
 It is possible to write out DER encoded encrypted private keys in PKCS#8 format because the encryption details are included at an ASN1 level whereas the traditional format includes them at a PEM level.
@@ -228,8 +226,8 @@ Read a DER unencrypted PKCS#8 format private key:
 Convert a private key from any PKCS#8 format to traditional format:
 openssl pkcs8 -in pk8.pem -out key.pem
-
-Convert a private key to PKCS#8 format, encrypting with AES-256 and with
+
+Convert a private key to PKCS#8 format, encrypting with AES-256 and with
 one million iterations of the password:
 openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
@@ -259,7 +257,7 @@ the old format at present.
 =head1 SEE ALSO
 L, L, L,
-L
+L
 =head1 HISTORY