gnutls-devel

Re: Possible bug in pkcs8 import


From: David Marín Carreño
Subject: Re: Possible bug in pkcs8 import
Date: Thu, 23 Oct 2008 08:19:29 +0200

Hi all again.

2008/10/22 Nikos Mavrogiannopoulos <address@hidden>:
> David Marín Carreño wrote:
>> Hi all.
>>
>> I am developing PKCS#8 import in gnoMint (http://gnomint.sf.net).
>>
>> For testing what are the error codes obtained while probing the type
>> of a given file, I have developed a little program that tries to
>> import a given file as a PEM-codified crypted and unencrypted PKCS8
>> file, and the same with DER format.
>>
>> The problem is that I am not able to import any PKCS#8 file, crypted
>> or unencrypted, DER or PEM. I have generated these PKCS#8 (attached)
>> files using gnutls (test-pem-crypt.pkcs8), openssl
>> (test-pem-uncrypt.pkcs8, and both test-der-*.pkcs8), and certtool
>> (test-pem-crypt2048.pkcs8).
>>
>> I am obtaining -207 (GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) while
>> trying to import a DER file as a PEM file, which is correct. But all
>> other combinations always result with an error -67
>> (GNUTLS_E_ASN1_ELEMENT_NOT_FOUND).
>
> It seems certtool cannot handle not encrypted PKCS #8 files properly.
> Moreover if run with -d 2 I can see that
> |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' (DES-CBC) is
> unsupported.
>
> How did you encrypt this key?
>

The file test-pem-crypt.pkcs8 was created with libgnutls, with the 
function gnutls_x509_privkey_export_pkcs8:

gnutls_x509_privkey_export_pkcs8 (key, GNUTLS_X509_FMT_PEM, "lalalala", 
                                  GNUTLS_PKCS_USE_PKCS12_3DES, buffer, 
                                  &buffer_len)

"key" is a private DSA key, also generated with libgnutls.

The file test-pem-crypt2048.pkcs8 was created with certtool, with the 
command options:

certtool -8 -p > test-pem-crypt2048.pkcs8

The other files were created with openssl, importing test-pem-crypt.pkcs8 and exporting it into other formats.

>> Could anyone help me? Is the problem in the PKCS8 files, in my test
>> program, or in gnutls?
>
> It seems it's a combination of certtool issues and gnutls not supporting
>  DES-CBC for PKCS #8.
>

But it seems to support it while generating PKCS#8 files...

> regards,
> Nikos
>

Best regards,

--
David Marín Carreño
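
A format-level probe for the question raised in this thread, as an added example that is not part of the original message and is not GnuTLS or gnoMint code: it reports whether a file is PEM or DER, whether it holds an encrypted or unencrypted PKCS#8 structure, and which algorithm OID it declares, without calling any crypto library. The function names (`probe_pkcs8`, `read_tlv`, `decode_oid`) and the sample byte strings are constructed for illustration; the samples are structural skeletons, not real keys.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER TLV at pos."""
    tag, length = buf[pos:pos + 2]  # ValueError if the header is truncated
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER body")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:  # base-128 digits, high bit set on all but the last
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(map(str, [*head, *arcs[1:]]))

def probe_pkcs8(data):
    """Return (encoding, kind, algorithm OID) without decrypting anything."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(2)) if m else data
    tag, pos, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    kind = "unencrypted" if tag == 0x02 else "encrypted"
    if tag == 0x02:  # PrivateKeyInfo: INTEGER version precedes AlgorithmIdentifier
        tag, start, end = read_tlv(der, end)
    oid_tag, o_start, o_end = read_tlv(der, start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier with OID not found")
    return ("PEM" if m else "DER"), kind, decode_oid(der[o_start:o_end])

# Constructed structural skeletons (dummy key/ciphertext bytes), not real keys.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
PBE_OID = tlv(0x06, bytes.fromhex("2a864886f70d010503"))  # OID from the debug log
ENC_DER = tlv(0x30, tlv(0x30, PBE_OID + tlv(0x30, b"")) + tlv(0x04, b"\0" * 8))
ENC_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(ENC_DER)
           + b"-----END ENCRYPTED PRIVATE KEY-----\n")
DSA_OID = tlv(0x06, bytes.fromhex("2a8648ce380401"))  # 1.2.840.10040.4.1 (DSA)
PLAIN_DER = tlv(0x30, tlv(0x02, b"\0") + tlv(0x30, DSA_OID) + tlv(0x04, b"\0"))
```

Running such a probe on a file before handing it to the import functions tells apart a wrong-container guess from an unsupported encryption schema, since the declared OID is visible either way.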

