[openssl-users] problem with -aes256 and -outform der in cmmand

Viktor Dukhovni openssl-users at dukhovni.org
Mon Aug 21 16:59:40 UTC 2017 

On Mon, Aug 21, 2017 at 03:43:05PM +0000, Salz, Rich via openssl-users wrote:

> ➢ But if I use format=der I do not get prompted for the password.
>    
> DER does not support encryption.  The bug is that the command does not tell you this.

There is at least one standard encryption-capable ASN.1 private
key format, namely PKCS#8, and therefore a DER encoding thereof.
However, the (gen)pkey command does not support direct input or
output of encrypted PKCS8 in DER form.  This is a reflection of
the underlying API.

    ---------------- Note, takes no password argument:
    d2i_PrivateKey(3)               OpenSSL                  d2i_PrivateKey(3)

    NAME
       d2i_Private_key, d2i_AutoPrivateKey, i2d_PrivateKey - decode and encode
       functions for reading and saving EVP_PKEY structures.

    SYNOPSIS
        #include <openssl/evp.h>

        EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
                                 long length);
        EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
                                     long length);

    ...

    NOTES
       All these functions use DER format and unencrypted keys. Applications
       wishing to encrypt or decrypt private keys should use other functions
       such as d2i_PKC8PrivateKey() instead.

    ---------------------- Note, takes a password argument:
    d2i_PKCS8PrivateKey(3)              OpenSSL             d2i_PKCS8PrivateKey(3)

    NAME
       d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp,
       i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp,
       i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format
       private key functions

    SYNOPSIS
        #include <openssl/evp.h>

        EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
        EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);

So, while you can indirectly generate encrypted DER private keys:

    $ openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 |
        openssl pkcs8 -topk8 -v2 aes-128-cbc -outform DER -out key.der
    .......................................+++
    ............+++
    Enter Encryption Password:
    Verifying - Enter Encryption Password:

    $ openssl asn1parse -in key.der -inform DER
	openssl asn1parse -inform DER
	0:d=0  hl=4 l=1311 cons: SEQUENCE
	4:d=1  hl=2 l=  73 cons: SEQUENCE
	6:d=2  hl=2 l=   9 prim: OBJECT            :PBES2
       17:d=2  hl=2 l=  60 cons: SEQUENCE
       19:d=3  hl=2 l=  27 cons: SEQUENCE
       21:d=4  hl=2 l=   9 prim: OBJECT            :PBKDF2
       32:d=4  hl=2 l=  14 cons: SEQUENCE
       34:d=5  hl=2 l=   8 prim: OCTET STRING      [HEX DUMP]:9C914F36B0FDC2D0
       44:d=5  hl=2 l=   2 prim: INTEGER           :0800
       48:d=3  hl=2 l=  29 cons: SEQUENCE
       50:d=4  hl=2 l=   9 prim: OBJECT            :aes-128-cbc
       61:d=4  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:...iv...
       79:d=1  hl=4 l=1232 prim: OCTET STRING      [HEX DUMP]:...ciphertext...

they can't directly be used with any of the OpenSSL "-inkey" or
similar options, as those don't assume PKCS8 and typically use:

    EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
				      pem_password_cb *cb, void *u);

    EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
				  pem_password_cb *cb, void *u);

the DER counterparts lack the password argument and can't read
encrypted keys.  So encrypted PKCS#8 is fine for moving keys
between organizations, systems or people, but for data at rest,
if you want encrypted keys, you'll need PEM.

Use a strong passphrase, as the PBKDF for PEM encryption is
weak.

-- 
	Viktor.

More information about the openssl-users mailing list