How to read encrypted PKCS#8 format key file
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Nov 24 05:52:56 UTC 2022
On Thu, Nov 24, 2022 at 09:48:42AM +0530, Satyam Mehrotra wrote:
> I have encrypted pkcs#8 key file . Is there any openssl command buy which I
> can view the algorithm used to encrypt it ( i mean aes or des3 )
Removing blank lines and passing to "asn1parse" you get:
$ openssl asn1parse -in /tmp/foo.pem | less
0:d=0 hl=4 l=1302 cons: SEQUENCE
4:d=1 hl=2 l= 72 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 59 cons: SEQUENCE
19:d=3 hl=2 l= 35 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 22 cons: SEQUENCE
34:d=5 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:54BE686300BD75A2A58678D3AA746803
52:d=5 hl=2 l= 2 prim: INTEGER :0800
56:d=3 hl=2 l= 20 cons: SEQUENCE
58:d=4 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
68:d=4 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:39557361E14C06F5
78:d=1 hl=4 l=1224 prim: OCTET STRING [HEX DUMP]:0DFC7C23573AC5C76C368927B27178E5F877E15359E01CABE280FEAF572535985A8C7981075B995A94633193CF425432CAF9B6AE5BE978443B010CD453CF19C434DB6CD11B65ACC06F6C573EFC7FE3F667EAA4EFEC7088E953CD01AC6ADD38214275852765FF0309FB777E99EBE3A12FADC5E7DCF2A7A68F47DD018C39B1430B34C4A4329EA94E21D23B3D8B34F6F828F1340321685EC6F4E2F878A7B95EE710E8CD570109DDE90EC8D553C5A93E36E5F374E6670828DAA4F096183B77063E6F865F83E353861D864702AA18984A413B345D39464C055B8C7EB2D339AE04FEE4932F629E9736A3FA2D770528C07DCAE9950AD9CDE2EC838DABFE4BF40C745B447CF5D461B5B7EBD3BD1C050F129FC989684589CE6D780C126395C5749536A8E82902332EA9DB7174768780378D644029986FF2463184CD33B8DD1D4692ADF6CE0A9902A3459353102572A0AF981F96C66B6C2D8EF31BDAD438AB9E1D6CF897985713E6F5B5E2178A6F65AE582DEA2778E9041C2BC3C9B33EEDBFB19C439F5754FBACB61521711D7992CE2CCD5DC7A0AA543D3A93401031EFD39ABD435385C287A1F503686707A02E3AA2D5183CF9F2DA6436C7B51B46BFE31999592D35B099DE7FE68914610D09854E3B02A0773EB2367B7FA04205FC4500FED6AD0FF84E8A0EB183AFC84D2ABB1C43E8097C169097F3E2D744E3D31339AD024CD613733CC185F49C44B538ECA4BC63E7FA95E5F9A50E2DBD05DFC09724C6F729B5ACF41B5889C0C74B6979AEBEA3B5C73CA68AF8983DF69BEAC9BB8C1267E048B1AFE1D61757FA5D9543CE7FC4BA22D5A498FD9A1FB2A3430A56214F43D27A41B68C784F875AC29047608FEF4E3CFA69629C14558BABBA26063404D598AE927D34C642517AB9B458D51095EBFCFF67901ADF7151C6BCC336F447B437997E9C1C4DB3EF79D6A1CB7F673D32FED0010B6B6BE532F1E96F0DE04F20618615958628CB444CF952992FB5A3BF440501A768E9C91272B560E3F526306EE8FA61A46A7F1FB04B2B9D3954255AD4FF80C96950D20181657ED45F79C33186362686E969FE474B51E53F97F9FAA9F2FD40DDCE65C8406BE873418ED1EA6872C14420BE4A050F5715901AB5F8F21D256017B2C459F9289E00B8437C80A9DEBF857F87CDD18B29B131707984067D41B7C6B09B19CE942B9625CE69DD2F6F40F175568DBE69AD0DCD6971E87E9342DCAB8E7484C875FC2888D4EC13AB4748115DC9ECCE34B6D3C228C519FBD2BECB921946616A3F37E91F9DA275E0087D3C1AE74EF69E7EA57B94CE6A103122007D89E2C10277C0D56AD2BD18BC93B0D68DD43A4B9DF80368DD87AF55463A044CA2E603617BEA25DD37A15F8EB565FFA46160ABFAE2A47D5B9DE2AC6C8A79501389BEF33605EA95FA78521FB6561632006E45DCC4A6A9E68914CC63B3B27E1C29959A4224BE4DFB3CBEAD00C4DA6B004B5A30148543D4E83FF6AA0782A08DE95E42DEEA3B91EF45B9B14C9D28CD77DE8508CCDE4B10F2C36272C4D3CE348D4C268EE44C275F26556C66EB99BA2565D07F604BA6320FC5186847541162A0BAAA3250ECADC21DDED850B221517379BAA0241E537971325A96434C818A7FA2C3746E5DBC71074365BC6805F94A8ECAB84F6C4A9A9A1D9795667D3D342A37DECB8936ADFEC1232DA06A764DFF8166C040E62E7C0F09DCA4055200CEAC771D1139EA464CD51A947E360A
This is a PKCS#8 key using PKCS#5 PBES2 encryption, via PBKDF2 with salt
0x54BE686300BD75A2A58678D3AA746803 and 2048 iterations and an implicit
HMAC-SHA-1 PRF, encrypted with 3DES in CBC mode with 0x39557361E14C06F5
as the IV.
https://www.rfc-editor.org/rfc/rfc8018#section-6.2.1
PBKDF2-params ::= SEQUENCE {
salt CHOICE {
specified OCTET STRING,
otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
},
iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL,
prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
}
SupportingAlgorithms ALGORITHM-IDENTIFIER ::= {
{NULL IDENTIFIED BY id-hmacWithSHA1} |
{OCTET STRING (SIZE(8)) IDENTIFIED BY desCBC} |
{OCTET STRING (SIZE(8)) IDENTIFIED BY des-EDE3-CBC} |
{RC2-CBC-Parameter IDENTIFIED BY rc2CBC} |
{RC5-CBC-Parameters IDENTIFIED BY rc5-CBC-PAD}, |
{OCTET STRING (SIZE(16)) IDENTIFIED BY aes128-CBC-PAD} |
{OCTET STRING (SIZE(16)) IDENTIFIED BY aes192-CBC-PAD} |
{OCTET STRING (SIZE(16)) IDENTIFIED BY aes256-CBC-PAD},
...
}
--
Viktor.
More information about the openssl-users
mailing list