[openssl-commits] [openssl] master update

Dr. Stephen Henson steve at openssl.org
Wed May 11 19:38:55 UTC 2016

The branch master has been updated
       via  538dbbc6f77bf8080305082bdb8e961eaca053b6 (commit)
       via  8fc06e8860d91aefa32f0de2dd7d46a719b81cad (commit)
      from  2ab851b779a77d119e1677b2495b368a46d83eef (commit)

- Log -----------------------------------------------------------------
commit 538dbbc6f77bf8080305082bdb8e961eaca053b6
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed May 11 19:14:54 2016 +0100

    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit 8fc06e8860d91aefa32f0de2dd7d46a719b81cad
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Wed May 11 12:41:58 2016 +0100

    Update pkcs8 defaults.
    Update pkcs8 utility to use 256 bit AES using SHA256 by default.
    Update documentation.
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>


Summary of changes:
 CHANGES                 |  4 ++++
 apps/pkcs8.c            |  6 ++++--
 crypto/asn1/p5_pbev2.c  |  2 +-
 doc/apps/pkcs8.pod      | 46 ++++++++++++++++++++++------------------------
 engines/afalg/e_afalg.c |  2 +-
 5 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/CHANGES b/CHANGES
index 55e7aa4..0b533ac 100644
@@ -4,6 +4,10 @@
  Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
+  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+     256 bit AES and HMAC with SHA256.
+     [Steve Henson]
   *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
      [Andy Polyakov]
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index cd4e76b..d7ac5cb 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -177,6 +177,8 @@ int pkcs8_main(int argc, char **argv)
                            "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
                 goto opthelp;
+            if (cipher == NULL)
+                cipher = EVP_aes_256_cbc();
         case OPT_ITER:
             if (!opt_int(opt_arg(), &iter))
@@ -225,8 +227,8 @@ int pkcs8_main(int argc, char **argv)
         goto end;
-    if ((pbe_nid == -1) && !cipher)
-        pbe_nid = NID_pbeWithMD5AndDES_CBC;
+    if ((pbe_nid == -1) && cipher == NULL)
+        cipher = EVP_aes_256_cbc();
     in = bio_open_default(infile, 'r', informat);
     if (in == NULL)
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 244706a..9bf6d00 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -140,7 +140,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
     if ((prf_nid == -1) &&
         EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
-        prf_nid = NID_hmacWithSHA1;
+        prf_nid = NID_hmacWithSHA256;
     ctx = NULL;
diff --git a/doc/apps/pkcs8.pod b/doc/apps/pkcs8.pod
index 8d28a12..6b52685 100644
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -57,7 +57,7 @@ private key is used.
 =item B<-outform DER|PEM>
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 =item B<-in filename>
@@ -100,28 +100,26 @@ code signing software used unencrypted private keys.
 =item B<-v2 alg>
-This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
-private keys are encrypted with the password based encryption algorithm
-called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
-the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
-encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
-not many implementations support PKCS#5 v2.0 yet. If you are just using
-private keys with OpenSSL then this doesn't matter.
+This option sets the PKCS#5 v2.0 algorithm.
 The B<alg> argument is the encryption algorithm to use, valid values include
-B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
+B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
+is used.
 =item B<-v2prf alg>
 This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
-values would be B<hmacWithSHA256>. If this option isn't set then the default
-for the cipher is used or B<hmacWithSHA1> if there is no default.
+value would be B<hmacWithSHA256>. If this option isn't set then the default
+for the cipher is used or B<hmacWithSHA256> if there is no default.
+Some implementations may not support custom PRF algorithms and may require
+the B<hmacWithSHA1> option to work.
 =item B<-v1 alg>
-This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
-list of possible algorithms is included below.
+This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used.  Some
+older implementations may not support PKCS#5 v2.0 and may require this option.
+If not specified PKCS#5 v2.0 for is used.
 =item B<-engine id>
@@ -145,6 +143,13 @@ sets the scrypt B<N>, B<r> or B<p> parameters.
 =head1 NOTES
+By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
+AES with HMAC and SHA256 is used.
+Some older implementations do not support PKCS#5 v2.0 format and require
+the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
+encryption algorithms such as 56 bit DES.
 The encrypted form of a PEM encode PKCS#8 files uses the following
 headers and footers:
@@ -161,13 +166,6 @@ counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered
 important the keys should be converted.
-The default encryption is only 56 bits because this is the encryption
-that most current implementations of PKCS#8 will support.
-Some software may use PKCS#12 password based encryption algorithms
-with PKCS#8 format private keys: these are handled automatically
-but there is no option to produce them.
 It is possible to write out DER encoded encrypted private keys in
 PKCS#8 format because the encryption details are included at an ASN1
 level whereas the traditional format includes them at a PEM level.
@@ -228,8 +226,8 @@ Read a DER unencrypted PKCS#8 format private key:
 Convert a private key from any PKCS#8 format to traditional format:
  openssl pkcs8 -in pk8.pem -out key.pem
-Convert a private key to PKCS#8 format, encrypting with AES-256 and with 
+Convert a private key to PKCS#8 format, encrypting with AES-256 and with
 one million iterations of the password:
  openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
@@ -259,7 +257,7 @@ the old format at present.
 =head1 SEE ALSO
 L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
 =head1 HISTORY
diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c
index d8599a1..4c28107 100644
--- a/engines/afalg/e_afalg.c
+++ b/engines/afalg/e_afalg.c
@@ -131,7 +131,7 @@ static int afalg_chk_platform(void);
 /* Engine Id and Name */
 static const char *engine_afalg_id = "afalg";
-static const char *engine_afalg_name = "AFLAG engine support";
+static const char *engine_afalg_name = "AFALG engine support";
 static int afalg_cipher_nids[] = {

More information about the openssl-commits mailing list