[openssl-dev] [openssl.org #4544] [BUG] 'openssl pkcs8' command doesn't work as advertised

Timothy Geiser via RT rt at openssl.org
Fri May 20 10:26:56 UTC 2016


Confirmed with 1.0.2h on Windows 10 64-bit and 1.0.2g-fips on Xubuntu Linux
(16.04 'Xenial Xerus')

Make new RSA key in PKCS#8 format:
  ~$ openssl genpkey -algorithm rsa -out rsa_new.key

Try an example from the man page for 'pkcs8' to convert to (old) traditional
format:
  ~$ openssl pkcs8 -in rsa_new.key -out rsa_old.key
  Error reading key
  139801503176344:error:0906D06C:PEM routines:PEM_read_bio:no start line:
  pem_lib.c:701:Expecting: ENCRYPTED PRIVATE KEY

Read docs to find switch for making pkcs8 accept unencrypted keys. Try again:
  ~$ openssl pkcs8 -nocrypt -in rsa_new.key -out rsa_old.key

Check contents of new format and old format files:
  ~$ head -n 3 rsa_new.key rsa_old.key
  ==> rsa_new.key <==
  -----BEGIN PRIVATE KEY-----
  MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
  4OluxTGCG8yjI1MCQQz1dBvVf9Q1qeiqGTekY94Cj2KaHgF1EPOjKRgSG7ag7s9J

  ==> rsa_old.key <==
  -----BEGIN PRIVATE KEY-----
  MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
  4OluxTGCG8yjI1MCQQz1dBvVf9Q1qeiqGTekY94Cj2KaHgF1EPOjKRgSG7ag7s9J

The key is untranslated. This is a direct contradiction to the documentation.
The docs even have a nearly identical example:
>Convert a private key from any PKCS#8 format to traditional format:
>
> openssl pkcs8 -in pk8.pem -out key.pem

Workaround - use 'openssl rsa':
  ~$ openssl rsa -in rsa_new.key -out rsa_old.key
  writing RSA key
  ~$ head -n 3 rsa_new.key rsa_old.key
  ==> rsa_new.key <==
  -----BEGIN PRIVATE KEY-----
  MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
  4OluxTGCG8yjI1MCQQz1dBvVf9Q1qeiqGTekY94Cj2KaHgF1EPOjKRgSG7ag7s9J

  ==> rsa_old.key <==
  -----BEGIN RSA PRIVATE KEY-----
  MIICWwIBAAKBgQC/d15yA2kwJdzEu+DpbsUxghvMoyNTAkEM9XQb1X/UNanoqhk3
  pGPeAo9imh4BdRDzoykYEhu2oO7PSYAkoqD1mj+C+yCrx6aEOqehGXm/y3rxHTH9

I'm glad I was able to get the desired result with the workaround, but the
pkcs8 command does not work as advertised. I tried it with encrypted keys and
got the same result that way as well.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4544
Please log in as guest with password guest if prompted
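An added example, not part of the original post or of OpenSSL: a check that reports which format a PEM key file is really in, comparing what the start line claims with what the DER body contains, so a conversion that silently left the key unchanged is caught. The function names are hypothetical, the two sample bodies are only the first base64 line of each file as shown in the post, and it assumes RSA keys without legacy `Proc-Type` PEM encryption.

```python
import base64
import re

# Format claimed by the PEM start line.
LABEL_FORMAT = {
    "PRIVATE KEY": "pkcs8",
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
    "RSA PRIVATE KEY": "traditional-rsa",
}

# First base64 line of each file from the post (bodies are truncated there;
# this check only reads the leading DER headers, so that is sufficient).
PKCS8_PEM = """-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
"""
TRADITIONAL_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC/d15yA2kwJdzEu+DpbsUxghvMoyNTAkEM9XQb1X/UNanoqhk3
"""

def _tlv(der, pos):
    """Return (tag, value_offset, length) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def der_format(der):
    """Classify a private-key DER blob by its first two inner elements."""
    try:
        outer, pos, _ = _tlv(der, 0)
        if outer != 0x30:                 # must be a SEQUENCE
            return "unknown"
        tag, val, length = _tlv(der, pos)
        if tag == 0x30:                   # EncryptedPrivateKeyInfo: AlgorithmIdentifier first
            return "pkcs8-encrypted"
        if tag != 0x02:                   # otherwise a version INTEGER is expected
            return "unknown"
        # After the version: SEQUENCE = PKCS#8 AlgorithmIdentifier, INTEGER = RSA modulus
        return {0x30: "pkcs8", 0x02: "traditional-rsa"}.get(der[val + length], "unknown")
    except IndexError:
        return "unknown"

def check_pem(text):
    """Return (format claimed by label, format found in DER); they should agree."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)(?:-----END|\Z)", text, re.S)
    if not m:
        raise ValueError("no PEM start line")
    b64 = "".join(m.group(2).split())
    der = base64.b64decode(b64[:len(b64) - len(b64) % 4])  # tolerate a truncated body
    return LABEL_FORMAT.get(m.group(1), "unknown"), der_format(der)
```

Running `check_pem` on the output file after a conversion and requiring `("traditional-rsa", "traditional-rsa")` distinguishes the two `rsa_old.key` results shown above.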