[openssl-dev] [openssl.org #4544] [BUG] 'openssl pkcs8' command doesn't work as advertised
Timothy Geiser via RT
rt at openssl.org
Fri May 20 10:26:56 UTC 2016
Confirmed with 1.0.2h on Windows 10 64-bit and 1.0.2g-fips on Xubuntu Linux
(16.04 'Xenial Xerus')
Make new RSA key in PKCS#8 format:
~$ openssl genpkey -algorithm rsa -out rsa_new.key
Try an example from the man page for 'pkcs8' to convert to (old) traditional
format:
~$ openssl pkcs8 -in rsa_new.key -out rsa_old.key
Error reading key
139801503176344:error:0906D06C:PEM routines:PEM_read_bio:no start line:
pem_lib.c:701:Expecting: ENCRYPTED PRIVATE KEY
Read docs to find switch for making pkcs8 accept unencrypted keys. Try again:
~$ openssl pkcs8 -nocrypt -in rsa_new.key -out rsa_old.key
Check contents of new format and old format files:
~$ head -n 3 rsa_new.key rsa_old.key
==> rsa_new.key <==
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
4OluxTGCG8yjI1MCQQz1dBvVf9Q1qeiqGTekY94Cj2KaHgF1EPOjKRgSG7ag7s9J
==> rsa_old.key <==
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
4OluxTGCG8yjI1MCQQz1dBvVf9Q1qeiqGTekY94Cj2KaHgF1EPOjKRgSG7ag7s9J
The key is untranslated. This directly contradicts the documentation.
The docs even have a nearly identical example:
>Convert a private key from any PKCS#8 format to traditional format:
>
> openssl pkcs8 -in pk8.pem -out key.pem
Workaround - use 'openssl rsa':
~$ openssl rsa -in rsa_new.key -out rsa_old.key
writing RSA key
~$ head -n 3 rsa_new.key rsa_old.key
==> rsa_new.key <==
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAL93XnIDaTAl3MS7
4OluxTGCG8yjI1MCQQz1dBvVf9Q1qeiqGTekY94Cj2KaHgF1EPOjKRgSG7ag7s9J
==> rsa_old.key <==
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC/d15yA2kwJdzEu+DpbsUxghvMoyNTAkEM9XQb1X/UNanoqhk3
pGPeAo9imh4BdRDzoykYEhu2oO7PSYAkoqD1mj+C+yCrx6aEOqehGXm/y3rxHTH9
I'm glad I was able to get the desired result with the workaround, but the
pkcs8 command does not work as advertised. I tried it with encrypted keys and
got the same result that way as well.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4544
Please log in as guest with password guest if prompted
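The check below is added here and is not part of the bug report or of OpenSSL: it classifies a PEM private key by the DER structure inside it rather than by its header label, so it flags an 'openssl pkcs8 -nocrypt' output file that is still PKCS#8 (as in the report) and accepts the 'openssl rsa' result. The sample keys it builds are constructed toy DER with meaningless integers, not real key material.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der(tag, body):  # short-form lengths only; enough for the constructed sample keys below
    assert len(body) < 0x80
    return bytes([tag]) + bytes([len(body)]) + body

def der_int(v):  # minimal INTEGER encoding, leading 0x00 added when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
# Toy RSAPrivateKey (version, n, e, d, p, q, dP, dQ, qInv) and its PKCS#8 PrivateKeyInfo wrapping
RSA_TRADITIONAL_DER = der(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 1, 1, 1)))
PKCS8_DER = der(0x30, der_int(0) + der(0x30, der(0x06, RSA_OID) + b"\x05\x00")
                + der(0x04, RSA_TRADITIONAL_DER))

def to_pem(label, data):
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos:]; returns (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length, as real 2048-bit keys use
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def classify_key(pem_text):
    """Return (PEM label, structure); the structure is decided from the DER, not from the label."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return None, "no-pem"
    label = m.group(1)
    tag, outer, _ = _tlv(base64.b64decode("".join(m.group(2).split())), 0)
    if tag != 0x30:
        return label, "unknown"
    first, _, pos = _tlv(outer, 0)
    second = _tlv(outer, pos)[0]
    if first == 0x30:                     # EncryptedPrivateKeyInfo: AlgorithmIdentifier first
        return label, "pkcs8-encrypted"
    if first == 0x02 and second == 0x30:  # PrivateKeyInfo: version, AlgorithmIdentifier, key
        return label, "pkcs8"
    if first == 0x02 and second == 0x02:  # RSAPrivateKey: version, modulus, publicExponent, ...
        return label, "rsa-traditional"
    return label, "unknown"

def is_traditional_rsa(pem_text):  # the check to run on the -out file after 'openssl pkcs8'
    return classify_key(pem_text) == ("RSA PRIVATE KEY", "rsa-traditional")
```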