[openssl-dev] [openssl.org #4671] Bug: pkcs8 application limits output passwords to 50 characters
Jarmo Jaakkola via RT
rt at openssl.org
Sun Sep 4 18:39:09 UTC 2016
The pkcs8 application limits output keyfile passwords to at most 50
characters if the -passout parameter is not used. This seems to be because
the buffer used for password input in pkcs8.c has a fixed size of 50.
This has a small security impact: the limitation leaks the maximum
length of a password used on some PKCS#8 keys.
How to reproduce:
---8<---8<---
$ openssl genrsa -out rsa.key
$ openssl pkcs8 -topk8 -in rsa.key -out key.pkcs8
Enter Encryption Password:123456789012345678901234567890123456789012345678901
---8<---8<---
Actual result:
pkcs8 exits without output and returns value 1.
---8<---8<---
$ echo $?
1
---8<---8<---
Expected result:
pkcs8 prompts to verify the password and uses said password for
encryption. It should be possible to use passwords of arbitrary
length.
Workaround:
Use the -passout parameter, e.g. "-passout stdin".
Versions tested:
---8<---8<---
$ uname -srm
NetBSD 7.0.0 amd64
$ openssl version
OpenSSL 1.0.2h 3 May 2016
$ /usr/bin/openssl version
OpenSSL 1.0.1p 9 Jul 2015
$ uname -srm
NetBSD 7.0.1 amd64
$ openssl version
OpenSSL 1.0.1t 3 May 2016
---8<---8<---
--
Jarmo Jaakkola
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4671
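The -passout workaround from the report, exercised with a 60-character password and checked by decrypting the result again, as an added example that is not part of the original report. It assumes an openssl binary on PATH; the password value and the temporary file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: feed a password longer than the 50-byte prompt buffer through
# -passout/-passin on stdin, then verify the encrypted PKCS#8 key round-trips.
# Assumes `openssl` is on PATH. LONG_PASS is a constructed 60-character sample.
set -u

LONG_PASS='correct-horse-battery-staple-0123456789-abcdefghij-KLMNOPQRS'

# Prints the byte length of its argument (used to confirm the password > 50).
password_length() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Returns 0 when encrypt -> decrypt yields the same key, non-zero otherwise.
pkcs8_roundtrip() {
    pass="$1"
    work=$(mktemp -d) || return 1
    # Throwaway 2048-bit RSA key; genrsa progress output is silenced.
    openssl genrsa -out "$work/rsa.key" 2048 2>/dev/null || { rm -rf "$work"; return 1; }
    # Encrypt to PKCS#8, supplying the password on stdin instead of the prompt.
    printf '%s\n' "$pass" | openssl pkcs8 -topk8 -in "$work/rsa.key" \
        -out "$work/key.pkcs8" -passout stdin || { rm -rf "$work"; return 1; }
    # Decrypt with the same password, again via stdin.
    printf '%s\n' "$pass" | openssl pkcs8 -in "$work/key.pkcs8" \
        -out "$work/dec.key" -passin stdin || { rm -rf "$work"; return 1; }
    # PEM framing of the decrypted key differs between OpenSSL versions, so
    # compare the derived public keys, which are a version-independent identity.
    pub_a=$(openssl pkey -in "$work/rsa.key" -pubout 2>/dev/null)
    pub_b=$(openssl pkey -in "$work/dec.key" -pubout 2>/dev/null)
    rm -rf "$work"
    [ -n "$pub_a" ] && [ "$pub_a" = "$pub_b" ]
}

echo "password length: $(password_length "$LONG_PASS")"
if pkcs8_roundtrip "$LONG_PASS"; then
    echo "round trip OK: long password accepted via -passout stdin"
else
    echo "round trip FAILED"
fi
```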