[openssl-users] suggested enhancement documentation or warning for pkey command line tool

Jakob Bohm jb-openssl at wisemo.com
Tue Oct 27 01:21:13 UTC 2015

On 26/10/2015 14:02, Viktor Dukhovni wrote:
> On Mon, Oct 26, 2015 at 01:21:24PM +0100, Michel wrote:
>> I believe it might be usefull to remind in the documentation that the
>> -cipher argment for openssl pkey command line tool is silently ignore when
>> combined with -outform DER.
>> May be it is worth to add a warning too ?
> I think a fatal error would be appropriate.  If you want encrypted
> DER keys, you'll need PKCS#8 or PKCS#12.
But the issue is how to make the key conversion command
in the openssl command line tool encrypt the output file,
not which encryption format it should use.

More specifically, the issue is that the currently
recommended command "openssl pkey", allegedly silently
omits the encryption when told not to Base64 encode the
encrypted key, which is complete nonsense and would be
considered a security issue in any other tool.

I see no particular reason why the "openssl pkey" command
should not encrypt the key in exactly the same way as it
does when Base64 encoding the key, in other words the
difference between -outform DER and -outform PEM should be
*only* the Base64 encoding and the associated decorative
text lines.

Doing something highly dangerous (outputting a private key
unencrypted contrary to user request) in response to an
unrelated option (-outform DER) is a really bad thing.

While on this subject, it would be most useful if all the
openssl command line tools that can output private keys
supported the same command line options to indicate
encryption or lack thereof, specifically, those commands
that currently default to unencrypted should still accept
the "-nodes" command, and should complain if invoked with
the "-passout" option but no encryption request.  5 to 10
years later, it should then be possible to change the
default to encrypted, confident that adding explicit "-nodes"
to scripts and examples will not fail on any reasonably
maintained systems (including systems where openssl is built
by some upstream OS maker).


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list