[openssl-users] output from: dh, dhparam, pkeyparam

Johann v. Preußen jvp at forthepolls.org
Sat Aug 6 14:31:50 UTC 2016 

since 0.9.6 or before, five (5) example PEM files have been included in the 
'crypto/dh' directory of the pkg. these represent bit-sizes from 192 to 4096. 
certainly 192-/512-/1024-bits are hardly applicable today and that leaves the 
2048-/4096-bit files subject to current interest. at that, i am not certain what 
utility these files have since they are not installed. quite a while ago i 
noticed the 'dh2048.pem' file when deciding to create custom DH param files. 
this file has two (2) sets of param's. since these files may have originated in 
some early dev phase, i can see where someone mistakenly appended the second 
param set instead of supplanting the first. this brings to the fore my actual 
question.

'pkeyparam' shares the same DH feature of its predecessors in that it ignores 
all content not included between the /*first*/ PEM header and its accompanying 
footer. that means virtually anything can surround the first param and will be 
ignored by whatever call(s) this wrapper is making. i can understand that this 
may have been coded this way to allow for the history DH param's have with 
openssl whereby only the PKCS#3 variant has been supported and that format might 
co-exist in some files.

however, it would seem prudent that everything outside the first DH param should 
not be completely ignored. to wit: consider the very real possibility that a 
programmatic error is made -- such as the dh2048.pem example, supra -- and an 
append is performed and the new param is completely ignored and nobody is the 
wiser. moreover, since it is remarkably unlikely that anyone is hand coding 
these files or that comments would be inserted; it seems to make a lot of sense 
for a utilizing module to _*warn*_ of excess content that is not PKCS and 
_*fail*_ if more than a single PEM-type param is included.

-- 
Thank you,

Johann v. Preußen


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/270feabe/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3825 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160806/270feabe/attachment.bin>

More information about the openssl-users mailing list