[openssl-users] Unable to generate privatekey with 128bit salt
Michael Wojcik
Michael.Wojcik at microfocus.com
Fri Oct 13 17:04:29 UTC 2017
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of kishore
> Sent: Friday, October 13, 2017 07:05
>./openssl genrsa -out aes256sha12048.key -aes256 2048 -S E1F53135E559C253
Using what version of OpenSSL? Running on what platform? Please include basic, essential information in your question. Don't make us guess.
> but when try to load the key using BouncyCastle code, it throws
> "Error salt must be at least 128 bits"
The version of the openssl utility (1.0.2j) I'm running doesn't list a -S parameter in its help output, and I don't see one in genrsa.c, but there is one in enc.c, so maybe the genrsa command supports it. Though when I tried your command line, the key I got was encrypted with a salt (IV, really) that didn't appear to be related in any way to the value given with -S.
In any case, though, the value you're passing for -S is only 64 bits. 64 is less than 128.
Have you tried omitting the -S option? You should get a key encrypted with an IV of the appropriate length (128 bits) for AES-CBC-256.
What does the PEM header - particularly the DEK-Info line - in the generated key file say?
--
Michael Wojcik
Distinguished Engineer, Micro Focus
More information about the openssl-users
mailing list