tangtong <[email protected]> writes: > Hi, > I meet some question when I display an encrypted key info created by openssl. > The following steps show the scenario: > openssl genrsa -des3 -out key1.pem > openssl pkcs8 -topk8 -in key1.pem -out key2.pem > certtool -k --infile key2.pem > |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' is unsupported. > certtool: import error: The cipher type is unsupported.
That is pbeWithMD5AndDES-CBC. Both MD5 and DES are broken, so I'm not sure it is worthwhile to support it. Try the -v2 parameter to openssl pkcs8, although I'm not sure what the string for any strong cipher would be. I would accept a patch that made GnuTLS read files on this format (but make sure it can't generate them). /Simon > > I double check the source codes, it is found only the following schema are > supported for a pkcs8 key for gnutls: > PKCS12_PBE_3DES_SHA1_OID "1.2.840.113549.1.12.1.3" > PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1" > PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" > PBES2_OID "1.2.840.113549.1.5.13" > > Only the last one is for PKCS5 schema. According to PKCS8 specification, > PKCS8's encryption algorithm is based on PKCS5's encryption schema. I am not > sure if this means gnutls dones't fully support PKCS5 and my understanding > about PKCS8 and PKCS5 is right or not. > > > Regards > > > > _________________________________________________________________ > 上Windows Live 中国首页,下载最新版Messenger! > http://www.windowslive.cn_______________________________________________ > Help-gnutls mailing list > [email protected] > http://lists.gnu.org/mailman/listinfo/help-gnutls _______________________________________________ Help-gnutls mailing list [email protected] http://lists.gnu.org/mailman/listinfo/help-gnutls
