On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
>> I was able to convert OpenSSH PEM format keys to PKCS#8 easily enough using
>> openssl pkcs8, but how do I convert the PKCS#8 back to the original format?
>>
>
>Well the first way is to do nothing: the OpenSSL private key code will
>transparently handle PKCS#8 PEM format so no conversion is really needed.
>
>The other way is:
>
>openssl pkcs8 -in p8key.pem [encrypt options] -out key.pem
>
>or
>
>openssl {rsa,dsa} -in p8key.pem [encrypt options] -out key.pem
The first gives me the "-----BEGIN DSA PRIVATE KEY-----" but no
"Proc-Type:" or "DEK-Info:", and ssh doesn't like it. The second form:
openssl dsa -in p8key.pem -des3 > key.pem
gives me something that looks right, with "DEK-Info: DES-EDE3-CBC,..."
matching the original, but ssh says bad passphrase. Guess I should
understand what I'm doing wrong before trying to hack
PEM_write_bio_PrivateKey et. al. Any ideas?
>> >The second alternative is to modify the PEM headers to include a string saying
>> >that SHA1 is the digest algorithm used and to recognize this in both FIPS and
>> >none FIPS modes.
>
>Actually now I think of it I'm not really very keen on that approach. It would
>involve inventing a non-standard OpenSSL specific format which was unusable in
>any previous versions of OpenSSL or any other software.
>
>With PKCS#8 you get a format that any version of OpenSSL can handle (except
>for very ancient ones) its more standard and more secure. In actual fact I've
>been meaning to make PKCS#8 the default format for OpenSSL private keys for
>some time for those very reasons.
PKCS#8 it is, then.
Thanks again for the great feedback, it saves me from wasting time on
stillborn patches...
-Steve M.
Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
[EMAIL PROTECTED]
