Affects OpenSSL since at least v0.9.8g. Originally reported as Debian Bug #533365.

Problem cause: hardcoded "MIN_LEN=4" in source file crypto/pem/pem_lib.c

One can generate keys with a 'too short' passphrase; e.g.

  $ openssl genrsa -des3 -passout pass:1 -out mykey.pem 1024

or, alternatively:

  $ echo 1 > psw
  $ openssl genrsa -des3 -passout file:./psw -out mykey.pem 1024

One can then "use" the key, even for operations which require the passphrase; e.g.:

  $ openssl rsa -passin pass:1 -in mykey.pem -out outkey.pem

or

  $ openssl rsa -passin file:./psw -in mykey.pem -out outkey.pem

However, a passphrase with length < 4 cannot be entered from stdin:

  $ openssl rsa -in mykey.pem -out outkey.pem
  Enter pass phrase for mykey.pem:
  17325:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:850:You must type in 4 to 8191 characters

-- Original Report -------

I have got an RSA key which is encrypted (Proc-Type: 4,ENCRYPTED) using a password of only one character. Unfortunately, OpenSSL is not able to remove the password with the standard

  openssl rsa -in my.key -out my.key.insecure

Error:

  29913:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters

A forced check like this is questionable, and in the case of not generating, but just *using* (e.g. decrypting) a password it is totally unacceptable. OpenSSL renders my private key unusable.

Proposal for fixing this issue: remove password size/quality checks for decrypting operations.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
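The report above turns on where the 4-character minimum actually lives: in the interactive prompt path (pem_lib.c's default password callback, which ends in UI_set_result), not in the key derivation that PEM_do_header performs. As an added illustration that is not code from the report or from OpenSSL, the Python below parses the "Proc-Type: 4,ENCRYPTED" / "DEK-Info" headers of a legacy key and derives the DES-EDE3 key and IV the way OpenSSL does (EVP_BytesToKey with MD5, count 1, salt = first 8 IV bytes), accepting a one-byte passphrase without complaint. SAMPLE_PEM is a constructed header with the ciphertext omitted, and the DES3 decryption step itself is not included.

```python
import hashlib
import re

# Constructed sample: the header lines "openssl genrsa -des3" writes for a
# legacy PEM-encrypted key.  The base64 ciphertext body is omitted.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 ciphertext lines would follow)
-----END RSA PRIVATE KEY-----
"""

# Cipher name -> (key length, IV length) for common legacy PEM ciphers.
CIPHERS = {"DES-EDE3-CBC": (24, 8), "DES-CBC": (8, 8),
           "AES-128-CBC": (16, 16), "AES-256-CBC": (32, 16)}

def parse_dek_info(pem_text):
    """Return (cipher name, IV bytes) from the PEM encryption headers."""
    if not re.search(r"^Proc-Type: 4,ENCRYPTED$", pem_text, re.M):
        raise ValueError("key is not PEM-encrypted")
    m = re.search(r"^DEK-Info: ([A-Z0-9-]+),([0-9A-Fa-f]+)$", pem_text, re.M)
    if m is None:
        raise ValueError("missing DEK-Info header")
    cipher, iv = m.group(1), bytes.fromhex(m.group(2))
    if cipher not in CIPHERS or len(iv) != CIPHERS[cipher][1]:
        raise ValueError("unsupported cipher or bad IV length")
    return cipher, iv

def evp_bytes_to_key(passphrase, salt, key_len):
    """EVP_BytesToKey with MD5 and count=1, as PEM_do_header uses it:
    D_i = MD5(D_{i-1} || passphrase || salt); key = (D_1 || D_2 || ...)[:key_len].
    Nothing here depends on the passphrase length; a 1-byte passphrase is
    accepted, which is why -passin works while the interactive prompt fails."""
    if not isinstance(passphrase, bytes):
        raise TypeError("passphrase must be bytes")
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]

def derive_key_iv(pem_text, passphrase):
    """Derive (key, iv) for the key's header; the KDF salt is the first 8 IV bytes."""
    cipher, iv = parse_dek_info(pem_text)
    key_len, _ = CIPHERS[cipher]
    return evp_bytes_to_key(passphrase, iv[:8], key_len), iv
```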