The pkcs8 application limits output keyfile passwords to at most 50 characters if the -passout parameter is not used. This seems to be because the buffer used for password input in pkcs8.c has a fixed size of 50.
This has a small security impact: the limitation leaks the maximum length of a password used on some PKCS#8 keys.

How to reproduce:
---8<---8<---
$ openssl genrsa -out rsa.key
$ openssl pkcs8 -topk8 -in rsa.key -out key.pkcs8
Enter Encryption Password:123456789012345678901234567890123456789012345678901
---8<---8<---

Actual result:
pkcs8 exits without output and returns value 1.
---8<---8<---
$ echo $?
1
---8<---8<---

Expected result:
pkcs8 prompts to verify the password and uses said password for encryption.
It should be possible to use passwords of arbitrary length.

Workaround:
Use the -passout parameter, e.g. "-passout stdin".

Versions tested:
---8<---8<---
$ uname -srm
NetBSD 7.0.0 amd64
$ openssl version
OpenSSL 1.0.2h 3 May 2016
$ /usr/bin/openssl version
OpenSSL 1.0.1p 9 Jul 2015

$ uname -srm
NetBSD 7.0.1 amd64
$ openssl version
OpenSSL 1.0.1t 3 May 2016
---8<---8<---

--
Jarmo Jaakkola

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4671
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
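The failure mode in the report above, as an added example that is not code from the report or from OpenSSL: a simplified C model of a prompt reader capped at 50 characters beside a growable one that accepts any length and wipes outgrown buffers. The names `PW_MAX`, `wipe`, `read_pw_fixed`, `read_pw_dynamic` and `typed` are hypothetical, and the temp-file input is constructed to stand in for the terminal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PW_MAX 50 /* character limit described in the report */

static void wipe(void *p, size_t n) { /* volatile keeps the stores from being elided */
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* Fixed-buffer model: returns the length, or -1 when more than PW_MAX characters are typed. */
int read_pw_fixed(FILE *in, char out[PW_MAX + 2]) {
    if (!fgets(out, PW_MAX + 2, in)) return -1;
    size_t n = strcspn(out, "\n");
    if (n > PW_MAX) { wipe(out, PW_MAX + 2); return -1; }
    out[n] = '\0';
    return (int)n;
}

/* Growable reader: no length cap; each outgrown buffer is wiped before it is freed. */
char *read_pw_dynamic(FILE *in, size_t *len) {
    size_t cap = 64, n = 0;
    char *buf = malloc(cap), *nb;
    int c;
    while (buf && (c = fgetc(in)) != EOF && c != '\n') {
        buf[n++] = (char)c;
        if (n < cap) continue; /* still room for the terminating NUL */
        if ((nb = malloc(cap * 2))) memcpy(nb, buf, n);
        wipe(buf, cap); free(buf);
        buf = nb; cap *= 2;
    }
    if (buf) { buf[n] = '\0'; *len = n; }
    return buf;
}

FILE *typed(const char *s) { /* constructed input standing in for the terminal */
    FILE *f = tmpfile();
    if (f) { fputs(s, f); rewind(f); }
    return f;
}

int main(void) {
    const char *pw = "123456789012345678901234567890123456789012345678901\n";
    char fixed[PW_MAX + 2], *p;
    size_t len = 0;
    FILE *a = typed(pw), *b = typed(pw); /* the report's 51-character password */
    if (!a || !b || !(p = read_pw_dynamic(b, &len))) return 2;
    printf("fixed: %d, growable: %zu chars\n", read_pw_fixed(a, fixed), len);
    wipe(p, len); free(p);
    return 0;
}
```

The growable reader copies into a fresh allocation instead of calling `realloc`, so no stale copy of the password is left behind in freed memory.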