Dr. Henson, I wanted to thank you for your suggestions, it is working now. I had to change the code:

int res = i2d_PKCS8PrivateKey_fp (fp, clave, EVP_des_ede3_cbc(), NULL, 0, NULL, pwd);

TO

int pbe_nid = OBJ_txt2nid("PBE-SHA1-3DES");
int res = i2d_PKCS8PrivateKey_nid_fp (fp, clave, pbe_nid, NULL, 0, NULL, pwd);

Thanks again,
Jason

----- Original Message -----
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
Date: Sunday, June 25, 2006 6:34 am
Subject: Re: Creating compatible PKCS12 files

> On Sat, Jun 24, 2006, Jason K. Resch wrote:
>
> > I'm attempting to make software that can use the crypto features in
> > either OpenSSL or Mozilla NSS. Thus far I've had little difficulty in
> > doing so except for one problem. When I export an
> > EncryptedPrivateKeyInfo (for a 2048 bit key) using OpenSSL the resulting
> > file is 1298 bytes in length. However when I export it using NSS it
> > comes out to be 1270 bytes. The odd thing is that OpenSSL can read the
> > exported NSS key using the following OpenSSL code:
> >
> > RSA *key = NULL;
> > BIO *mem = BIO_new_mem_buf((void *) privateKeyData.getByteArray(),
> >                            privateKeyData.size() );
> >
> > char *pwd = (char*)passPhrase.c_str();
> > OpenSSL_add_all_algorithms();
> > ERR_load_crypto_strings();
> >
> > EVP_PKEY *clave = d2i_PKCS8PrivateKey_bio(mem, NULL, NULL, pwd);
> > if (clave == NULL)
> > {
> >     ERR_print_errors_fp(stderr);
> > }
> >
> > key = EVP_PKEY_get1_RSA(clave);
> >
> > I can also successfully export the NSS generated key using the command:
> > "openssl pkcs8 -in private.key -inform DER -out encoded.out"
> >
> > However, when NSS attempts to decrypt the OpenSSL generated file, it
> > fails with an error suggesting an invalid password was used. One
> > difference I noticed is that NSS requires the password be in Unicode,
> > while OpenSSL takes a plain ASCII string. But when I attempted to use
> > an ASCII string to encrypt the password in NSS, then "openssl pkcs8 -in
> > private.key -inform DER -out encoded.out" no longer could decrypt the key.
> >
> > If it is of any help, the algorithm I am using in Mozilla NSS is:
> > SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
> >
> > and the algorithm I am using in OpenSSL is:
> > i2d_PKCS8PrivateKey_fp (fp, clave, EVP_des_ede3_cbc(), NULL, 0, NULL, pwd);
> >
> > I am at a loss as to what is causing these key incompatibilities and
> > would be grateful for any suggestions regarding the matter.
> >
>
> Not sure what the subject is about "compatible PKCS#12 files": the issues you
> refer to are with PKCS#8 format private keys.
>
> The size of the output file can vary according to the algorithm and indeed the
> encoding of the private key. Mozilla PKCS#12 files for example used to use
> indefinite length constructed encoding and were quite a bit larger than the
> OpenSSL equivalents. Other factors such as seed length, key attributes and OID
> lengths can have an influence.
>
> The PKCS#12 standard requires that keys should be in Unicode for the PKCS#12
> PBE algorithms and use a double null string terminator. OpenSSL should follow
> this OK.
>
> The other main standard containing PBE algorithms is PKCS#5 v2.0 which includes
> some older PKCS#5 v1.5 algorithms with smaller key sizes. It doesn't
> specifically enforce a specific password format but some examples use ASCII
> or arguably UTF8: these examples were generated using OpenSSL BTW.
>
> Try the OpenSSL command line option to the pkcs8 utility
>
> -v1 PBE-SHA1-3DES
>
> which should use the same PKCS#12 PBE algorithm as NSS.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> ______________________________________________________________________
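The interop fix discussed in this thread, worked through end to end as an added example (this script is not from the thread, from Jason, or from the OpenSSL project). It writes the same RSA key as an encrypted PKCS#8 EncryptedPrivateKeyInfo twice: once with the PKCS#12 PBE scheme NSS expects (`-v1 PBE-SHA1-3DES`, which is what Jason's switch to `i2d_PKCS8PrivateKey_nid_fp` with the `PBE-SHA1-3DES` NID selects in C) and once with the PKCS#5 v2.0 PBES2 scheme that `i2d_PKCS8PrivateKey_fp(..., EVP_des_ede3_cbc(), ...)` produces. It then checks which AlgorithmIdentifier OID actually landed in each file, since that OID is the thing the NSS side keys on, and proves the PKCS#12-PBE file still decrypts with OpenSSL. It assumes an `openssl` binary on PATH; the password, key size and file names are demo choices.

```shell
#!/bin/sh
# Added example: NSS-compatible PKCS#8 export with OpenSSL, plus the checks
# a practitioner would run before blaming the password. Assumes the openssl
# CLI is installed; everything under $WORK is constructed demo data.
set -e

WORK=${TMPDIR:-/tmp}/pkcs8demo.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
PASS="correct horse"   # demo passphrase, an assumption for this script

# Generate a 2048-bit RSA key (constructed test input, matches the thread).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
}

# Write an EncryptedPrivateKeyInfo (DER) to $1.
#   $2 = "v1": PKCS#12 PBE pbeWithSHAAnd3-KeyTripleDES-CBC (what NSS's
#        SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC uses).
#        OpenSSL converts the passphrase to the BMPString form with the
#        double NUL terminator internally, so an ASCII password is fine.
#   $2 = anything else: PKCS#5 v2.0 PBES2 with des-ede3-cbc, i.e. what
#        i2d_PKCS8PrivateKey_fp(..., EVP_des_ede3_cbc(), ...) emits.
write_pkcs8() {
    if [ "$2" = "v1" ]; then
        openssl pkcs8 -topk8 -in "$WORK/key.pem" -outform DER -out "$1" \
            -v1 PBE-SHA1-3DES -passout "pass:$PASS"
    else
        openssl pkcs8 -topk8 -in "$WORK/key.pem" -outform DER -out "$1" \
            -v2 des3 -passout "pass:$PASS"
    fi
}

# The first OBJECT IDENTIFIER in an EncryptedPrivateKeyInfo is the
# encryptionAlgorithm. asn1parse prints its long name after the colon.
pbe_algorithm() {
    openssl asn1parse -inform DER -in "$1" | grep 'OBJECT' | head -n 1 \
        | sed 's/.*://' | tr -d '[:space:]'
}

# Decrypt $1 with the passphrase and compare the recovered public key with
# the original's to show the round trip is lossless.
roundtrip_ok() {
    openssl pkcs8 -in "$1" -inform DER -passin "pass:$PASS" \
        -out "$WORK/back.pem"
    a=$(openssl pkey -in "$WORK/key.pem" -pubout 2>/dev/null)
    b=$(openssl pkey -in "$WORK/back.pem" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

gen_key
write_pkcs8 "$WORK/nss.der" v1
write_pkcs8 "$WORK/pbes2.der" v2

echo "PKCS#12 PBE file encryptionAlgorithm: $(pbe_algorithm "$WORK/nss.der")"
echo "PBES2 file encryptionAlgorithm:       $(pbe_algorithm "$WORK/pbes2.der")"
roundtrip_ok "$WORK/nss.der" && echo "PBE-SHA1-3DES file decrypts with OpenSSL"
```

The OID check is the diagnostic worth keeping: an "invalid password" error from a consumer that only implements one PBE family usually means the AlgorithmIdentifier is wrong, not the password. The caveat is that pbeWithSHAAnd3-KeyTripleDES-CBC is a legacy scheme (PKCS#12 KDF over SHA-1 with 3DES); use it where NSS interop requires it, and keep PBES2 (PBKDF2 with AES) for everything else.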