Dr. Henson,
I wanted to thank you for your suggestions; it is working now. I had to
change the code:

int res = i2d_PKCS8PrivateKey_fp(fp, clave, EVP_des_ede3_cbc(), NULL,
                                 0, NULL, pwd);

TO

int pbe_nid = OBJ_txt2nid("PBE-SHA1-3DES");
int res = i2d_PKCS8PrivateKey_nid_fp(fp, clave, pbe_nid, NULL, 0, NULL,
                                     pwd);
Thanks again,
Jason
----- Original Message -----
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
Date: Sunday, June 25, 2006 6:34 am
Subject: Re: Creating compatible PKCS12 files
> On Sat, Jun 24, 2006, Jason K. Resch wrote:
>
> > I'm attempting to make software that can use the crypto features in
> > either OpenSSL or Mozilla NSS. Thus far I've had little difficulty in
> > doing so except for one problem. When I export an
> > EncryptedPrivateKeyInfo (for a 2048 bit key) using OpenSSL the
> > resulting file is 1298 bytes in length. However, when I export it
> > using NSS it comes out to be 1270 bytes. The odd thing is that OpenSSL
> > can read the exported NSS key using the following OpenSSL code:
> >
> > RSA *key = NULL;
> > /* Wrap the DER EncryptedPrivateKeyInfo bytes in a read-only memory BIO */
> > BIO *mem = BIO_new_mem_buf((void *) privateKeyData.getByteArray(),
> >                            privateKeyData.size());
> >
> > char *pwd = (char*)passPhrase.c_str();
> > OpenSSL_add_all_algorithms();
> > ERR_load_crypto_strings();
> >
> > /* With no callback, the password is passed directly as the user data */
> > EVP_PKEY *clave = d2i_PKCS8PrivateKey_bio(mem, NULL, NULL, pwd);
> > if (clave == NULL)
> > {
> >     ERR_print_errors_fp(stderr);
> > }
> > else
> > {
> >     key = EVP_PKEY_get1_RSA(clave); /* NULL if the key is not RSA */
> > }
> > BIO_free(mem);
> >
> > I can also successfully export the NSS generated key using the
> > command: "openssl pkcs8 -in private.key -inform DER -out encoded.out"
> >
> > However, when NSS attempts to decrypt the OpenSSL generated file, it
> > fails with an error suggesting an invalid password was used. One
> > difference I noticed is that NSS requires the password be in Unicode,
> > while OpenSSL takes a plain ASCII string. But when I attempted to use
> > an ASCII string to encrypt the password in NSS, then "openssl pkcs8 -in
> > private.key -inform DER -out encoded.out" no longer could decrypt the
> > key.
> >
> > If it is of any help, the algorithm I am using in Mozilla NSS is:
> > SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
> >
> > and the algorithm I am using in OpenSSL is:
> > i2d_PKCS8PrivateKey_fp(fp, clave, EVP_des_ede3_cbc(), NULL, 0,
> >                        NULL, pwd);
> >
> > I am at a loss as to what is causing these key incompatibilities and
> > would be grateful for any suggestions regarding the matter.
> >
> >
>
> Not sure what the subject is about "compatible PKCS#12 files": the
> issues you refer to are with PKCS#8 format private keys.
>
> The size of the output file can vary according to the algorithm and
> indeed the encoding of the private key. Mozilla PKCS#12 files, for
> example, used to use indefinite length constructed encoding and were
> quite a bit larger than the OpenSSL equivalents. Other factors such as
> seed length, key attributes and OID lengths can have an influence.
>
> The PKCS#12 standard requires that keys should be in Unicode for the
> PKCS#12 PBE algorithms and use a double null string terminator. OpenSSL
> should follow this OK.
>
> The other main standard containing PBE algorithms is PKCS#5 v2.0, which
> includes some older PKCS#5 v1.5 algorithms with smaller key sizes. It
> doesn't specifically enforce a specific password format, but some
> examples use ASCII or arguably UTF8: these examples were generated
> using OpenSSL, BTW.
>
> Try the OpenSSL command line option to the pkcs8 utility
>
> -v1 PBE-SHA1-3DES
>
> which should use the same PKCS#12 PBE algorithm as NSS.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]
>
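The thread turns on two things that both sides of the exchange must agree on: which password-based encryption scheme wraps the PKCS#8 key, and how the password is turned into bytes before key derivation. The following is an added example, written for this page in Python using only the standard library; it is not code from the thread, from OpenSSL or from NSS. It reproduces the key derivation of the PKCS#12 PBE scheme that NSS's SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC and OpenSSL's PBE-SHA1-3DES share (RFC 7292 Appendix B, password encoded as a BMPString with a 16-bit NUL terminator, the "double null" Dr. Henson mentions), and beside it the PKCS#5 v2.0 PBKDF2-HMAC-SHA1 derivation OpenSSL uses when i2d_PKCS8PrivateKey_fp is handed a cipher such as EVP_des_ede3_cbc() (password taken as raw bytes). The password, salt and iteration count are constructed inputs; the 3DES encryption step itself is left out, since the point is that the three derivations yield three different keys from the same password and salt, which is exactly the "invalid password" symptom reported above.

```python
import hashlib

# Added example, not code from the thread. Constants follow RFC 7292 B.2
# for SHA-1: u is the digest length, v the hash block length.
SHA1_LEN = 20
SHA1_BLOCK = 64
ID_KEY, ID_IV, ID_MAC = 1, 2, 3  # the "ID byte" selecting key, IV or MAC key


def bmp_password(password: str) -> bytes:
    """PKCS#12 password encoding: UTF-16BE code units plus a 16-bit NUL.

    This is the "Unicode with a double null terminator" form; the empty
    password encodes as just the two NUL bytes.
    """
    return password.encode("utf-16-be") + b"\x00\x00"


def _fill(data: bytes, v: int) -> bytes:
    """Repeat data up to the next multiple of v bytes (empty stays empty)."""
    if not data:
        return b""
    target = v * -(-len(data) // v)  # v * ceil(len / v)
    return (data * (target // len(data) + 1))[:target]


def pkcs12_kdf(password: bytes, salt: bytes, id_byte: int,
               iterations: int, n: int) -> bytes:
    """RFC 7292 B.2 key derivation with SHA-1, returning n bytes."""
    if iterations < 1 or n < 1:
        raise ValueError("iterations and n must be positive")
    D = bytes([id_byte]) * SHA1_BLOCK                      # "diversifier"
    I = bytearray(_fill(salt, SHA1_BLOCK) + _fill(password, SHA1_BLOCK))
    out = b""
    while len(out) < n:
        A = D + bytes(I)
        for _ in range(iterations):                         # A = H^r(D || I)
            A = hashlib.sha1(A).digest()
        out += A
        # B is A expanded to v bytes; every v-byte block of I becomes
        # (I_j + B + 1) mod 2^(8v), interpreted big-endian.
        B = int.from_bytes(_fill(A, SHA1_BLOCK), "big") + 1
        for j in range(0, len(I), SHA1_BLOCK):
            Ij = int.from_bytes(I[j:j + SHA1_BLOCK], "big")
            Ij = (Ij + B) % (1 << (8 * SHA1_BLOCK))
            I[j:j + SHA1_BLOCK] = Ij.to_bytes(SHA1_BLOCK, "big")
    return out[:n]


def pbe_sha1_3des_key_iv(password_bytes: bytes, salt: bytes, iterations: int):
    """24-byte key and 8-byte IV for pbeWithSHAAnd3-KeyTripleDES-CBC."""
    key = pkcs12_kdf(password_bytes, salt, ID_KEY, iterations, 24)
    iv = pkcs12_kdf(password_bytes, salt, ID_IV, iterations, 8)
    return key, iv


def pbes2_3des_key(password_bytes: bytes, salt: bytes, iterations: int) -> bytes:
    """PKCS#5 v2.0 PBKDF2-HMAC-SHA1, the PBES2 path OpenSSL takes when
    i2d_PKCS8PrivateKey_fp is given a cipher rather than a PBE NID."""
    return hashlib.pbkdf2_hmac("sha1", password_bytes, salt, iterations, 24)


def compare_derivations(password: str, salt: bytes, iterations: int) -> dict:
    """Derive the 3DES key three ways from one password and salt:
    PKCS#12 PBE with a BMPString password (NSS and PBE-SHA1-3DES agree),
    PKCS#12 PBE fed the raw ASCII bytes (what the poster tried in NSS),
    and PBES2/PBKDF2 with raw ASCII bytes (the original OpenSSL call)."""
    bmp = bmp_password(password)
    ascii_pw = password.encode("ascii")
    return {
        "pkcs12_bmp": pbe_sha1_3des_key_iv(bmp, salt, iterations)[0],
        "pkcs12_ascii": pbe_sha1_3des_key_iv(ascii_pw, salt, iterations)[0],
        "pbes2_ascii": pbes2_3des_key(ascii_pw, salt, iterations),
    }


if __name__ == "__main__":
    salt = bytes.fromhex("0a58cf64530d823f")  # constructed 8-byte salt
    for name, key in compare_derivations("secret", salt, 2048).items():
        print(f"{name:13s} {key.hex()}")
```

Running the script prints three unrelated 24-byte keys. Only the first corresponds to what an NSS consumer of a PBE-SHA1-3DES EncryptedPrivateKeyInfo will compute, which is why switching to i2d_PKCS8PrivateKey_nid_fp with OBJ_txt2nid("PBE-SHA1-3DES") (or `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES`) made the files interoperate: the AlgorithmIdentifier then tells both libraries to use the PKCS#12 KDF and the BMPString password form.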