On Wed, Sep 07, 2011, Shawn Willden wrote: > (Note: CC'd to the Keyczar mailing list. Apologies to anyone who's > on both lists.) > > I'm getting errors that I don't really understand from > PEM_read_vio_PrivateKey on Mac OS X 10.6 (the error does not occur on > Linux, so it's version/platform-related). > > The error is occurring in a unit test in the Keyczar project > (http://keyczar.org). The test is trying to export and then import an > RSA private key (actually, the same problem shows up when working with > DSA and ECDSA keys, but I'm focusing on RSA at the moment). The > export is done with: > > PEM_write_bio_PKCS8PrivateKey(out, key, cipher, NULL, 0, > NULL, passphrase); > > where key is an EVP_PKEY pointer and cipher was obtained by calling > EVP_aes_128_cbc(). The export returns 1indicating success. The > import is then done by calling: > > PEM_read_bio_PrivateKey(in, NULL, NULL, passphrase); > > The error text is: > > error:0607607D:digital envelope > routines:PKCS5_v2_PBE_keyivgen:unsupported prf > error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure > error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor > cipherinit error > error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe > crypt error > error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib > > It appears to me that openssl is trying to use some pseudo-random > function (PRF) that it doesn't have, apparently while trying to > generate an IV. But that raises some questions. > > 1. Why is it trying to generate an IV when trying to _read_ a PEM > file. It should be decrypting, not encrypting.
Well it is technically deriving the key from the passphrase and it needs to generate the same key and IV as used when encrypting: though in the case of that algorithm the IV is in plain text. > 2. Why is it trying to use an algorithm it doesn't have? Is there a > way I can tell it to use a different one? > 3. Why does this only happen on OS X? Is the Mac version of the lib > different in some way? > Have you included OpenSSL_add_all_algorithms()? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org