Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.
Add option to pkcs8 utility.
Update docs.
(cherry picked from commit
b60272b01fcb4f69201b3e1659b4f7e9e9298dfb)
else
badarg = 1;
}
+ else if (!strcmp(*args,"-v2prf"))
+ {
+ if (args[1])
+ {
+ args++;
+ pbe_nid=OBJ_txt2nid(*args);
+ if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
+ {
+ BIO_printf(bio_err,
+ "Unknown PRF algorithm %s\n", *args);
+ badarg = 1;
+ }
+ }
+ else
+ badarg = 1;
+ }
else if (!strcmp(*args,"-inform"))
{
if (args[1])
goto err;
}
- if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
- else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+ if(pbe_nid == -1)
+ pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+ else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
+ pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid);
+ else
+ {
+ ERR_clear_error();
+ pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+ }
if(!pbe) {
PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
goto err;
[B<-embed>]
[B<-nsdb>]
[B<-v2 alg>]
+[B<-v2prf alg>]
[B<-v1 alg>]
[B<-engine id>]
The B<alg> argument is the encryption algorithm to use, valid values include
B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
+=item B<-v2prf alg>
+
+This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
+values would be B<hmacWithSHA256>. If this option isn't set then the default
+for the cipher is used or B<hmacWithSHA1> if there is no default.
+
=item B<-v1 alg>
This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
+Convert a private from traditional to PKCS#5 v2.0 format using AES with
+256 bits in CBC mode and B<hmacWithSHA256> PRF:
+
+ openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -out enckey.pem
+
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(DES):