pkey: Use openssl generated pkcs8 key instead #830
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the
test_private_encoding_encrypted
test, we have a rsa private key pem file that was generated withcerttool
. I'm not entirely sure if the command that was used to generated the file was correct though. Dumping out the ASN.1 contents of this file indicates that this file was generated with an additional--pkcs-cipher=aes-128
. When I try running the same command as the documentation indicates, the pem file would be encrypted with the default3des-pkcs12
instead.der2ascii -pem -i rsa.pem > rsa.txt
.The commentary above is fairly minor. The larger issue is that certtool's generated pkcs8 files aren't entirely consistent with RFC8018 Appendix A.2. certtool's PKCS8 private keys have a missing
NULL
field that should be paired with the Algorithm ID when using PBKDF2-PRF. OpenSSL doesn't seem to notice this, although this does fail with stricter parsers that explicitly check the field. I've cut an issue to GnuTLS regarding this, but it would be awesome if we could use a key file that's consistent with RFC guidelines for now instead.OpenSSL's generated PKCS8 keys don't have the same issue described, so I've replaced the key file for an OpenSSL generated command along with the command I used to generate.