Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Bob,
>> I implemented the importing and exporting of private key from PKCS#8
>> file using NSS API.
>> Here is what I found based on my testing:
>>
>> Using Mozilla NSS API, I can only import/export private key in PKCS#8
>> format with "PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc"
>> encryption algorithm.
>> I would like to support other encryption algorithms supported by
>> OpenSSL.
>>
> Are you using NSS 3.11 or 3.12? We added PKCS 5 v2 (needed for the
> other algorithms) in 3.12.
> I'm pretty sure Elio got support for other keys working.

I am using the NSS that came with xulrunner-1.9-SDK. I think that it is
NSS 3.11+. I wish there were an API in NSS that I could use to print the
NSS version when I run my code.

>> Using NSS-API, I can import private key from OpenSSL generated PEM
>> file (openssl rsa ...) with DES-EDE3-CBC (-des3 option) encryption only.
>> But, I cannot read the private key from Mozilla NSS API generated PEM
>> file using the OpenSSL API because NSS uses 16 byte salt for encryption
>> but the OpenSSL API expects 8 byte salt.
>>
> Hmm, sounds like a bug in openSSL, though I do remember tripping over
> this. I believe there is an NSS interface that lets you set the salt
> length specifically when generating the PBE (at least in NSS 3.12).

I used the PK11_ExportEncryptedPrivateKeyInfo() method to create the
encrypted private key - this method does not have any parameter for salt
length.
BTW, it is not a bug in OpenSSL. I looked in the OpenSSL source code - the
salt length is hard-coded to 8 bytes.

>
> bob
>
>> --
>> Subrata
>>
>>
>> Robert Relyea wrote:
>>
>>> Subrata Mazumdar wrote:
>>>
>>>> Nelson,
>>>> thanks very much for the clear answer - I did not realize that the
>>>> Mozilla NSS does not support PKCS#8.
>>>> I also agree with you that PKCS#12 format is the right way to
>>>> import/export keys.
>>>> The problem is that a large number of OpenSSL based applications
>>>> still use separate files for private key and public key cert.
>>>> Actually, the problem is even worse - some of the applications
>>>> use unencrypted private key or OpenSSL specific encrypted PEM file
>>>> (generated using 'openssl rsa' command).
>>>> Anyway, thanks once again.
>>>>
>>> I believe Elio has some sample code that can import and export
>>> *wrapped* PKCS #8 keys stored in Pem format. Unwrapped keys are not
>>> considered safe. To support them you would need to manually
>>> encrypt/decrypt the wrapped keys. NSS does not have an interface to
>>> release unencrypted keys and applications are strongly discouraged
>>> from using them. Even openssl prefers encrypted to unencrypted keys.
>>>
>>> bob
>>>
>>>> --
>>>> Subrata
>>>>
>>>> Nelson Bolyard wrote:
>>>>
>>>>> Subrata Mazumdar wrote, On 2008-09-26 07:19:
>>>>>
>>>>>> Hi,
>>>>>> I am having problem in reading PKCS#8 file generated by OpenSSL
>>>>>> command line tool ("openssl pkcs8").
>>>>>>
>>>>> Officially, import and export of pkcs#8 files is not supported in
>>>>> NSS.
>>>>> You may or may not be able to get it to work, but because of the
>>>>> security concerns of PKCS#8 files, NSS does not support them.
>>>>>
>>>>> PKCS#12 is the supported way to import or export private keys and
>>>>> their related certificates. If you have a problem with PKCS#12, you
>>>>> can get support from the NSS team.
>>>>>
>>>>> PKCS#12 is the one universally implemented private key transport
>>>>> method. OpenSSL also supports PKCS#12, and so does Windows.
>>>>>
>>>> _______________________________________________
>>>> dev-tech-crypto mailing list
>>>> dev-tech-crypto@lists.mozilla.org
>>>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>>>
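The interop problem in the thread lives in the outer PKCS#8 header, not in the key itself: an EncryptedPrivateKeyInfo carries an AlgorithmIdentifier naming the PBE scheme (the PKCS#12 PBE that NSS 3.11 emits, or PBES2/PBKDF2 from PKCS#5 v2) together with the salt and iteration count, and the thread reports that NSS writes a 16-byte salt where OpenSSL's reader expects 8. The following is an added example, not code from the thread, from NSS or from OpenSSL: a dependency-free Python inspector that decodes just that header so the scheme and salt length of any two files can be compared before blaming either library. The OID-to-name table is the standard one; the sample headers, their iteration counts and the IV are constructed here with dummy ciphertext, and the 8-byte check merely encodes the thread's claim rather than an independent reading of OpenSSL.

```python
"""Inspect the PBE header of a PKCS#8 EncryptedPrivateKeyInfo (RFC 5208 / RFC 8018).

Added example, not code from the thread, NSS or OpenSSL. Only the outer
AlgorithmIdentifier is decoded (scheme, salt, iteration count); the
encryptedData octets are never touched. Samples are constructed inline
with dummy ciphertext and contain no real key material.
"""
import base64

OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",  # PKCS#12 PBE
    "1.2.840.113549.1.5.13": "PBES2",                               # PKCS#5 v2
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.3.7": "des-ede3-cbc",
}

# ---- minimal DER encoder, used only to build the constructed samples ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def seq(*items): return tlv(0x30, b"".join(items))
def octet(b): return tlv(0x04, b)
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    """Return (tag, contents, position just past this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    """Strip '-----BEGIN ENCRYPTED PRIVATE KEY-----' armor and base64-decode."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def inspect_epki(der):
    """Describe the password-based encryption an EncryptedPrivateKeyInfo uses."""
    _, epki, _ = read_tlv(der)
    _, algid, _ = read_tlv(epki)                 # encryptionAlgorithm
    _, scheme_oid, p = read_tlv(algid)
    scheme = decode_oid(scheme_oid)
    _, params, _ = read_tlv(algid, p)
    info = {"scheme": OIDS.get(scheme, scheme)}
    if scheme == "1.2.840.113549.1.5.13":        # PBES2-params { kdf, encryptionScheme }
        _, kdf, p = read_tlv(params)
        _, kdf_oid, q = read_tlv(kdf)
        _, kdf_params, _ = read_tlv(kdf, q)
        _, salt, q = read_tlv(kdf_params)        # PBKDF2-params: salt, iterationCount
        _, iters, _ = read_tlv(kdf_params, q)
        _, enc, _ = read_tlv(params, p)
        _, enc_oid, _ = read_tlv(enc)
        info["kdf"] = OIDS.get(decode_oid(kdf_oid), decode_oid(kdf_oid))
        info["cipher"] = OIDS.get(decode_oid(enc_oid), decode_oid(enc_oid))
    else:                                        # pkcs-12PbeParams { salt, iterations }
        _, salt, p = read_tlv(params)
        _, iters, _ = read_tlv(params, p)
    info["salt_len"] = len(salt)
    info["iterations"] = int.from_bytes(iters, "big")
    return info

def salt_len_matches_openssl(info):
    # The thread reports OpenSSL's reader expects an 8-byte salt; flag anything else.
    return info["salt_len"] == 8

def sample_pkcs12_pbe(salt_len=16, iterations=2000):
    """Constructed header in the shape the thread attributes to NSS: PKCS#12 PBE, 16-byte salt."""
    params = seq(octet(bytes(range(salt_len))), integer(iterations))
    return seq(seq(oid("1.2.840.113549.1.12.1.3"), params), octet(b"\x00" * 24))

def sample_pbes2(salt_len=8, iterations=2048):
    """Constructed PKCS#5 v2 header (PBKDF2 + des-ede3-cbc), 8-byte salt; values assumed."""
    kdf = seq(oid("1.2.840.113549.1.5.12"), seq(octet(bytes(range(salt_len))), integer(iterations)))
    enc = seq(oid("1.2.840.113549.3.7"), octet(b"\x11" * 8))   # des-ede3-cbc IV, dummy
    return seq(seq(oid("1.2.840.113549.1.5.13"), seq(kdf, enc)), octet(b"\x00" * 24))
```

Run `inspect_epki(pem_to_der(open("key.p8").read()))` on an NSS-produced file and on an `openssl pkcs8` file to see whether they differ in scheme, salt length, or both; the inspector deliberately stops before the ciphertext, so it never needs the passphrase and leaks nothing about the key.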