Browse Source

Support writing RSA keys using the traditional format again

Fixes: #6855

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8743
master
Kurt Roeckx 3 years ago
parent
commit
10203a3472
7 changed files with 52 additions and 27 deletions
  1. +2
    -2
      CHANGES.md
  2. +15
    -5
      apps/genrsa.c
  3. +14
    -3
      apps/rsa.c
  4. +5
    -0
      doc/man1/openssl-genrsa.pod.in
  5. +5
    -7
      doc/man1/openssl-rsa.pod.in
  6. +1
    -1
      doc/man1/openssl.pod
  7. +10
    -9
      test/testrsa.pem

+ 2
- 2
CHANGES.md View File

@ -353,8 +353,8 @@ OpenSSL 3.0
*Paul Dale*
* The command line utilities genrsa and rsa have been modified to use PKEY
APIs These commands are now in maintenance mode and no new features will
be added to them.
APIs. They now write PKCS#8 keys by default. These commands are now in
maintenance mode and no new features will be added to them.
*Paul Dale*


+ 15
- 5
apps/genrsa.c View File

@ -38,7 +38,7 @@ typedef enum OPTION_choice {
#endif
OPT_F4, OPT_ENGINE,
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
OPT_R_ENUM, OPT_PROV_ENUM
OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
} OPTION_CHOICE;
const OPTIONS genrsa_options[] = {
@ -62,6 +62,8 @@ const OPTIONS genrsa_options[] = {
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys"},
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
OPT_R_OPTIONS,
@ -88,7 +90,7 @@ int genrsa_main(int argc, char **argv)
char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
char *prog, *hexe, *dece;
OPTION_CHOICE o;
unsigned char *ebuf = NULL;
int traditional = 0;
if (bn == NULL || cb == NULL)
goto end;
@ -141,6 +143,9 @@ opthelp:
case OPT_VERBOSE:
verbose = 1;
break;
case OPT_TRADITIONAL:
traditional = 1;
break;
}
}
argc = opt_num_rest();
@ -214,8 +219,14 @@ opthelp:
OPENSSL_free(hexe);
OPENSSL_free(dece);
}
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
goto end;
if (traditional) {
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
NULL, passout))
goto end;
} else {
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
goto end;
}
ret = 0;
end:
@ -226,7 +237,6 @@ opthelp:
BIO_free_all(out);
release_engine(eng);
OPENSSL_free(passout);
OPENSSL_free(ebuf);
if (ret != 0)
ERR_print_errors(bio_err);
return ret;


+ 14
- 3
apps/rsa.c View File

@ -31,7 +31,7 @@ typedef enum OPTION_choice {
/* Do not change the order here; see case statements below */
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER,
OPT_PROV_ENUM
OPT_PROV_ENUM, OPT_TRADITIONAL
} OPTION_CHOICE;
const OPTIONS rsa_options[] = {
@ -59,6 +59,8 @@ const OPTIONS rsa_options[] = {
{"noout", OPT_NOOUT, '-', "Don't print key out"},
{"text", OPT_TEXT, '-', "Print the key in text"},
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{"traditional", OPT_TRADITIONAL, '-',
"Use traditional format for private keys"},
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
OPT_SECTION("PVK"),
@ -88,6 +90,7 @@ int rsa_main(int argc, char **argv)
int pvk_encr = 2;
#endif
OPTION_CHOICE o;
int traditional = 0;
prog = opt_init(argc, argv, rsa_options);
while ((o = opt_next()) != OPT_EOF) {
@ -163,6 +166,9 @@ int rsa_main(int argc, char **argv)
if (!opt_provider(o))
goto end;
break;
case OPT_TRADITIONAL:
traditional = 1;
break;
}
}
argc = opt_num_rest();
@ -280,8 +286,13 @@ int rsa_main(int argc, char **argv)
i = PEM_write_bio_RSA_PUBKEY(out, rsa);
} else {
assert(private);
i = PEM_write_bio_RSAPrivateKey(out, rsa,
enc, NULL, 0, NULL, passout);
if (traditional) {
i = PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
NULL, passout);
} else {
i = PEM_write_bio_PrivateKey(out, pkey,
enc, NULL, 0, NULL, passout);
}
}
#ifndef OPENSSL_NO_DSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {


+ 5
- 0
doc/man1/openssl-genrsa.pod.in View File

@ -28,6 +28,7 @@ B<openssl> B<genrsa>
[B<-3>]
[B<-primes> I<num>]
[B<-verbose>]
[B<-traditional>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
@ -83,6 +84,10 @@ RSA key, which is defined in RFC 8017.
Print extra details about the operations being performed.
=item B<-traditional>
Write the key using the traditional PKCS#1 format instead of the PKCS#8 format.
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_engine_item -}


+ 5
- 7
doc/man1/openssl-rsa.pod.in View File

@ -34,6 +34,7 @@ B<openssl> B<rsa>
[B<-text>]
[B<-noout>]
[B<-modulus>]
[B<-traditional>]
[B<-check>]
[B<-pubin>]
[B<-pubout>]
@ -47,10 +48,7 @@ B<openssl> B<rsa>
=head1 DESCRIPTION
This command processes RSA keys. They can be converted between
various forms and their components printed out. B<Note> this command uses the
traditional SSLeay compatible format for private key encryption: newer
applications should use the more secure PKCS#8 format using the
L<openssl-pkcs8(1)> command.
various forms and their components printed out.
=head1 OPTIONS
@ -72,10 +70,10 @@ See L<openssl(1)/Format Options> for details.
The key output format; the default is B<PEM>.
See L<openssl(1)/Format Options> for details.
=item B<-inform> B<DER>|B<PEM>
=item B<-traditional>
The data is a PKCS#1 B<RSAPrivateKey> or B<SubjectPublicKey> object.
On input, PKCS#8 format private keys are also accepted.
When writing a private key, use the traditional PKCS#1 format
instead of the PKCS#8 format.
=item B<-in> I<filename>


+ 1
- 1
doc/man1/openssl.pod View File

@ -529,7 +529,7 @@ parameters start with a minus sign:
Several OpenSSL commands can take input or generate output in a variety
of formats.
Since OpenSSL 3.0 keys, single certificates, and CRLs can be read from
files in any of the B<DER>, B<PEM>, or B<P12> formats,
files in any of the B<DER>, B<PEM> or B<P12> formats,
while specifying their input format is no more needed.
The list of acceptable formats, and the default, is


+ 10
- 9
test/testrsa.pem View File

@ -1,9 +1,10 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEAqtt6qS5GTxVxGZYW
a0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO/Re1uwLKXdCjIoaGs4DLdG88rkzf
yK5dPQIDAQABAkBndyfNodcz9vEZpHkJHVGsPWoUEBV+hAWI4f248mAxqgC6hASK
w8dVxkMpw6/jASDr9MicAhcGcSKC2q9HO7KhAiEA9yBnNSrfJWigBqii/xRtc/Go
eXCjoYEyqe/bTHOR/pkCIQCw/gGchpBMzxKa9ykdnBAl2Z0ceQYoCzfsN/GLrsdu
RQIhAJ5kaWIdcVrTvUWnTpl5aVHYAOidNnOskGF1N7S/mkJ5AiEAhl+SIaAYFfhw
i65yTMSbjeD1YxSPE//QaUrf28jKKHECIQCbKZ6EVFPQy+pbnEAoDHs+CS3wdUrB
WFzYvAYocTQNkw==
-----END PRIVATE KEY-----

Loading…
Cancel
Save