Update pkcs8 defaults.

Update pkcs8 utility to use 256 bit AES using SHA256 by default. Update documentation. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
7 years ago · 8fc06e8860
parent 2ab851b779
commit 8fc06e8860
4 changed files with 31 additions and 27 deletions
--- a/4
+++ b/4
@ -4,6 +4,10 @@

 Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]

+  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+     256 bit AES and HMAC with SHA256.
+     [Steve Henson]
+
  *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
     [Andy Polyakov]

--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@ -177,6 +177,8 @@ int pkcs8_main(int argc, char **argv)
                           "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
                goto opthelp;
            }
+            if (cipher == NULL)
+                cipher = EVP_aes_256_cbc();
            break;
        case OPT_ITER:
            if (!opt_int(opt_arg(), &iter))
@ -225,8 +227,8 @@ int pkcs8_main(int argc, char **argv)
        goto end;
    }

-    if ((pbe_nid == -1) && !cipher)
-        pbe_nid = NID_pbeWithMD5AndDES_CBC;
+    if ((pbe_nid == -1) && cipher == NULL)
+        cipher = EVP_aes_256_cbc();

    in = bio_open_default(infile, 'r', informat);
    if (in == NULL)
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@ -140,7 +140,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
    if ((prf_nid == -1) &&
        EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
        ERR_clear_error();
-        prf_nid = NID_hmacWithSHA1;
+        prf_nid = NID_hmacWithSHA256;
    }
    EVP_CIPHER_CTX_free(ctx);
    ctx = NULL;
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@ -57,7 +57,7 @@ private key is used.

 =item B<-outform DER|PEM>

-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.

 =item B<-in filename>
@ -100,28 +100,26 @@ code signing software used unencrypted private keys.

 =item B<-v2 alg>

-This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
-private keys are encrypted with the password based encryption algorithm
-called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
-the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
-encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
-not many implementations support PKCS#5 v2.0 yet. If you are just using
-private keys with OpenSSL then this doesn't matter.
+This option sets the PKCS#5 v2.0 algorithm.

 The B<alg> argument is the encryption algorithm to use, valid values include
-B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
+B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
+is used.

 =item B<-v2prf alg>

 This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
-values would be B<hmacWithSHA256>. If this option isn't set then the default
-for the cipher is used or B<hmacWithSHA1> if there is no default.
+value would be B<hmacWithSHA256>. If this option isn't set then the default
+for the cipher is used or B<hmacWithSHA256> if there is no default.
+
+Some implementations may not support custom PRF algorithms and may require
+the B<hmacWithSHA1> option to work.

 =item B<-v1 alg>

-This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
-list of possible algorithms is included below.
+This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used.  Some
+older implementations may not support PKCS#5 v2.0 and may require this option.
+If not specified PKCS#5 v2.0 for is used.

 =item B<-engine id>

@ -145,6 +143,13 @@ sets the scrypt B<N>, B<r> or B<p> parameters.

 =head1 NOTES

+By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
+AES with HMAC and SHA256 is used.
+
+Some older implementations do not support PKCS#5 v2.0 format and require
+the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
+encryption algorithms such as 56 bit DES.
+
 The encrypted form of a PEM encode PKCS#8 files uses the following
 headers and footers:

@ -161,13 +166,6 @@ counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered
 important the keys should be converted.

-The default encryption is only 56 bits because this is the encryption
-that most current implementations of PKCS#8 will support.
-
-Some software may use PKCS#12 password based encryption algorithms
-with PKCS#8 format private keys: these are handled automatically
-but there is no option to produce them.
-
 It is possible to write out DER encoded encrypted private keys in
 PKCS#8 format because the encryption details are included at an ASN1
 level whereas the traditional format includes them at a PEM level.
@ -228,8 +226,8 @@ Read a DER unencrypted PKCS#8 format private key:
 Convert a private key from any PKCS#8 format to traditional format:

 openssl pkcs8 -in pk8.pem -out key.pem
- 
-Convert a private key to PKCS#8 format, encrypting with AES-256 and with 
+
+Convert a private key to PKCS#8 format, encrypting with AES-256 and with
 one million iterations of the password:

 openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
@ -259,7 +257,7 @@ the old format at present.
 =head1 SEE ALSO

 L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
-L<gendsa(1)> 
+L<gendsa(1)>

 =head1 HISTORY