Bug 1380642

Summary: Cannot read encrypted PKCS#8 from OpenSSL
Product: Red Hat Enterprise Linux 7 Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: gnutlsAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: dwmw2, extras-qa, hkario, nmavrogi, szidek, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.3.26-1.el7 Doc Type: Enhancement
Doc Text:
Feature: This adds support for decoding private keys encrypted using openssl version 1.1.0. Reason: OpenSSL 1.1.0 changed its default encoding format for PKCS#8 private keys, involving HMAC algorithms not handled in GnuTLS for PKCS#8 private key decoding. Result: This change ensures keys generated using OpenSSL 1.1.0 will be decoded by gnutls applications.
Story Points: ---
Clone Of: 1369484 Environment:
Last Closed: 2017-08-01 08:48:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1369484    
Bug Blocks:    

Description Nikos Mavrogiannopoulos 2016-09-30 08:50:27 UTC
+++ This bug was initially created as a clone of Bug #1369484 +++

GnuTLS (for example openconnect) can read PKCS#8 files generated by Fedora's OpenSSL 1.1.

It started at OpenSSL commit 8fc06e8860:
https://github.com/openssl/openssl/commit/8fc06e8860

Specifically, changing the PRF to use SHA256. So this works:

$ apps/openssl pkcs8 -topk8 -in ~/privkey.pem -out ~/pk8-test.pem -v2 aes256 -passout pass:asdf -v2prf hmacWithSHA1

... and GnuTLS fails to parse this one:

$ apps/openssl pkcs8 -topk8 -in ~/privkey.pem -out ~/pk8-test.pem -v2 aes256 -passout pass:asdf -v2prf hmacWithSHA256



https://gitlab.com/gnutls/gnutls/commit/13893550aa266d55bd5ec6ef395ae48f528b24d5

Comment 5 errata-xmlrpc 2017-08-01 08:48:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2292