Bug 1380642 - Cannot read encrypted PKCS#8 from OpenSSL
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnutls
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nikos Mavrogiannopoulos
QA Contact: Hubert Kario
Depends On: 1369484
Reported: 2016-09-30 08:50 UTC by Nikos Mavrogiannopoulos
Modified: 2017-08-01 08:48 UTC

Fixed In Version: gnutls-3.3.26-1.el7
Doc Type: Enhancement
Doc Text:
Feature: This adds support for decoding private keys encrypted using OpenSSL version 1.1.0.
Reason: OpenSSL 1.1.0 changed its default encoding format for PKCS#8 private keys, involving HMAC algorithms not handled in GnuTLS for PKCS#8 private key decoding.
Result: This change ensures keys generated using OpenSSL 1.1.0 will be decoded by gnutls applications.
Clone Of: 1369484
Last Closed: 2017-08-01 08:48:22 UTC
Target Upstream Version:


System: Red Hat Product Errata
ID: RHSA-2017:2292
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: gnutls security, bug fix, and enhancement update
Last Updated: 2017-08-01 12:39:15 UTC

Description Nikos Mavrogiannopoulos 2016-09-30 08:50:27 UTC
+++ This bug was initially created as a clone of Bug #1369484 +++

GnuTLS (for example openconnect) can read PKCS#8 files generated by Fedora's OpenSSL 1.1.

It started at OpenSSL commit 8fc06e8860:

Specifically, changing the PRF to use SHA256. So this works:

$ apps/openssl pkcs8 -topk8 -in ~/privkey.pem -out ~/pk8-test.pem -v2 aes256 -passout pass:asdf -v2prf hmacWithSHA1

... and GnuTLS fails to parse this one:

$ apps/openssl pkcs8 -topk8 -in ~/privkey.pem -out ~/pk8-test.pem -v2 aes256 -passout pass:asdf -v2prf hmacWithSHA256
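
Added example, not part of the original report and not GnuTLS or OpenSSL code: a standard-library Python check that walks the EncryptedPrivateKeyInfo structure (PBES2 with PBKDF2, RFC 8018) and reports which PRF a key file names, the field that differs between the two commands above. The function names are hypothetical and sample() builds a constructed structure with dummy salt, IV and ciphertext.

```python
import base64

PBES2 = bytes.fromhex("2a864886f70d01050d")    # DER OID 1.2.840.113549.1.5.13
PBKDF2 = bytes.fromhex("2a864886f70d01050c")   # DER OID 1.2.840.113549.1.5.12
PRFS = {bytes.fromhex("2a864886f70d0207"): "hmacWithSHA1",    # 1.2.840.113549.2.7
        bytes.fromhex("2a864886f70d0209"): "hmacWithSHA256"}  # 1.2.840.113549.2.9

def tlvs(buf):
    """Yield (tag, value) for each definite-length DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def from_pem(text):  # base64 body of an ENCRYPTED PRIVATE KEY block -> DER
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

def pbkdf2_prf(der):
    """Return the PBKDF2 PRF named in an EncryptedPrivateKeyInfo."""
    alg = next(tlvs(next(tlvs(der))[1]))[1]                # encryptionAlgorithm
    scheme, params = tlvs(alg)                             # OID, PBES2-params
    kdf_oid, kdf_params = tlvs(next(tlvs(params[1]))[1])   # keyDerivationFunc
    if scheme[1] != PBES2 or kdf_oid[1] != PBKDF2:
        raise ValueError("not PBES2 with PBKDF2")
    fields = list(tlvs(kdf_params[1]))     # salt, iterationCount, [keyLength], [prf]
    prf = [v for t, v in fields[2:] if t == 0x30]
    if not prf:
        return "hmacWithSHA1"              # prf is DEFAULT hmacWithSHA1, omitted in DER
    prf_oid = next(tlvs(prf[0]))[1]
    return PRFS.get(prf_oid, prf_oid.hex())

def _der(tag, *parts):  # short-form length only; the sample stays under 128 bytes
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample(prf_oid=None):
    """Constructed sample (dummy salt, IV, ciphertext; aes256-CBC OID), not a real key."""
    prf = [_der(0x30, _der(6, prf_oid), _der(5))] if prf_oid else []
    kdf = _der(0x30, _der(6, PBKDF2), _der(0x30, _der(4, b"S" * 8), _der(2, b"\x08\x00"), *prf))
    enc = _der(0x30, _der(6, bytes.fromhex("60864801650304012a")), _der(4, b"I" * 16))
    alg = _der(0x30, _der(6, PBES2), _der(0x30, kdf, enc))
    return _der(0x30, alg, _der(4, b"C" * 16))

if __name__ == "__main__":
    for oid in (None, *PRFS):
        print(pbkdf2_prf(sample(oid)))
```

Passing the contents of a key file through from_pem() and pbkdf2_prf() shows whether it names a PRF other than hmacWithSHA1, which is the case this report says GnuTLS fails to parse before the fixed version.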


Comment 5 errata-xmlrpc 2017-08-01 08:48:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

