Cryptography Reference
In-Depth Information
no way to communicate the required initialization vector and encryption algo-
rithm, OpenSSL saves you from shooting yourself in the foot and always stores
a DER-encoded key fi le unencrypted, even if you ask for encryption.
A more standardized format,
PKCS #8
, describes essentially the same infor-
mation. Although OpenSSL supports the format, there's no way to generate a
key fi le in PKCS #8 format on an initial certifi cate request. You can convert an
OpenSSL to a PKCS #8 private key via:
[jdavies@localhost ssl]$ openssl pkcs8 -topk8 -in key.der -out key.pkcs8 \
-outform der
Enter pass phrase for key.der:
Enter Encryption Password:
Verifying - Enter Encryption Password:
This, by default, encrypts the fi le using DES; other encryption options
are possible, of course. The output is a triply nested ASN.1 DER encoded
structure. At the bottom layer of nesting is, of course, the PKCS #1-formatted
private key, which the
parse_private_key
routine of Listing 7-14 can parse
correctly. That structure is bit-string encoded and wrapped up as shown in
Figure 7-1 in another structure that includes an OID identifying the type of
private key — for example, to allow a non-RSA private key, such as DSA, to
be included instead.
OID_RSAPrivateKey
bit string containing ASN.1 DER-encoded private key
modulus (n)
public exponent (e)
private exponent (d)
prime1 (p)
prime2 (q)
exponent1 (d % p-1)
exponent2 (e % q-1)
coefficient (q^-1 %p)
Figure 7-1:
PKCS #8 contents
Search WWH ::
Custom Search