/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/evp.h>
#include <openssl/pkcs12.h>
+#define STR(a) XSTR(a)
+#define XSTR(a) #a
+
typedef enum OPTION_choice {
OPT_COMMON,
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
#endif
OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT,
OPT_TRADITIONAL,
+ OPT_SALTLEN,
OPT_R_ENUM, OPT_PROV_ENUM
} OPTION_CHOICE;
{"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"},
{"iter", OPT_ITER, 'p', "Specify the iteration count"},
{"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
-
+ {"saltlen", OPT_SALTLEN, 'p', "Specify the salt length (in bytes)"},
+ {OPT_MORE_STR, 0, 0, "Default: 8 (For PBE1) or 16 (for PBE2)"},
#ifndef OPENSSL_NO_SCRYPT
OPT_SECTION("Scrypt"),
{"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
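Review bot: The help line `"Default: 8 (For PBE1) or 16 (for PBE2)"` hard-codes both defaults as literals, while the `STR`/`XSTR` stringification macros added near the top of the file are not used by any hunk visible here. If the macros were meant to build this string from the library's salt-length constants, that wiring is missing; if not, they look like dead code and could be dropped. Either way the literals can drift silently from the defaults the library applies when `saltlen` is left at 0.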
#ifndef OPENSSL_NO_SCRYPT
long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
#endif
+ int saltlen = 0; /* A value of zero chooses the default */
prog = opt_init(argc, argv, pkcs8_options);
while ((o = opt_next()) != OPT_EOF) {
goto opthelp;
break;
#endif
+ case OPT_SALTLEN:
+ if (!opt_int(opt_arg(), &saltlen))
+ goto opthelp;
+ break;
}
}
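Review bot: The new `OPT_SALTLEN` case stores whatever integer the parser accepts and applies no range policy of its own. Assuming the `'p'` value type in the options table rejects non-positive input, the remaining gap is that a salt shorter than the 16-byte PBES2 default is accepted silently, and no upper bound is checked before the value reaches the `PKCS5_*` setters. NIST SP 800-132 recommends at least 128 bits of salt for PBKDF2, so a warning when the PBES2 path is used with `saltlen < 16` would help, e.g. `BIO_printf(bio_err, "Warning: salt length below 16 bytes weakens PBES2 protection\n");`. The option loop and its enclosing function start and end outside this hunk.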
if (cipher) {
#ifndef OPENSSL_NO_SCRYPT
if (scrypt_N && scrypt_r && scrypt_p)
- pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
+ pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, saltlen, NULL,
scrypt_N, scrypt_r, scrypt_p);
else
#endif
- pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
+ pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, saltlen, NULL,
pbe_nid);
} else {
- pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0);
+ pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, saltlen);
}
if (pbe == NULL) {
BIO_printf(bio_err, "Error setting PBE algorithm\n");
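Review bot: On the PBES1 branch, `PKCS5_pbe_set(pbe_nid, iter, NULL, saltlen)` now forwards a user-chosen length, but RFC 8018 defines the PKCS#5 v1.5 `PBEParameter` salt as exactly eight octets. The accompanying test encodes `PBE-MD5-DES` with `-saltlen 16`, so the tool can emit a structure that stricter parsers may reject; whether the library call constrains this is not visible here. Consider rejecting lengths other than 8 for PKCS#5 v1 schemes, or at least stating the caveat next to the call: `/* PKCS#5 v1.5 PBEParameter fixes the salt at 8 octets; other lengths are non-standard */`. The surrounding function starts and ends outside the hunk.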
setup("test_pkcs8");
-plan tests => 9;
+plan tests => 15;
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', srctop_file('test', 'certs', 'pc5-key.pem'),
"Check the default size of the PBKDF2 PARAM 'salt length' is 16");
SKIP: {
- skip "scrypt is not supported by this OpenSSL build", 2
+ skip "scrypt is not supported by this OpenSSL build", 4
if disabled("scrypt");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
'-in', 'scrypt_default_saltlen.pem',
'-offset', '34', '-length', '18']))),
"Check the default size of the SCRYPT PARAM 'salt length' = 16");
+
+ ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
+ '-in', srctop_file('test', 'certs', 'pc5-key.pem'),
+ '-scrypt',
+ '-saltlen', '8',
+ '-out', 'scrypt_64bit_saltlen.pem',
+ '-passout', 'pass:password']))),
+ "Convert a private key to PKCS5 v2.0 format using scrypt with a salt length of 8 bytes");
+
+# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3C1147976A2B61CA"
+# i.e. 2 byte header + 8 byte salt.
+ ok(run(app(([ 'openssl', 'asn1parse',
+ '-in', 'scrypt_64bit_saltlen.pem',
+ '-offset', '34', '-length', '10']))),
+ "Check the size of the SCRYPT PARAM 'salt length' is 8");
}
SKIP: {
- skip "legacy provider is not supported by this OpenSSL build", 2
+ skip "legacy provider is not supported by this OpenSSL build", 4
if disabled('legacy') || disabled("des");
ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
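Review bot: The new `asn1parse` checks in this hunk, and the matching PBE1 and PBKDF2 ones added further down, assert only that the command exits successfully at a hard-coded `-offset`/`-length`. The expected `l= 8` line quoted in the comment is never compared with the actual output. The checks presumably detect a wrong salt size only because a mismatched `-length` makes the parse fail, and any unrelated change to the encoding layout would break them too. Capturing the output and matching the OCTET STRING length would pin the property directly. There is also no negative case showing that an invalid `-saltlen` value (zero, negative or non-numeric) is rejected.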
'-in', 'pbe1.pem',
'-offset', '19', '-length', '10']))),
"Check the default size of the PBE PARAM 'salt length' = 8");
+
+ ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
+ '-in', srctop_file('test', 'certs', 'pc5-key.pem'),
+ '-v1', "PBE-MD5-DES",
+ '-saltlen', '16',
+ '-provider', 'legacy',
+ '-provider', 'default',
+ '-out', 'pbe1_128bitsalt.pem',
+ '-passout', 'pass:password']))),
+ "Convert a private key to PKCS5 v1.5 format using pbeWithMD5AndDES-CBC with the 16 byte saltlen");
+
+ ok(run(app(([ 'openssl', 'asn1parse',
+ '-in', 'pbe1_128bitsalt.pem',
+ '-offset', '19', '-length', '18']))),
+ "Check the size of the PBE PARAM 'salt length' = 16");
};
+
+ok(run(app(([ 'openssl', 'pkcs8', '-topk8',
+ '-in', srctop_file('test', 'certs', 'pc5-key.pem'),
+ '-saltlen', '8',
+ '-out', 'pbkdf2_64bit_saltlen.pem',
+ '-passout', 'pass:password']))),
+ "Convert a private key to PKCS5 v2.0 format using pbkdf2 with a salt length of 8 bytes");
+
+# We expect the output to be of the form "0:d=0 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:3C1147976A2B61CA"
+# i.e. 2 byte header + 8 byte salt.
+ok(run(app(([ 'openssl', 'asn1parse',
+ '-in', 'pbkdf2_64bit_saltlen.pem',
+ '-offset', '34', '-length', '10']))),
+ "Check the size of the PBKDF2 PARAM 'salt length' is 8");
+
+
SKIP: {
skip "SM2, SM3 or SM4 is not supported by this OpenSSL build", 3
if disabled("sm2") || disabled("sm3") || disabled("sm4");