[Bug 3013] New: Use the PKCS#8 formatted PEM files instead of insecure "traditional PEM"
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Thu May 23 01:37:20 AEST 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=3013
Bug ID: 3013
Summary: Use the PKCS#8 formatted PEM files instead of insecure
"traditional PEM"
Product: Portable OpenSSH
Version: 8.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3286
--> https://bugzilla.mindrot.org/attachment.cgi?id=3286&action=edit
generate PEM files in new PKCS#8 format
OpenSSL 1.0 introduced the following change according to the changelog
[1]:
> *) Make PKCS#8 the default write format for private keys, replacing the
> traditional format. This form is standardised, more secure and doesn't
> include an implicit MD5 dependency.
> [Steve Henson]
This is getting rid of of the old "traditional PEM" format and use the
standardized PKCS#8 one. Unfortunately, the users of the old API are
left with the old format, because the new format requires the use of a
new API.
I think OpenSSH should make use of this new format and use more secure
keys without leaving the users that need some interoperability (can not
use the new OpenSSH format) with the old (potentially) insecure format.
The attached patch modifies the PEM export function to use the new API
and generate PKCS#8 PEM files. They are readable by existing OpenSSL
API so this is the only change needed.
[1]
https://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_0-stable
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list