[erlang-bugs] PEM encoding problems with PBES2-params in public_key
Dániel Szoboszlay
dszoboszlay@REDACTED
Wed May 7 11:04:50 CEST 2014
Hi,
I tried to export an RSA key in PEM format using PBES2 encryption (using Erlang/OTP 17.0). The first problem I noticed is a documentation issue: public_key states that
cipher_info() = {"RC2-CBC | "DES-CBC" | "DES-EDE3-CBC",
crypto:rand_bytes(8)} | 'PBES2-params'}
However the last option should be a #'PBES2-params'{} record, not an atom in reality. This record is not documented in neither the user’s guide nor the reference manual.
After reading some source code I came up with the following snippet, which almost works:
Rand = crypto:rand_bytes(8),
Params = #'PBES2-params'{
keyDerivationFunc =
#'PBES2-params_keyDerivationFunc'{
algorithm = ?'id-PBKDF2',
parameters =
#'PBKDF2-params'{
salt = {specified, Rand},
iterationCount = 1,
keyLength = 24,
prf =
#'PBKDF2-params_prf'{
algorithm = ?'id-hmacWithSHA1'
}
}
},
encryptionScheme =
#'PBES2-params_encryptionScheme'{
algorithm = ?'des-EDE3-CBC',
parameters = <<4, 8, Rand/binary>>
}
},
Entry = public_key:pem_entry_encode('RSAPrivateKey', RSAKey,
{{"DES-EDE3-CBC", Params}, "1234abcd"}),
public_key:pem_encode([Entry]).
The problem is that Entry will contain the #'PBES2-params'{} record, but pubkey_pem:encode_pem_entry/1 accepts only a salt (a binary) in that position.
As far as I can tell decoding PEM files with PBES2-params work as expected, but encoding doesn’t, and this limitation is not documented.
Regards,
Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20140507/d1a6f4e6/attachment.htm>
More information about the erlang-bugs
mailing list