<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi,<div><br></div><div>I tried to export an RSA key in PEM format using PBES2 encryption (using Erlang/OTP 17.0). The first problem I noticed is a documentation issue: public_key states that</div><div><span style="font-family: Courier, monospace; font-size: medium;"><br></span></div><div><span style="font-family: Courier, monospace;">cipher_info() = {"RC2-CBC | "DES-CBC" | "DES-EDE3-CBC",</span></div><div><pre style="font-family: Courier, monospace;"> crypto:rand_bytes(8)} | <font color="#e32400">'PBES2-params'</font>}</pre><div>However the last option should be a <font face="Courier, monospace">#</font><span style="font-family: Courier, monospace;">'</span><font face="Courier, monospace">PBES2-params</font><span style="font-family: Courier, monospace;">'</span><span style="font-family: Courier, monospace;">{}</span> record, not an atom in reality. 
This record is documented in neither the user’s guide nor the reference manual.</div></div><div><br></div><div>After reading some source code I came up with the following snippet, which almost works:</div><div><br></div><div><div><font face="Courier">Rand = crypto:rand_bytes(8),</font></div><div><font face="Courier">Params = #'PBES2-params'{</font></div><div><font face="Courier"> keyDerivationFunc =</font></div><div><font face="Courier"> #'PBES2-params_keyDerivationFunc'{</font></div><div><font face="Courier"> algorithm = ?'id-PBKDF2',</font></div><div><font face="Courier"> parameters =</font></div><div><font face="Courier"> #'PBKDF2-params'{</font></div><div><font face="Courier"> salt = {specified, Rand},</font></div><div><font face="Courier"> iterationCount = 1,</font></div><div><font face="Courier"> keyLength = 24,</font></div><div><font face="Courier"> prf =</font></div><div><font face="Courier"> #'PBKDF2-params_prf'{</font></div><div><font face="Courier"> algorithm = ?'id-hmacWithSHA1'</font></div><div><font face="Courier"> }</font></div><div><font face="Courier"> }</font></div><div><font face="Courier"> },</font></div><div><font face="Courier"> encryptionScheme =</font></div><div><font face="Courier"> #'PBES2-params_encryptionScheme'{</font></div><div><font face="Courier"> algorithm = ?'des-EDE3-CBC',</font></div><div><font face="Courier"> parameters = <<4, 8, Rand/binary>></font></div><div><font face="Courier"> }</font></div><div><font face="Courier"> },</font></div><div><font face="Courier">Entry = public_key:pem_entry_encode('RSAPrivateKey', RSAKey,</font></div><div><font face="Courier"> {{"DES-EDE3-CBC", Params}, "1234abcd"}),</font></div><div><font face="Courier" color="#e32400">public_key:pem_encode([Entry]).</font></div></div><div><br></div><div>The problem is that Entry will contain the <font face="Courier, monospace">#</font><span style="font-family: Courier, monospace;">'</span><font face="Courier, monospace">PBES2-params</font><span 
style="font-family: Courier, monospace;">'</span><span style="font-family: Courier, monospace;">{}</span> record, but <font face="Courier">pubkey_pem:encode_pem_entry/1</font> accepts only a salt (a binary) in that position.</div><div><br></div><div>As far as I can tell decoding PEM files with PBES2-params works as expected, but encoding doesn’t, and this limitation is not documented.</div><div><br></div><div>Regards,</div><div>Daniel</div></body></html>