Support additional PBES2 encryption schemes
Not sure whether this is better categorized as a feature or a bug. Maybe more of a feature...
In 5.2.0 and earlier, encrypted PKCS#8 files using PBES2 and any non-3DES algorithm fail to unwrap in Strongswan. It is possible with a small code change to make other algorithms used with PBES2 like DES, RC2, Blowfish and AES accessible in Strongswan. Given openssl's use of PKCS#8 as the default write format for private keys, we may see more keys encrypted with PBES2 and AES. The other older ciphers (DES, RC2, Blowfish) probably won't be found very often, but the changes to enable these ciphers were easy to do once the work for AES was done. I have attached a proof-of-concept fix that will allow Strongswan to unwrap keys generated in this format, for example:
openssl genrsa 2048 | openssl pkcs8 -topk8 -v2 <CIPHER> -out some-p8-enc-key.pem
Where <CIPHER> can be des, des3, aes128, aes192, aes256, bf-cbc, rc2-40-cbc, rc2-64-cbc, or rc2-cbc (128-bit)
The blowfish support requires --enable-blowfish to be added at configure time.
This was tested using Strongswan 5.2.0 on CentOS 7
CentOS Linux release 7.0.1406 (Core)
Linux abbott 3.10.0-123.8.1.el7.x86_64 #1 SMP Mon Sep 22 19:06:58 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
asn1: Add OID for Blowfish CBC
The OID (184.108.40.206.4.1.3029.1.2) is technically not correct, the correct
one is (220.127.116.11.4.1.3029.1.1.2). Every other library or tool (like OpenSSL)
uses the incorrect one so we do the same.
#1 Updated by Tobias Brunner about 6 years ago
- Tracker changed from Issue to Feature
- Status changed from New to Feedback
- Assignee set to Tobias Brunner
I pushed a couple of commits to the pbes2-algs branch. I don't think we really need to provide support for the legacy RC2 algorithm, I added the Blowfish OID though.
The Blowfish OID (18.104.22.168.4.1.3029.1.2) is technically incorrect. The correct OID for Blowfish CBC has a one more 1 in there (22.214.171.124.4.1.3029.1.1.2). I saw that it is used incorrectly like that by several libraries/tools (e.g. OpenSSL and BouncyCastle) so this is probably due to an early typo and everybody has to do this incorrectly now.