PKCS#1 key vs PKCS#8...


sanjaya joshi

Jun 4, 2013, 7:01:28 AM
Hello,
  I am using strongSwan (v_4.5.3) for IPsec, which uses my X509 certificate and RSA private key.
If I use an RSA private key (unencrypted) that is PKCS#8 encoded, then strongSwan is not able to load the key. But it works if I use a traditional PKCS#1 encoded RSA key.

Could anyone explain which one is the better recommendation (PKCS#1 or PKCS#8)?
 
Regards,
Sanjaya

Dr. Stephen Henson

Jun 5, 2013, 9:03:09 AM
On Tue, Jun 04, 2013, sanjaya joshi wrote:

> Hello,
> I am using strongSwan (v_4.5.3) for IPsec, which uses my X509 certificate
> and RSA private key.
> If I use an RSA private key (unencrypted) that is PKCS#8 encoded, then
> strongSwan is not able to load the key. But it works if I use a
> traditional PKCS#1 encoded RSA key.
>

That's strange. If it uses the standard PEM routines to read in a private key,
OpenSSL should transparently handle PKCS#8 format.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

sanjaya joshi

Jun 5, 2013, 1:44:54 PM
Hi Steve,
  Thanks for the reply.
  Yes, it should have been handled, but I am not sure about the strongSwan implementation. Anyway, it's mentioned in their release notes that PKCS#8 is supported from v_4.6.* onwards.
I have another question.

1. I use OpenSSL 1.0.0, and I use RSA_generate_key_ex() to create the RSA key. After that, I use PEM_write_PrivateKey() to write it to a file and use it further. By doing this, the written key is a PKCS#8 encoded key. Which API should be used instead of PEM_write_PrivateKey() if I want a PKCS#1 encoded traditional key?
Is it OK to use PEM_write_RSAPrivateKey() to get a PKCS#1 encoded key in OpenSSL 1.0.0?

Note: In OpenSSL 0.9.8, PEM_write_PrivateKey() provides a PKCS#1 encoded key.
 
Regards,
Sanjaya
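
The two encodings discussed in this thread, as an added example that is not part of the original posts and is not OpenSSL or strongSwan code: an unencrypted PKCS#8 file (`PRIVATE KEY` label) is a PrivateKeyInfo wrapper whose OCTET STRING contains the PKCS#1 RSAPrivateKey (`RSA PRIVATE KEY` label). The Python below tells them apart by DER structure rather than by PEM label and unwraps one into the other. The function names are illustrative and the key bytes are a constructed toy value, not a usable key.

```python
import base64, re, textwrap

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
# Constructed toy key (n=3233, e=17, d=2753, p=61, q=53): valid DER, not a usable key.
TOY_PKCS1 = bytes.fromhex("301d02010002020ca102011102020ac102013d020135020135020131020126")
TOY_PKCS8 = bytes.fromhex("3033020100300d06092a864886f70d0101010500041f") + TOY_PKCS1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pem_decode(pem):
    """Return (label, der) for the first PEM block in the text."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode(m.group(2))

def pem_encode(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify(der):
    """Decide PKCS#1 vs PKCS#8 from the DER structure, ignoring the PEM label."""
    tag, body, _ = read_tlv(der)
    vtag, _, pos = read_tlv(body)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("not an unencrypted private key")
    # Second element: INTEGER n => PKCS#1, SEQUENCE AlgorithmIdentifier => PKCS#8.
    return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(read_tlv(body, pos)[0], "unknown")

def pkcs8_to_pkcs1(der):
    """Unwrap an unencrypted PKCS#8 RSA key to the PKCS#1 RSAPrivateKey inside it."""
    if classify(der) != "PKCS#8":
        raise ValueError("input is not PKCS#8")
    body = read_tlv(der)[1]
    pos = read_tlv(body)[2]                    # skip version
    _, alg, pos = read_tlv(body, pos)          # AlgorithmIdentifier
    tag, inner, _ = read_tlv(body, pos)        # OCTET STRING holding RSAPrivateKey
    if read_tlv(alg)[:2] != (0x06, RSA_OID) or tag != 0x04:
        raise ValueError("not an unencrypted RSA PKCS#8 key")
    return inner
```

Encrypted PKCS#8 files (`ENCRYPTED PRIVATE KEY`) start with a SEQUENCE rather than a version INTEGER, so `classify` rejects them instead of guessing.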

mike pilato

Jun 22, 2013, 9:20:29 PM
