0 length passwords not accepted when importing PKCS8 encrypted key

[engineercrypto]

One of my colleagues reports that 0 length passwords are not accepted when importing a PKCS8 encrypted key. To see why, go to pem_pkey.c:116 (in branch 1.0.2 stable). Notice that the comparison for password length is <= 0 rather than < 0, which disallows 0 length passwords.

Note that the PKCS 8 and PKCS 5 specifications do not disallow 0 length passwords, so this is a bug.

[levitte]

It's been like this since the beginning of time, or at least as far as I can look through history (d02b48c is the import of SSLeay 0.8.1b, see crypto/pem/pem_lib.c). I'm not sure I'd call that a bug visavi the specs, unless the specs forbid applications and libraries from rejecting 0 length passphrases.

Of course, we can change this, and it's a fairly simple change. What says the rest of @openssl?

[richsalz]

pkcs8 has the -nocrypt flag, I would prefer we just require that to be used.

[levitte]

Ah, thanks for the reminder

[levitte]

@engineercrypto, is that a satisfactory answer?

[engineercrypto]

That’s not the same thing. Consider the following: M266952RPEwN4:~ harold_stuart$ ssh-keygen -t rsa -f test.me Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in test.me. Your public key has been saved in test.me.pub. The key fingerprint is: SHA256:RESclLufqZQh99ky9EAMIcZUhlvJfckUpvwCBHSRsgQ harold_stuart@M266952RPEwN4 The key's randomart image is: +---[RSA 2048]----+ | E=*X&O o+o | | .=*O+.o+ | | . =o.=. | | o..o . | | . S.+ . | | o.= * | | o.=oo | | . +o | | .. | +----[SHA256]-----+ M266952RPEwN4:~ harold_stuart$ openssl pkcs8 -topk8 -v2 des3 -in test -out test.new Can't open input file test M266952RPEwN4:~ harold_stuart$ openssl pkcs8 -topk8 -v2 des3 -in test.me -out test.new Enter Encryption Password: Verifying - Enter Encryption Password: M266952RPEwN4:~ harold_stuart$ openssl pkcs8 -in test.new -out test.newer -nocrypt Error decrypting key 2761:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/pem/pem_lib.c:648:Expecting: PRIVATE KEY Note that there’s no way to decrypt a key that’s been legitimately made with a blank password. Furthermore, the spec does not prohibit a blank password, so it should be allowed. From: Richard Levitte <notifications@github.com> Reply-To: openssl/openssl <reply@reply.github.com> Date: Saturday, November 11, 2017 at 2:11 AM To: openssl/openssl <openssl@noreply.github.com> Cc: Harold Stuart <Harold_Stuart@symantec.com>, Mention <mention@noreply.github.com> Subject: [EXT] Re: [openssl/openssl] 0 length passwords not accepted when importing PKCS8 encrypted key (#4716) @engineercrypto<https://clicktime.symantec.com/a/1/XQjYr22sWNCjWFAIONR8KpZxxxo82GuGC0okphp1kjU=?d=Vaq4NRF22CaVZRobwbeWJUBbQ11bUelQulfcwQYbHgZnrD24ByGfWLGbWJ3zynyssZGiyC2N8jWu903HQVktqsnkxUDwiZ7hnmwMCX8KLRvnQ_KaoOYiECQeiN49Q1oVSloA59W1vAu8GnDpq2x5JiD_byHQgpLBxYU3RRc1Ti8Zqn0TOk0GfwIyoU3dmywPMvzpHOs-ABFFXLkDFbdLhtAnxHAB2XSrGKF_SetLd7xFc4LsmrWmYkn2yDwXmXI70-WPnvy8pgoKIpS1Dz91QuMh5SY5K_Cqk8uWmG71JuwgM0gLJjrvDgarOXPvGpTzgO6VWmLOkLzcj79w9wKCGbUr0n_gVqJlkjFTkeLR3Ezv5UQWd_4f7Oke1WKOSXytusrTZ4MV0yT5dLX5eH6COefrt_hYyUHQKamGQuk6L5dHNAchKGQ7mqSteEtj7C_gqVWTXEOocQ_NoyYmUzlzEdIBOQNLbrh4urE68ENhapLWol7NlmnC_08ASSbCHfOmqzfYQjingYHZtSMLbw%3D%3D&u=https%3A%2F%2Fgithub.com%2Fengineercrypto>, is that a satisfactory answer? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://clicktime.symantec.com/a/1/BNGj9ir7q7p4lYOPUZweQSQe8U_bAq6H0ktEe8AxNe8=?d=Vaq4NRF22CaVZRobwbeWJUBbQ11bUelQulfcwQYbHgZnrD24ByGfWLGbWJ3zynyssZGiyC2N8jWu903HQVktqsnkxUDwiZ7hnmwMCX8KLRvnQ_KaoOYiECQeiN49Q1oVSloA59W1vAu8GnDpq2x5JiD_byHQgpLBxYU3RRc1Ti8Zqn0TOk0GfwIyoU3dmywPMvzpHOs-ABFFXLkDFbdLhtAnxHAB2XSrGKF_SetLd7xFc4LsmrWmYkn2yDwXmXI70-WPnvy8pgoKIpS1Dz91QuMh5SY5K_Cqk8uWmG71JuwgM0gLJjrvDgarOXPvGpTzgO6VWmLOkLzcj79w9wKCGbUr0n_gVqJlkjFTkeLR3Ezv5UQWd_4f7Oke1WKOSXytusrTZ4MV0yT5dLX5eH6COefrt_hYyUHQKamGQuk6L5dHNAchKGQ7mqSteEtj7C_gqVWTXEOocQ_NoyYmUzlzEdIBOQNLbrh4urE68ENhapLWol7NlmnC_08ASSbCHfOmqzfYQjingYHZtSMLbw%3D%3D&u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fissues%2F4716%23issuecomment-343654257>, or mute the thread<https://clicktime.symantec.com/a/1/AkmvO3pUwjVF9dFOo8a-lBHI063Fk5X3kOKLbSs4NAg=?d=Vaq4NRF22CaVZRobwbeWJUBbQ11bUelQulfcwQYbHgZnrD24ByGfWLGbWJ3zynyssZGiyC2N8jWu903HQVktqsnkxUDwiZ7hnmwMCX8KLRvnQ_KaoOYiECQeiN49Q1oVSloA59W1vAu8GnDpq2x5JiD_byHQgpLBxYU3RRc1Ti8Zqn0TOk0GfwIyoU3dmywPMvzpHOs-ABFFXLkDFbdLhtAnxHAB2XSrGKF_SetLd7xFc4LsmrWmYkn2yDwXmXI70-WPnvy8pgoKIpS1Dz91QuMh5SY5K_Cqk8uWmG71JuwgM0gLJjrvDgarOXPvGpTzgO6VWmLOkLzcj79w9wKCGbUr0n_gVqJlkjFTkeLR3Ezv5UQWd_4f7Oke1WKOSXytusrTZ4MV0yT5dLX5eH6COefrt_hYyUHQKamGQuk6L5dHNAchKGQ7mqSteEtj7C_gqVWTXEOocQ_NoyYmUzlzEdIBOQNLbrh4urE68ENhapLWol7NlmnC_08ASSbCHfOmqzfYQjingYHZtSMLbw%3D%3D&u=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAgAJp4f0caXIBpEtmjAr9qNotAhmP_Zwks5s1XLGgaJpZM4QaBmJ>.

[levitte]

Looking at this again, I see that @engineercrypto is right that it's not satisfactory, as what they are looking for is to have an encryption key derived from a 0-length password rather than not encrypting at all. There's a nuance between the two.

I see no harm at all making the desired change.

[levitte]

Actually, looking again at the code, the 1 length limitation is kinda silly in the cases where we ask PEM_def_callback for a minimum of 0 characters!