On 08/01/2021 00:59, Mathias Ricken wrote:
> How do I sell openssl to use more salt when generating the private key?
Unfortunately the pkcs8 tool does not support setting a custom salt
length and always uses the default length of 64 bits.
The best I can offer you is a hack of the tool to change the default to
128 bits (16 bytes):
diff --git a/apps/pkcs8.c b/apps/pkcs8.c
index 205536560a..14700e5d12 100644
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -229,7 +229,7 @@ int pkcs8_main(int argc, char **argv)
scrypt_N, scrypt_r,
scrypt_p);
else
#endif
- pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
+ pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 16, NULL,
pbe_nid);
} else {
pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0);
Matt
