Greetings Viktor!
On 9/26/24 11:35, Viktor Dukhovni wrote:
> On Tue, Sep 24, 2024 at 01:43:43PM -0400, Robert Moskowitz wrote:
>
> > Right now I want to use openssl command line to be able to take as
> > input an unencrypted PEM Keyfile (EdDSA) and output it password
> > protected.
> >
> > I have created the keyfile in python using:
> >
> >     f.write(private_key.private_bytes(
> >         encoding=serialization.Encoding.PEM,
> >         format=serialization.PrivateFormat.PKCS8,
> >         encryption_algorithm=serialization.NoEncryption(),
> >     ))
> >
> > I have found that to have written it encrypted, that should be
> >
> >     encryption_algorithm=serialization.BestAvailableEncryption(b'xyz'))
> >
> > But I want to be able to work this out step by step, adding the encryption
> > of the PEM keyfile.
>
> Are you looking for help with the Python API, or the OpenSSL
> command-line? Perhaps there's a better forum for help with the
> Python API?

I am working the Python API angle separately. But I realized I could
shortcut that work by encrypting the PEM key files I already made and
then stepping into the Python stuff. I made some good headway on that
last night now that I have key files properly encrypted. This way I
also "know" that what I am doing in Python is using aes128, as that is a
little vague. At least to me.

> > Thus the desire to take an existing unprotected PEM and put out a password
> > protected one that I can read in to another script.
> > Looked all over in the docs and asked Dr. Google, but my search foo is still
> > weak and not finding this out.
> > Would someone point the way for me? :)
>
> The "openssl genpkey" command has a "-<cipher>" option, where <cipher>
> is the name of one of the EVP encryption algorithms, say
> "aes-128-cbc", ...
>
>     $ openssl genpkey -algorithm ed25519

I learned this some 2 years ago on this list. Got that. But making
keyfiles is no longer the challenge; it is working with encrypted ones.
So I needed encrypted ones. Well I COULD have made fresh ones with
OpenSSL, but what is the fun of that?
So I am moving forward once more.
Thank you all for your time reading my missives and such. See you
around the water cooler.

>     -----BEGIN PRIVATE KEY-----
>     MC4CAQAwBQYDK2VwBCIEIByaUJVa2ZMoXYz/xPpQfQle6Shg0bjzXy5ZN6IxqKEB
>     -----END PRIVATE KEY-----
>
>     $ openssl genpkey -algorithm ed25519 -aes-128-cbc
>     Enter PEM pass phrase:
>     Verifying - Enter PEM pass phrase:
>     -----BEGIN ENCRYPTED PRIVATE KEY-----
>     MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAhcqj+s5kb1CQICCAAw
>     DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEBH0i7XariZNZwrYvnp0/n8EQLw/
>     syV97eF0VjcwYRcvM8uuC7MuJZb/q7xCDACD5gHWK0st0QVb7PlJpSA3e3PJ4bae
>     nyzLRcituSx1KLMLXrM=
>     -----END ENCRYPTED PRIVATE KEY-----
>
> Or in two steps:
>
>     $ openssl genpkey -algorithm ed25519 | openssl pkey -aes-128-cbc
>     Enter PEM pass phrase:
>     Verifying - Enter PEM pass phrase:
>     -----BEGIN ENCRYPTED PRIVATE KEY-----
>     MIGbMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgUKiNRdwGFmgICCAAw
>     DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEJx+3f5TpnYWL9QeDsK4kuwEQDkI
>     IWwhA9pdGDcKHCtNY2veeOw+hndZUNEWof1mvWOHn27Cj5TlOdS4Gc8NRlCH3Rae
>     dLAPESBcQnBSyMRIYLY=
>     -----END ENCRYPTED PRIVATE KEY-----
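
The two-step form above applied to a key file that already exists on disk, as an added example that is not part of the original thread. It also reads the cipher back out of the encrypted file with `openssl asn1parse` and confirms the encrypted file decrypts to the same key; the `KEY_PASS` variable, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: password-protect an existing unencrypted PKCS#8 PEM key.
# KEY_PASS, the file names and the function names are assumptions.

# encrypt_key IN OUT: re-encode IN as AES-128-CBC encrypted PKCS#8 PEM.
# The pass phrase comes from the environment (env:KEY_PASS) so it never
# appears in the process argument list; OUT is created owner-only.
encrypt_key() {
    ( umask 077 && openssl pkey -in "$1" -aes-128-cbc \
        -passout env:KEY_PASS -out "$2" )
}

# key_cipher FILE: print the cipher name stored in the PBES2 parameters.
key_cipher() {
    openssl asn1parse -in "$1" | grep -o -E 'aes-[0-9]+-[a-z]+' | head -n 1
}

# same_key PLAIN ENC: succeed only if ENC decrypts with KEY_PASS to the
# same key as PLAIN (compared via their public halves).
same_key() {
    a=$(openssl pkey -in "$1" -pubout) || return 1
    b=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 1
    [ "$a" = "$b" ]
}

# demo: run the steps on a throwaway Ed25519 key in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    KEY_PASS='constructed-example-pass-phrase'; export KEY_PASS
    openssl genpkey -algorithm ed25519 -out "$dir/plain.pem" &&
        encrypt_key "$dir/plain.pem" "$dir/enc.pem" &&
        head -n 1 "$dir/enc.pem" &&
        key_cipher "$dir/enc.pem" &&
        same_key "$dir/plain.pem" "$dir/enc.pem" &&
        echo "round trip ok"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo
```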