CryptoSys PKI Toolkit Known Issues with CryptoSys PKI Toolkit

This page details known issues with the CryptoSys PKI Toolkit Version 3.2.

  1. Cannot turn off "show progress" option when creating RSA keys using PBES2 with des-EDE3-CBC

Issue 1: Cannot turn off "show progress" option when creating RSA keys using PBES2 with des-EDE3-CBC

SYMPTOMS

When creating a new RSA key pair using the pkcs5PBES2 and des-EDE3-CBC option (PKI_PBE_PBES2+PKI_BC_DESEDE3), you can't turn off the "show progress" option.

For example, these examples, in C and C# respectively, will display the progress console even though the PKI_KEYGEN_INDICATE flag is not used:

lRet = RSA_MakeKeys(pubkeyfile, prikeyfile, 1024, PKI_RSAEXP_EQ_65537, 64, 3000, 
    szPasswd, "", 0, PKI_PBE_PBES2|PKI_BC_TDEA);
n = Rsa.MakeKeys(pubkeyFile, prikeyFile, 1024, Rsa.PublicExponent.Exp_EQ_65537,
    3000, "password", CipherAlgorithm.Tdea, HashAlgorithm.Sha1, Rsa.Format.Binary, false);

RESOLUTION

As a work around, do not specify TDEA explicity. Instead, rely on the fact that the default block cipher algorithm for PBES2 is TDEA.
lRet = RSA_MakeKeys(pubkeyfile, prikeyfile, 1024, PKI_RSAEXP_EQ_65537, 64, 3000, 
    szPasswd, "", 0, PKI_PBE_PBES2);
n = Rsa.MakeKeys(pubkeyFile, prikeyFile, 1024, Rsa.PublicExponent.Exp_EQ_65537,
    3000, "password", 0, HashAlgorithm.Sha1, Rsa.Format.Binary, false);

The revised instructions above should produce a PKCS8 encrypted private key file similar to the following.

SEQUENCE {
  SEQUENCE {
    OBJECT IDENTIFIER pkcs5PBES2 (1 2 840 113549 1 5 13)
    SEQUENCE {
      SEQUENCE {
        OBJECT IDENTIFIER pkcs5PBKDF2 (1 2 840 113549 1 5 12)
        SEQUENCE {
          OCTET STRING C5 C1 9F 22 E7 44 3F BC
          INTEGER 3000
          }
        }
      SEQUENCE {
        OBJECT IDENTIFIER des-EDE3-CBC (1 2 840 113549 3 7)
        OCTET STRING FB F3 48 24 AF 80 65 65
        }
      }
    }
  OCTET STRING
    8C 31 DD 8F 7E 05 A7 F4 60 26 1C 4E E1 2F BB 63
    BC A2 9E 54 FD 1E 17 E1 D1 C8 6E 65 10 13 2F 43
    68 F9 5C A5 6B 45 EC A1 8C 66 77 38 2F BF DC 76
    FE A8 A9 4C 44 E7 AC 20 91 DC A0 A5 06 EA EB 88
    5F 32 68 62 BF 30 BE 1E 92 81 A4 18 73 2A A4 8A
    44 8A 01 3E 09 23 16 EF 1A F8 4F DF C9 16 4B F8
    68 41 3F 67 88 0C 91 FD D4 48 86 75 AF C8 DC D0
    52 56 33 F6 F8 3C 28 7D 32 11 0B A7 21 26 82 D9
            [ Another 224 bytes skipped ]
  }

STATUS

Will be fixed in the next release (with a different value for PKI_KEYGEN_INDICATE).

MORE INFORMATION

This particular option was added in the latest version as part of a large expansion of security options and this one slipped between the cracks.

The flag PKI_KEYGEN_INDICATE for "display the progress console" is the same as the explicit flag for Triple DES PKI_BC_DESEDE. Sorry, we goofed. This is a downside of using too many flags...

Thanks to John Gillen for bringing this to our attention.

 

This page last updated 3 May 2008