diff options
| author | lloyd <[email protected]> | 2012-05-31 18:19:43 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2012-05-31 18:19:43 +0000 |
| commit | b82642c328d98f2aaa1ac17aa0999e69e7152ae8 (patch) | |
| tree | a2a181c26709bd7995d519c9148c6f0bc06f143f /src/pubkey/pkcs8.cpp | |
| parent | 75db296a459a9e25b112207707cc5e26a6f2b872 (diff) | |
Add new PBKDF interface that takes a std::chrono::milliseconds and
runs the KDF until at least that much time has passed, then returns
the number of interations used.
New parameter to the PKCS8 encryption routines which tells how long to
run the PBKDF. Defaults to 200 milliseconds, which is short enough
that it is unlikely to bother anyone but long enough to provide quite
reasonable security against cracking attacks. On a Core i7-860, 200
ms with PBKDF2/SHA-1 runs about 180K to 220K iterations (compare with
previous default of 10K).
New PBE interface, remove new_params/set_key and require all inputs
including the passphrase to be passed to the constructor.
Drop the PGP S2K as it is pretty weird and not really useful outside
of a full PGP implementation.
Drop the deprecated PKCS8::encrypt_key and PKCS8::encode functions.
Diffstat (limited to 'src/pubkey/pkcs8.cpp')
| -rw-r--r-- | src/pubkey/pkcs8.cpp | 29 |
1 files changed, 14 insertions, 15 deletions
diff --git a/src/pubkey/pkcs8.cpp b/src/pubkey/pkcs8.cpp index baf6d1250..23c021fdb 100644 --- a/src/pubkey/pkcs8.cpp +++ b/src/pubkey/pkcs8.cpp @@ -90,16 +90,12 @@ secure_vector<byte> PKCS8_decode( if(is_encrypted) { - DataSource_Memory params(pbe_alg_id.parameters); - std::unique_ptr<PBE> pbe(get_pbe(pbe_alg_id.oid, params)); - std::pair<bool, std::string> pass = get_passphrase(); if(pass.first == false) break; - pbe->set_key(pass.second); - Pipe decryptor(pbe.release()); + Pipe decryptor(get_pbe(pbe_alg_id.oid, pbe_alg_id.parameters, pass.second)); decryptor.process_msg(key_data); key = decryptor.read_all(); @@ -155,17 +151,19 @@ std::string PEM_encode(const Private_Key& key) /* * BER encode a PKCS #8 private key, encrypted */ -secure_vector<byte> BER_encode(const Private_Key& key, - RandomNumberGenerator& rng, - const std::string& pass, - const std::string& pbe_algo) +std::vector<byte> BER_encode(const Private_Key& key, + RandomNumberGenerator& rng, + const std::string& pass, + std::chrono::milliseconds msec, + const std::string& pbe_algo) { const std::string DEFAULT_PBE = "PBE-PKCS5v20(SHA-1,AES-256/CBC)"; - std::unique_ptr<PBE> pbe(get_pbe(((pbe_algo != "") ? pbe_algo : DEFAULT_PBE))); - - pbe->new_params(rng); - pbe->set_key(pass); + std::unique_ptr<PBE> pbe( + get_pbe(((pbe_algo != "") ? pbe_algo : DEFAULT_PBE), + pass, + msec, + rng)); AlgorithmIdentifier pbe_algid(pbe->get_oid(), pbe->encode_params()); @@ -177,7 +175,7 @@ secure_vector<byte> BER_encode(const Private_Key& key, .encode(pbe_algid) .encode(key_encrytor.read_all(), OCTET_STRING) .end_cons() - .get_contents(); + .get_contents_unlocked(); } /* @@ -186,12 +184,13 @@ secure_vector<byte> BER_encode(const Private_Key& key, std::string PEM_encode(const Private_Key& key, RandomNumberGenerator& rng, const std::string& pass, + std::chrono::milliseconds msec, const std::string& pbe_algo) { if(pass == "") return PEM_encode(key); - return PEM_Code::encode(PKCS8::BER_encode(key, rng, pass, pbe_algo), + return PEM_Code::encode(PKCS8::BER_encode(key, rng, pass, msec, pbe_algo), "ENCRYPTED PRIVATE KEY"); } |