-rw-r--r-- | doc/manual/cli.rst | 6 | ||||
-rw-r--r-- | src/build-data/oids.txt | 1 | ||||
-rw-r--r-- | src/lib/asn1/oid_maps.cpp | 3 | ||||
-rw-r--r-- | src/lib/pubkey/pkcs8.cpp | 4 | ||||
-rw-r--r-- | src/tests/test_pubkey.cpp | 2 |
5 files changed, 10 insertions, 6 deletions
diff --git a/doc/manual/cli.rst b/doc/manual/cli.rst index c88e1ee90..b3379abbd 100644 --- a/doc/manual/cli.rst +++ b/doc/manual/cli.rst @@ -58,13 +58,13 @@ Public Key Cryptography - For DSA *params* specifies the DSA parameters. It defaults to dsa/botan/2048. - For EC algorithms *params* specifies the elliptic curve. It defaults to secp256r1. - The default *pbe* algorithm is "PBE-PKCS5v20(AES-256/CBC,SHA-256)". + The default *pbe* algorithm is "PBES2(AES-256/CBC,SHA-256)". - With PBE-PKCS5v20 you can select any CBC or GCM mode cipher which has an OID + With PBES2 scheme, you can select any CBC or GCM mode cipher which has an OID defined (such as 3DES, Camellia, SM4, Twofish or Serpent). However most other implementations support only AES or 3DES in CBC mode. You can also choose Scrypt instead of PBKDF2, by using "Scrypt" instead of the name of a hash - function, for example "PBE-PKCS5v20(AES-256/CBC,Scrypt)" + function, for example "PBES2(AES-256/CBC,Scrypt)" ``pkcs8 --pass-in= --pub-out --der-out --pass-out= --pbe= --pbe-millis=300 key`` Open a PKCS #8 formatted key at *key*. If *key* is encrypted, the passphrase diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt index feea6ef7d..3dc544c2e 100644 --- a/src/build-data/oids.txt +++ b/src/build-data/oids.txt @@ -210,6 +210,7 @@ [pbe] 1.2.840.113549.1.5.12 = PKCS5.PBKDF2 +1.2.840.113549.1.5.13 = PBES2 1.2.840.113549.1.5.13 = PBE-PKCS5v20 1.3.6.1.4.1.11591.4.11 = Scrypt diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp index eb4e570db..146dc88f7 100644 --- a/src/lib/asn1/oid_maps.cpp +++ b/src/lib/asn1/oid_maps.cpp @@ -1,7 +1,7 @@ /* * OID maps * -* This file was automatically generated by ./src/scripts/oids.py on 2018-08-01 +* This file was automatically generated by ./src/scripts/oids.py on 2018-08-23 * * All manual edits to this file will be lost. Edit the script * then regenerate this source file. 
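Review bot: After the added line in src/build-data/oids.txt, the `[pbe]` table carries two names for `1.2.840.113549.1.5.13`, and nothing says which one is canonical when the OID is mapped back to a name. The regenerated oid_maps.cpp hunk visible on this page adds only the name-to-OID entry, so the reverse lookup presumably still yields `PBE-PKCS5v20`; that is inferred from the visible hunks and should be confirmed against the generator script. If the file format accepts comment lines, a note above the pair such as `# PBES2 is the preferred name; PBE-PKCS5v20 is a legacy alias for the same OID` would keep a later reordering or cleanup from silently changing the algorithm name reported for encrypted keys.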
@@ -316,6 +316,7 @@ std::unordered_map<std::string, OID> OIDS::load_str2oid_map() { "OpenPGP.Curve25519", OID({1,3,6,1,4,1,3029,1,5,1}) }, { "OpenPGP.Ed25519", OID({1,3,6,1,4,1,11591,15,1}) }, { "PBE-PKCS5v20", OID({1,2,840,113549,1,5,13}) }, + { "PBES2", OID({1,2,840,113549,1,5,13}) }, { "PKCS5.PBKDF2", OID({1,2,840,113549,1,5,12}) }, { "PKCS9.ChallengePassword", OID({1,2,840,113549,1,9,7}) }, { "PKCS9.ContentType", OID({1,2,840,113549,1,9,3}) }, diff --git a/src/lib/pubkey/pkcs8.cpp b/src/lib/pubkey/pkcs8.cpp index c91e436c7..f6d50256d 100644 --- a/src/lib/pubkey/pkcs8.cpp +++ b/src/lib/pubkey/pkcs8.cpp @@ -167,7 +167,9 @@ choose_pbe_params(const std::string& pbe_algo, const std::string& key_algo) } SCAN_Name request(pbe_algo); - if(request.algo_name() != "PBE-PKCS5v20" || request.arg_count() != 2) + if(request.arg_count() != 2) + throw Exception("Unsupported PBE " + pbe_algo); + if(request.algo_name() != "PBE-PKCS5v20" && request.algo_name() != "PBES2") throw Exception("Unsupported PBE " + pbe_algo); return std::make_pair(request.arg(0), request.arg(1)); } diff --git a/src/tests/test_pubkey.cpp b/src/tests/test_pubkey.cpp index 765e7e396..20bdc73ac 100644 --- a/src/tests/test_pubkey.cpp +++ b/src/tests/test_pubkey.cpp @@ -712,7 +712,7 @@ std::vector<Test::Result> PK_Key_Generation_Test::run() #if defined(BOTAN_HAS_PKCS5_PBES2) && defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_SCRYPT) - test_pbe_roundtrip(result, key, "PBE-PKCS5v20(AES-128/CBC,Scrypt)", Test::random_password()); + test_pbe_roundtrip(result, key, "PBES2(AES-128/CBC,Scrypt)", Test::random_password()); #endif } |
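Review bot: The two rejections added to `choose_pbe_params` throw the identical text `"Unsupported PBE " + pbe_algo`, so splitting the old single condition does not help a caller tell a wrong argument count from an unrecognised scheme name. Either fold them back into one condition or give the argument-count check its own wording, for example `throw Exception("PBE " + pbe_algo + " must name a cipher and a KDF");`, after checking that no caller or test matches on the current message. A one-line comment above the name check, `// "PBE-PKCS5v20" is the legacy spelling of PBES2 and stays accepted for compatibility`, would record why two names pass. The function begins above this hunk, and `request.arg(0)` and `request.arg(1)` are returned without inspection here, so validation of the cipher and KDF names is presumably left to the caller.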
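Review bot: Replacing the string in the `test_pbe_roundtrip` call drops the only coverage visible here for the legacy name, while `choose_pbe_params` still accepts `PBE-PKCS5v20`. Keeping both spellings under test would guard the compatibility path: add `test_pbe_roundtrip(result, key, "PBE-PKCS5v20(AES-128/CBC,Scrypt)", Test::random_password());` next to the new line inside the same `#if` block. The rest of `PK_Key_Generation_Test::run()` lies outside the hunk, so another test may already cover the old spelling.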