authorRob Austein <sra@hactrn.net>2013-08-23 17:12:28 +0000
committerRob Austein <sra@hactrn.net>2013-08-23 17:12:28 +0000
commit2c9857c2c5ffa7686748b0e37a85635a8b13e290 (patch)
tree5f30ace921bf9c4406b3e9f9072657a0aa6a8676 /rpkid
parentb51ca7cbff8a4b5c067ea5153e80752ad55ff83b (diff)
Notes on future work to track OpenSSL's PKCS #1.5 -> PKCS #8 transition.
svn path=/trunk/; revision=5461
Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/ext/POW.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/rpkid/ext/POW.c b/rpkid/ext/POW.c
index ef7be364..4546b1c4 100644
--- a/rpkid/ext/POW.c
+++ b/rpkid/ext/POW.c
@@ -4622,6 +4622,17 @@ asymmetric_object_pem_read_private_helper(PyTypeObject *type, BIO *bio, char *pa
* because of optional the PEM password, so we just code the two PEM
* read cases for private keys directly. Other than the passphrase,
* code is pretty much the same as the generic functions.
+ *
+ * It turns out that OpenSSL is moving away from its old raw PKCS #1.5
+ * private key format in favor of PKCS #8. This makes sense, but it
+ * leaves us with a minor mess to track. Many OpenSSL functions that
+ * originally expected PKCS #1.5 now also accept PKCS #8, so there's
+ * no tearing hurry about this, but at some point we might want to
+ * switch to writing PKCS #8. It looks like this would be relatively
+ * straightforward: see functions i2d_PKCS8PrivateKey_bio() and
+ * PEM_write_bio_PKCS8PrivateKey(), and note that PKCS #8 supports
+ * encrypted private keys in DER format, so the DER methods should
+ * take a passphrase argument as the PEM methods do.
*/
static char asymmetric_object_pem_read_private__doc__[] =