[gnutls-devel] GnuTLS | certtool: generated PKCS8 private keys inconsistent with RFC8018 (#1632)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 24 21:39:48 CET 2024




Samuel Chiang commented: https://gitlab.com/gnutls/gnutls/-/issues/1632#note_2273441446


Thanks, really appreciate the fix! 

I did a bit more research into this and did find a sentence where `NULL` is explicitly called out for `id-hmacWithSHA1` in [RFC8018 B.1.1](https://datatracker.ietf.org/doc/html/rfc8018#appendix-B.1.1).
> The parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL. This object identifier is employed in the object set PBKDF2-PRFs (Appendix A.2).

Unfortunately, there doesn't seem to be anything concrete mentioned for other `hmacWithSHA*`s in the same RFC :disappointed:. OpenSSL has historically paired a `NULL` in `parameters` for other `hmacWithSHA*`s though, so it would be great to have better interoperability. 

I also found this interesting [newer RFC9579](https://datatracker.ietf.org/doc/rfc9579/) that was meant to be an amendment upon RFC8018. Appendix B in this RFC does have examples where other `hmacWithSHA*`s follow the same pattern as `hmacWithSHA1`'s specification. There's no concrete wording like RFC8018 however and this RFC seems to be more directed towards PKCS12.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1632#note_2273441446
You're receiving this email because of your account on gitlab.com.
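
The distinction discussed in the comment above (an explicit `NULL` versus an absent `parameters` field in the PBKDF2 PRF AlgorithmIdentifier) can be checked mechanically. The following is an added example, not part of the original message and not GnuTLS or OpenSSL code. It assumes the caller has already extracted the DER-encoded `PBKDF2-params` from the PKCS#8 file; the function names and sample bytes are constructed for illustration.

```python
HMAC_SHA1 = "1.2.840.113549.2.7"      # id-hmacWithSHA1 (RFC 8018 B.1.1)
HMAC_SHA256 = "1.2.840.113549.2.9"    # id-hmacWithSHA256 (RFC 8018 B.1.2)
SHA256_OID_DER = bytes.fromhex("06082a864886f70d0209")  # OID element for HMAC_SHA256

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def prf_parameters(pbkdf2_params):
    """Return (prf_oid, 'NULL' | 'absent' | 'other' | 'default')."""
    tag, body, _ = read_tlv(pbkdf2_params, 0)
    if tag != 0x30:
        raise ValueError("PBKDF2-params must be a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    # fields[0] is the salt; keyLength is an INTEGER, so the only
    # SEQUENCE after the salt is the prf AlgorithmIdentifier.
    prf = [v for t, v in fields[1:] if t == 0x30]
    if not prf:
        return HMAC_SHA1, "default"    # prf omitted: DEFAULT algid-hmacWithSHA1
    t, oid, pos = read_tlv(prf[0], 0)
    if t != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    rest = prf[0][pos:]
    state = "absent" if not rest else "NULL" if rest == b"\x05\x00" else "other"
    return decode_oid(oid), state

def tlv(tag, body):                    # short-form DER encoder for the samples
    return bytes([tag, len(body)]) + body

def sample_params(prf_oid_der, with_null):
    """Constructed PBKDF2-params: 8-byte zero salt, 2048 iterations, given PRF."""
    prf = tlv(0x30, prf_oid_der + (b"\x05\x00" if with_null else b""))
    return tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00") + prf)
```
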

