Update pkcs8 defaults.

Update pkcs8 utility to use 256 bit AES using SHA256 by default.

Update documentation.
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

CHANGES

@@ -4,6 +4,10 @@
 
  Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
 
+  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+     256 bit AES and HMAC with SHA256.
+     [Steve Henson]
+
   *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
      [Andy Polyakov]
 

apps/pkcs8.c

@@ -177,6 +177,8 @@ int pkcs8_main(int argc, char **argv)
                            "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
                 goto opthelp;
             }
+            if (cipher == NULL)
+                cipher = EVP_aes_256_cbc();
             break;
         case OPT_ITER:
             if (!opt_int(opt_arg(), &iter))
@@ -225,8 +227,8 @@ int pkcs8_main(int argc, char **argv)
         goto end;
     }
 
-    if ((pbe_nid == -1) && !cipher)
-        pbe_nid = NID_pbeWithMD5AndDES_CBC;
+    if ((pbe_nid == -1) && cipher == NULL)
+        cipher = EVP_aes_256_cbc();
 
     in = bio_open_default(infile, 'r', informat);
     if (in == NULL)

crypto/asn1/p5_pbev2.c

@@ -140,7 +140,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
     if ((prf_nid == -1) &&
         EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
         ERR_clear_error();
-        prf_nid = NID_hmacWithSHA1;
+        prf_nid = NID_hmacWithSHA256;
     }
     EVP_CIPHER_CTX_free(ctx);
     ctx = NULL;

doc/apps/pkcs8.pod

@@ -57,7 +57,7 @@ private key is used.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -100,28 +100,26 @@ code signing software used unencrypted private keys.
 
 =item B<-v2 alg>
 
-This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
-private keys are encrypted with the password based encryption algorithm
-called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
-the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
-encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
-not many implementations support PKCS#5 v2.0 yet. If you are just using
-private keys with OpenSSL then this doesn't matter.
+This option sets the PKCS#5 v2.0 algorithm.
 
 The B<alg> argument is the encryption algorithm to use, valid values include
-B<des>, B<des3> and B<rc2>. It is recommended that B<des3> is used.
+B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
+is used.
 
 =item B<-v2prf alg>
 
 This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
-values would be B<hmacWithSHA256>. If this option isn't set then the default
-for the cipher is used or B<hmacWithSHA1> if there is no default.
+value would be B<hmacWithSHA256>. If this option isn't set then the default
+for the cipher is used or B<hmacWithSHA256> if there is no default.
+
+Some implementations may not support custom PRF algorithms and may require
+the B<hmacWithSHA1> option to work.
 
 =item B<-v1 alg>
 
-This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
-list of possible algorithms is included below.
+This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used.  Some
+older implementations may not support PKCS#5 v2.0 and may require this option.
+If not specified PKCS#5 v2.0 for is used.
 
 =item B<-engine id>
 
@@ -145,6 +143,13 @@ sets the scrypt B<N>, B<r> or B<p> parameters.
 
 =head1 NOTES
 
+By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
+AES with HMAC and SHA256 is used.
+
+Some older implementations do not support PKCS#5 v2.0 format and require
+the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
+encryption algorithms such as 56 bit DES.
+
 The encrypted form of a PEM encode PKCS#8 files uses the following
 headers and footers:
 
@@ -161,13 +166,6 @@ counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered
 important the keys should be converted.
 
-The default encryption is only 56 bits because this is the encryption
-that most current implementations of PKCS#8 will support.
-
-Some software may use PKCS#12 password based encryption algorithms
-with PKCS#8 format private keys: these are handled automatically
-but there is no option to produce them.
-
 It is possible to write out DER encoded encrypted private keys in
 PKCS#8 format because the encryption details are included at an ASN1
 level whereas the traditional format includes them at a PEM level.
@@ -228,8 +226,8 @@ Read a DER unencrypted PKCS#8 format private key:
 Convert a private key from any PKCS#8 format to traditional format:
 
  openssl pkcs8 -in pk8.pem -out key.pem
- 
-Convert a private key to PKCS#8 format, encrypting with AES-256 and with 
+
+Convert a private key to PKCS#8 format, encrypting with AES-256 and with
 one million iterations of the password:
 
  openssl pkcs8 -in raw.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
@@ -259,7 +257,7 @@ the old format at present.
 =head1 SEE ALSO
 
 L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
-L<gendsa(1)> 
+L<gendsa(1)>
 
 =head1 HISTORY