The following PKCS8 key (encrypted with password 'Rabbit' and using scrypt for password hashing) taken from RFC 7914 cannot be decrypted by OpenSSL:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHiME0GCSqGSIb3DQEFDTBAMB8GCSsGAQQB2kcECzASBAVNb3VzZQIDEAAAAgEI
AgEBMB0GCWCGSAFlAwQBKgQQyYmguHMsOwzGMPoyObk/JgSBkJb47EWd5iAqJlyy
+ni5ftd6gZgOPaLQClL7mEZc2KQay0VhjZm/7MbBUNbqOAXNM6OGebXxVp6sHUAL
iBGY/Dls7B1TsWeGObE0sS1MXEpuREuloZjcsNVcNXWPlLdZtkSH6uwWzR0PyG/Z
+ZXfNodZtd/voKlvLOw5B3opGIFaLkbtLZQwMiGtl42AS89lZg==
-----END ENCRYPTED PRIVATE KEY-----
$ ./apps/openssl version
OpenSSL 3.4.0-dev (Library: OpenSSL 3.4.0-dev )
$ git rev-parse HEAD
1977c00f00ad0546421a5ec0b40c1326aee4cddb
$ ./apps/openssl pkcs8 -in ~/key.pem -passin=pass:Rabbit
Enter Password:
Error decrypting key
C08477BD877F0000:error:030000AC:digital envelope routines:scrypt_alg:memory limit exceeded:providers/implementations/kdfs/scrypt.c:515:
C08477BD877F0000:error:030000AB:digital envelope routines:PKCS5_v2_scrypt_keyivgen_ex:illegal scrypt parameters:crypto/asn1/p5_scrypt.c:285:
This seems due to a mistake in RFC 7914 where it is claimed that the N parameter should be "less than 2^(128 * r / 8)". This error caused the earlier report of this issue (in #10003) to be closed as working as intended.
But it's pretty easy to see this is an error in the RFC (an errata was reported in 2020 but apparently never acted upon) when you consider the inclusion of test vectors (including both the PKCS8 file as well as another N=1048576, r=8, p=1 test in Appendix 12) that would violate this supposed restriction.
Golang x/crypto and BoringSSL both include the N=1048576 test from RFC 7914 (though in both cases commented out since it takes a while to run). Tarsnap/scrypt (written by the designer of scrypt and co-author of RFC 7914) also includes this test, as does the original scrypt paper (Appendix B).
OWASP recommends N=131072,r=8,p=1
The OpenSSL man page for scrypt itself suggests using N=1048576, r=8, p=1
The following PKCS8 key (encrypted with password 'Rabbit' and using scrypt for password hashing) taken from RFC 7914 cannot be decrypted by OpenSSL:
This seems due to a mistake in RFC 7914 where it is claimed that the N parameter should be "less than 2^(128 * r / 8)". This error caused the earlier report of this issue (in #10003) to be closed as working as intended.
But it's pretty easy to see this is an error in the RFC (an errata was reported in 2020 but apparently never acted upon) when you consider the inclusion of test vectors (including both the PKCS8 file as well as another
N=1048576, r=8, p=1test in Appendix 12) that would violate this supposed restriction.Golang x/crypto and BoringSSL both include the N=1048576 test from RFC 7914 (though in both cases commented out since it takes a while to run). Tarsnap/scrypt (written by the designer of scrypt and co-author of RFC 7914) also includes this test, as does the original scrypt paper (Appendix B).
OWASP recommends N=131072,r=8,p=1
The OpenSSL man page for scrypt itself suggests using N=1048576, r=8, p=1