Dev news

Commit bb68815067 for openssl.org

commit bb6881506742d0d64836021f3ca9e571d5252f21
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date:   Mon Jun 22 23:42:08 2026 +0200

    apps: cover the pkcs8 -inform/-outform DER options

    Only PEM input/output was exercised.  Add a subtest that round trips a
    key through DER, for both unencrypted and encrypted PKCS#8.

    Assisted-by: Claude:claude-opus-4-8

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    MergeDate: Thu Jun 25 07:24:30 2026
    (Merged from https://github.com/openssl/openssl/pull/31653)

diff --git a/test/recipes/25-test_pkcs8.t b/test/recipes/25-test_pkcs8.t
index 50cb01a407..bd7224459b 100644
--- a/test/recipes/25-test_pkcs8.t
+++ b/test/recipes/25-test_pkcs8.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips is_nofips/;

 setup("test_pkcs8");

-plan tests => 18;
+plan tests => 19;

 my $pc5_key = srctop_file('test', 'certs', 'pc5-key.pem');

@@ -128,6 +128,38 @@ ok(run(app(([ 'openssl', 'asn1parse',
    "Check the size of the PBKDF2 PARAM 'salt length' is 8");


+subtest 'PKCS#8 DER inform/outform round trip' => sub {
+    plan tests => 6;
+
+    # PEM -> DER, unencrypted PKCS#8 (exercises -outform DER)
+    ok(run(app(['openssl', 'pkcs8', '-topk8', '-nocrypt',
+                '-in', $pc5_key, '-outform', 'DER',
+                '-out', 'p8-nocrypt.der'])),
+       "write unencrypted PKCS#8 in DER form");
+    # DER -> PEM (exercises -inform DER)
+    ok(run(app(['openssl', 'pkcs8', '-nocrypt',
+                '-inform', 'DER', '-in', 'p8-nocrypt.der',
+                '-out', 'p8-roundtrip.pem'])),
+       "read unencrypted PKCS#8 from DER form");
+    # PEM -> DER again, the result must match the original DER output
+    ok(run(app(['openssl', 'pkcs8', '-topk8', '-nocrypt',
+                '-in', 'p8-roundtrip.pem', '-outform', 'DER',
+                '-out', 'p8-roundtrip.der'])),
+       "re-encode the round-tripped key to DER");
+    is(compare('p8-nocrypt.der', 'p8-roundtrip.der'), 0,
+       "DER output is identical after a PEM/DER round trip");
+
+    # The same for an encrypted PKCS#8 structure
+    ok(run(app(['openssl', 'pkcs8', '-topk8',
+                '-in', $pc5_key, '-outform', 'DER',
+                '-out', 'p8-enc.der', '-passout', 'pass:password'])),
+       "write encrypted PKCS#8 in DER form");
+    ok(run(app(['openssl', 'pkcs8',
+                '-inform', 'DER', '-in', 'p8-enc.der',
+                '-out', 'p8-dec.pem', '-passin', 'pass:password'])),
+       "read encrypted PKCS#8 from DER form");
+};
+
 SKIP: {
     skip "SM2, SM3 or SM4 is not supported by this OpenSSL build", 3
         if disabled("sm2") || disabled("sm3") || disabled("sm4");