<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 12/28/2017 18:31, Salz, Rich via
openssl-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:F984D00C-5F57-482B-898F-558B346BF613@akamai.com">
<div class="WordSection1">
<p class="MsoNormal">It is hard to follow this thread with all
the indenting.</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">> If I
take a PEM-encoded RSA private key file and convert it to
binary (using b64decode) what I get is not the same thing as I
get from "openssl rsa -inform pem -in key -outform der -out
key.der".</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">How do you
convert it? Did you strip off the ---BEGIN and END tags?
Then it absolutely should have been the same thing.</p>
</div>
</blockquote>
Yes, I certainly did. And it's not the same thing.<br>
<br>
Proof:<br>
<br>
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # diff key.pem test.key<br>
0a1<br>
> -----BEGIN PRIVATE KEY-----<br>
26a28<br>
> -----END PRIVATE KEY-----<br>
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # ls -al<br>
total 16<br>
drwxr-xr-x 2 root wheel 512 Dec 28 18:36 .<br>
drwx------ 3 hdmcp wheel 512 Dec 28 18:33 ..<br>
-rw------- 1 root wheel 1654 Dec 28 18:33 key.pem<br>
-rw------- 1 root wheel 1708 Dec 28 18:35 test.key<br>
<br>
Only difference is the barrier lines in the test.key file (which
have to be there for openssl or it throws up.) Now we run:<br>
<br>
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # openssl rsa -inform pem
-in test.key -outform der -out key.der<br>
writing RSA key<br>
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # b64decode -r key.pem
> key.bin <br>
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # ls -la<br>
total 24<br>
drwxr-xr-x 2 root wheel 512 Dec 28 18:37 .<br>
drwx------ 3 hdmcp wheel 512 Dec 28 18:33 ..<br>
-rw-r--r-- 1 root wheel 1219 Dec 28 18:37 key.bin<br>
-rw-r--r-- 1 root wheel 1193 Dec 28 18:37 key.der<br>
-rw------- 1 root wheel 1654 Dec 28 18:33 key.pem<br>
-rw------- 1 root wheel 1708 Dec 28 18:35 test.key<br>
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x #<br>
<br>
Those output files (key.bin and key.der) are not the same -- they're
different within the first few bytes on examination with od -t x1,
not just in length (e.g. trash at the end).<br>
<br>
If I load key.der into a binary buffer and run d2i_AutoPrivateKey
against it I get a valid EVP_PKEY buffer back and no error.<br>
<br>
I'll chase this down further, but I think the easiest way may be to
just run DER files, since those work... :-)<br>
<br>
<blockquote type="cite"
cite="mid:F984D00C-5F57-482B-898F-558B346BF613@akamai.com">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:12.0pt">An internal
structure, such as an RSA object, can be converted to DER
using d2i_RSA. DER is useful because it is a “flat” format,
whereas the internal object is useful in the C code. Make
sense? DER files are useful if you already know what the
filetype is. The d2i_ and i2d_ functions convert between
internal (C structures, with pointers etc) to DER encoding.
They basically work on buffers, only.</p>
</div>
</blockquote>
<br>
<blockquote type="cite"
cite="mid:F984D00C-5F57-482B-898F-558B346BF613@akamai.com">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:12.0pt">PEM files are
base64 encoded DER, with BEGIN and END tags that specify what
the middle part is. It is useful because it is human
readable. Also the PEM_read_xxxx functions will check what is
expected against what the file says it is.</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Most objects
have PEM_read and PEM_write functions as well. They are not
necessarily obvious from scanning the header files, because
they are declared and implemented as macros, as it's common
code with just a pointer to an internal description of what
the ASN1/DER looks like.</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">The
documentation on the master branch does a much better, and
more complete, job of explaining this.</p>
<p class="MsoNormal" style="margin-bottom:12.0pt">The function I
think you want is PEM_read_PrivateKey.</p>
</div>
</blockquote>
I'll look in there; my assumption was that I could trivially convert
a PEM file into an internal DER representation by stripping the flag
lines from the front and rear and then decoding the base64 piece.....<br>
<br>
Thanks; I'll figger it out :-)<br>
<br>
<div class="moz-signature">-- <br>
Karl Denninger<br>
<a href="mailto:karl@denninger.net">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size="-2"><i>[S/MIME encrypted email preferred]</i></font>
</div>
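<p>Added illustration, not part of either message in this thread: a <code>-----BEGIN PRIVATE KEY-----</code> block carries a PKCS#8 PrivateKeyInfo, whereas <code>openssl rsa -outform der</code> writes the bare PKCS#1 RSAPrivateKey, so the base64-decoded PEM has a 26-byte wrapper (version INTEGER, rsaEncryption AlgorithmIdentifier, OCTET STRING header) that the DER file lacks; that is exactly the 1219 vs 1193 byte difference in the listing above. The stdlib-only Python below parses the PEM, walks the outer DER structure and strips the wrapper; the RSAPrivateKey it is exercised with in the assertions is a constructed stand-in of the same size, not a real key, and the function names are this example's own.</p>

```python
import base64
import re

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption AlgorithmIdentifier, 15 bytes

def der_len(n):
    # DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos=0):
    # parse one tag-length-value at pos; return (tag, value, position after it)
    tag, first = buf[pos], buf[pos + 1]
    nlen = 0 if first < 0x80 else first & 0x7F
    length = first if nlen == 0 else int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big")
    start = pos + 2 + nlen
    return tag, buf[start:start + length], start + length

def pem_to_der(pem_text):
    # drop the BEGIN/END lines and base64-decode what is between them; return (label, der)
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def wrap_pkcs8(rsa_private_key):
    # PrivateKeyInfo ::= SEQUENCE { version 0, rsaEncryption, OCTET STRING RSAPrivateKey }
    body = der_tlv(0x02, b"\x00") + RSA_ALG_ID + der_tlv(0x04, rsa_private_key)
    return der_tlv(0x30, body)

def unwrap_pkcs8(der):
    # return the RSAPrivateKey carried inside an unencrypted rsaEncryption PrivateKeyInfo
    tag, body, _ = read_tlv(der)
    vtag, version, pos = read_tlv(body)
    atag, alg, pos = read_tlv(body, pos)
    ktag, inner, _ = read_tlv(body, pos)
    expected = (0x30, 0x02, b"\x00", RSA_ALG_ID, 0x04)
    if (tag, vtag, version, der_tlv(atag, alg), ktag) != expected:
        raise ValueError("not an unencrypted rsaEncryption PrivateKeyInfo")
    return inner

def rsa_private_key_der(pem_text):
    # the bytes "openssl rsa -outform der" writes: bare PKCS#1, whichever PEM label was used
    label, der = pem_to_der(pem_text)
    if label not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
        raise ValueError("unexpected PEM label: " + label)
    return unwrap_pkcs8(der) if label == "PRIVATE KEY" else der
```

Running <code>rsa_private_key_der</code> on key.pem and comparing with <code>od -t x1</code> against key.der is the check the listing above calls for; an "ENCRYPTED PRIVATE KEY" block is rejected on purpose, since its contents are not DER of the key at all until decrypted.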
</body>
</html>