<div dir="ltr">Hi Matt,<div><br></div><div>><span style="font-size:12.8px">If you *are* using </span><span style="font-size:12.8px">1.1.0 then the default digest was changed between 1.0.2 and 1.1.0.</span></div><div>Awesome thought, but I'm also using 1.0.2:</div><div><br></div><div><span style="font-variant-ligatures:no-common-ligatures;font-family:Menlo;font-size:11px">$ openssl version</span></div>
<p class="gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">OpenSSL 1.0.2k-fips<span class="gmail-Apple-converted-space"> </span>26 Jan 2017</span></p><br>(I also tried adding -md md5 to the previous command, but I got the same error message).<br><br>Thanks,<br>Chris</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 14, 2018 at 6:03 PM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 14/01/18 15:26, Chris B wrote:<br>
> I'm trying to help someone recover his password for an older format<br>
> ethereum encrypted private key (EPK). My plan has been to use his best<br>
> guess at the password to brute force the actual password.<br>
><br>
> The EPK is a 132 character string, and it looks something like this:<br>
> U2FsdGV0X185M9YAa/<wbr>27pmEvFzC5pqLI4xWrA6ouGVCx0EeJ<wbr>9s8DzeGuBtYJPDCKDy0m80yvHdQYDM<wbr>Pa+Hwv2JPbuGJNoUMhFWpcQW1VF+<wbr>EAy0tYb7Wtv2+IRWZzcpsE8e2a<br>
><br>
> (That is: 128 ASCII digits and/or letters, plus three "+" and a "/".)<br>
><br>
> This article<br>
> (<a href="https://www.reddit.com/r/Bitcoin/comments/3gwdge/importing_old_encrypted_private_keys/" rel="noreferrer" target="_blank">https://www.reddit.com/r/<wbr>Bitcoin/comments/3gwdge/<wbr>importing_old_encrypted_<wbr>private_keys/</a>)<br>
> seems to describe a very similar EPK. The author of that post decrypted<br>
> their key with the following command:<br>
><br>
> openssl enc -in FILE_OF_KEYS -a -d -salt -aes256 -pass pass:"PASSWORD_HERE"<br>
><br>
> I have tried this same approach, but I'm getting an error:<br>
><br>
> EVP_DecryptFinal_ex:wrong final block length<br>
<br>
</span>What version of OpenSSL are you using. The quoted article was written 2<br>
years ago so definitely wasn't using OpenSSL 1.1.0. If you *are* using<br>
1.1.0 then the default digest was changed between 1.0.2 and 1.1.0. Old<br>
OpenSSL "enc" output defaulted to md5. The current default is sha256:<br>
<br>
<a href="https://www.openssl.org/docs/faq.html#USER3" rel="noreferrer" target="_blank">https://www.openssl.org/docs/<wbr>faq.html#USER3</a><br>
<br>
Try adding "-md md5" onto your command line.<br>
<span class="HOEnZb"><font color="#888888"><br>
Matt<br>
</font></span><span class="im HOEnZb"><br>
<br>
><br>
> Here's an example:<br>
><br>
> /usr/bin/openssl enc -d -aes-256-cbc -a -in enc_private_key.txt -out<br>
> recovered.key -pass pass:TheBig7ebowski<br>
><br>
> And here's the output:<br>
><br>
> bad decrypt<br>
><br>
> 140220549330848:error:<wbr>0606506D:digital envelope<br>
> routines:EVP_DecryptFinal_ex:<wbr>wrong final block length:evp_enc.c:581:<br>
><br>
> I'm not sure how to interpret that output. I could interpret it as:<br>
> o Your system for decrypting the password is perfect, but: this is not<br>
> the right password.<br>
> o There's something wrong with the EPK -- its length must be a multiple<br>
> of the AES block length.<br>
> o There's something wrong with the unencrypted private key -- its length<br>
> must be a multiple of the AES block length.<br>
> o Something else entirely<br>
><br>
> Can anyone help me understand how to interpret this error message?<br>
><br>
> Thanks,<br>
> Chris<br>
><br>
><br>
</span><div class="HOEnZb"><div class="h5">--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>