[openssl-users] d2i_RSAPrivateKey not working on a private key

David Lobron dlobron at akamai.com
Fri Oct 9 15:33:07 UTC 2015


Hello openssl people,

I am trying to read a private key of a certificate into memory using d2i_RSAPrivateKey.  I'm able to read the certificate without a problem, but when I pass the private key to d2i_RSAPrivateKey, it fails to parse.  I do not see an error message or errno being set - d2i_RSAPrivateKey simply returns NULL.  I've generated a self-signed cert which reproduces the problem, and I've attached it to this message (this is a throwaway cert, not in use for anything, so I'm knowingly sending the private key).  The command I used to generate this cert and its key was:

openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 36500 -nodes -outform PEM

I have another cert where the private key *is* parseable by d2i_RSAPrivateKey.  I printed out both certs from the command line, and compared them.  They appear almost identical.  The only difference I see is that when I print the attached unparseable cert, the Signature Algorithm section has 8 lines of hex.  In the parseable cert, I see 15 lines of hex.  Both certs use sha1WithRSAEncryption as the algorithm, with 1024 bits.

Can anyone help me understand why the private key in the attached cert is not readable by d2i_RSAPrivateKey?  I'm running these tests on a Mac, but the same thing happens on Ubuntu Linux.

Thank you,

David

Printout of the attached cert, which fails to parse with d2i_RSAPrivateKey:

MacBook-Air:self_signed dlobron$ openssl x509 -in cert.1024.combined -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17702003413458844255 (0xf5aa2650b7f77a5f)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, OU=KMI, CN=akamai.normandy_authority.client_gateway_ca.1/emailAddress=dlobron at akamai.com
        Validity
            Not Before: Oct  8 15:47:30 2015 GMT
            Not After : Jan 16 15:47:30 2016 GMT
        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Akamai Technologies, OU=KMI, CN=akamai.normandy_authority.client_gateway_ca.1/emailAddress=dlobron at akamai.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c2:33:df:d8:cb:c9:6e:a4:98:f0:b7:b1:06:51:
                    77:f8:6c:36:4b:f3:ab:fc:09:ab:98:13:d5:0a:03:
                    63:31:c4:ce:6f:02:12:b5:c4:4c:83:17:39:c2:b8:
                    27:89:a5:80:56:36:72:19:8b:9a:dd:e5:e2:22:60:
                    53:96:f9:4d:c0:f1:c6:06:5f:1b:95:de:b7:8e:d2:
                    ef:e8:ff:84:81:73:45:c9:a5:52:6d:af:8e:6a:16:
                    bf:23:97:66:5e:d8:1f:0e:e9:1b:d3:03:e3:cd:4c:
                    02:2f:68:f0:a5:70:a3:90:f5:19:8d:f5:6b:d1:87:
                    e7:82:39:f9:09:1b:ee:56:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                2F:D9:17:38:F0:9E:03:2C:57:E5:FF:20:24:BC:F1:AA:2C:35:AB:D5
            X509v3 Authority Key Identifier: 
                keyid:2F:D9:17:38:F0:9E:03:2C:57:E5:FF:20:24:BC:F1:AA:2C:35:AB:D5

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         5d:5c:c0:10:c3:60:10:c5:d4:30:cf:90:41:32:d9:73:1f:03:
         66:a5:3b:ca:e2:99:2f:89:10:0e:4d:d6:b3:1d:97:ae:0a:54:
         46:0b:a8:51:02:97:c6:41:32:16:db:7c:77:28:e8:df:73:70:
         a0:01:73:b6:84:90:b5:a8:b7:54:53:7d:a9:cd:81:33:35:6d:
         58:5e:ba:e2:7d:34:7a:32:c9:fd:4f:07:18:75:a7:53:3d:61:
         1b:98:7a:e6:92:5b:74:39:e1:ab:b2:6a:51:4a:56:c5:99:1e:
         d7:7a:7a:b6:32:e8:ca:f2:33:bc:3f:d5:3c:3f:87:2a:9f:ab:
         37:c8


-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert.1024.combined
Type: application/octet-stream
Size: 2124 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151009/2c9c633d/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2863 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151009/2c9c633d/attachment-0001.bin>
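
An added diagnostic, not code from the original post or from OpenSSL: d2i_RSAPrivateKey parses a DER-encoded PKCS#1 RSAPrivateKey, so this dependency-free C helper reports whether a key buffer holds PEM text, PKCS#1 DER or PKCS#8 DER before it is passed in. The names classify_key, der_len and the sample arrays are hypothetical, and the sample bytes are constructed toy values, not the key attached to this message.

```c
#include <stddef.h>
#include <string.h>

enum key_kind { KEY_PEM_TEXT, KEY_PKCS1_RSA, KEY_PKCS8, KEY_UNKNOWN };

/* Constructed samples: toy RSA integers (n=33, e=3, d=7), not a real key. */
static const unsigned char sample_pkcs1[] = {
    0x30,0x1b, 0x02,0x01,0x00, 0x02,0x01,0x21, 0x02,0x01,0x03, 0x02,0x01,0x07,
    0x02,0x01,0x03, 0x02,0x01,0x0b, 0x02,0x01,0x01, 0x02,0x01,0x07, 0x02,0x01,0x02 };
static const unsigned char sample_pkcs8[] = {  /* PrivateKeyInfo wrapping the above */
    0x30,0x31, 0x02,0x01,0x00,
    0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01, 0x05,0x00,
    0x04,0x1d, 0x30,0x1b, 0x02,0x01,0x00, 0x02,0x01,0x21, 0x02,0x01,0x03,
    0x02,0x01,0x07, 0x02,0x01,0x03, 0x02,0x01,0x0b, 0x02,0x01,0x01,
    0x02,0x01,0x07, 0x02,0x01,0x02 };
static const char sample_pem[] = "-----BEGIN PRIVATE KEY-----\n"; /* armor line only */

/* Read a DER length at *p and advance past it; returns 0 on success. */
static int der_len(const unsigned char **p, const unsigned char *end, size_t *out)
{
    if (*p >= end) return -1;
    unsigned char b = *(*p)++;
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    size_t n = b & 0x7f;                            /* long form: n length bytes */
    if (n == 0 || n > sizeof(size_t) || (size_t)(end - *p) < n) return -1;
    *out = 0;
    while (n--) *out = (*out << 8) | *(*p)++;
    return 0;
}

/* Classify by the first elements of the outer SEQUENCE. */
enum key_kind classify_key(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t l;
    if (len >= 10 && memcmp(buf, "-----BEGIN", 10) == 0)
        return KEY_PEM_TEXT;                        /* base64 armor, not DER */
    if (p >= end || *p++ != 0x30 || der_len(&p, end, &l) || l > (size_t)(end - p))
        return KEY_UNKNOWN;                         /* no SEQUENCE, or truncated */
    if (end - p < 4 || p[0] != 0x02 || p[1] != 0x01)
        return KEY_UNKNOWN;                         /* both start: INTEGER version */
    if (p[3] == 0x02) return KEY_PKCS1_RSA;         /* next: INTEGER modulus */
    if (p[3] == 0x30) return KEY_PKCS8;             /* next: AlgorithmIdentifier */
    return KEY_UNKNOWN;
}

int main(void) { return classify_key(sample_pkcs8, sizeof sample_pkcs8) == KEY_PKCS8 ? 0 : 1; }
```

A buffer reported as PEM text needs the PEM_read_bio_* routines (or base64 decoding) rather than a d2i_* call, and d2i_AutoPrivateKey accepts both DER forms.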

