[openssl-users] d2i_RSAPrivateKey not working on a private key
Benjamin Kaduk
bkaduk at akamai.com
Wed Oct 14 03:12:10 UTC 2015
Hi Frank,
Thanks for these thoughts.
On 10/13/2015 09:57 PM, Frank Migge wrote:
> Hi David,
>
> I didn't spot the error in your code. But since d2i_RSAPrivateKey()
> fails on the DER data, how about a workaround? If your remaining code
> works fine, you could extract the RSA key from the EVP_PKEY object
> (which you are getting with d2i_PrivateKey), e.g.
>
> RSA *rsakey;
> rsakey = EVP_PKEY_get1_RSA(privkey); // this reads the EVP_PKEY; best to test first that it is RSA
>
> if (RSA_check_key(rsakey) == 1) { printf("RSA key is valid.\n"); }
> else { printf("Error validating RSA key.\n"); }
>
> RSA_print_fp(stdout, rsakey, 3);
> ...
>
> Alternatively, building a test case around d2i_RSAPrivateKey() to see
> if the DER format is valid, e.g. converting the PEM key into DER using
> the OpenSSL command line, and binary-compare with the program's DER data.
I worked with David some offline, and it seems that the problematic file
was the DER encoding of a PKCS8_PRIV_KEY_INFO, with the pkey ASN1_ANY
element being an octet string containing the DER encoding of the actual
RSAPrivateKey object (checked using openssl asn1parse). So it seems
that calling d2i_RSAPrivateKey() on it directly would necessarily fail,
since that ASN.1 decoder has no provision to skip the bits in the PKCS#8
container.
I think we're in agreement that the EVP interfaces are friendlier to
use, at this point, though.
-Ben
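The structural point Ben makes above (a PKCS#8 PrivateKeyInfo carries the RSAPrivateKey inside an OCTET STRING, so a decoder that expects a bare RSAPrivateKey sees an AlgorithmIdentifier where it wants the modulus) can be shown with a small DER walker. The following is an added example, not code from this thread or from OpenSSL: it encodes a constructed toy RSAPrivateKey, wraps it in PKCS#8, and shows that a strict PKCS#1 decoder rejects the wrapper while a caller that peels the container first succeeds. The toy parameters (p=61, q=53), the function names and the `check_rsa_key` consistency test are all this example's own assumptions; the OID and tag values are the standard ones.

```python
# Added example (not from the thread): a minimal DER walker showing why a
# bare RSAPrivateKey decoder such as d2i_RSAPrivateKey() cannot accept a
# PKCS#8 PrivateKeyInfo. The key material is constructed from toy primes
# and is not a usable RSA key.
from math import gcd

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30


def der_tlv(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return der_tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_read_tlv(data, offset=0):
    """Decode the TLV at offset; return (tag, content, offset just after it)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    if offset + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[offset:offset + length], offset + length


RSA_FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def encode_rsa_private_key(key):
    """RSAPrivateKey ::= SEQUENCE of nine INTEGERs (PKCS#1)."""
    return der_tlv(TAG_SEQUENCE, b"".join(der_integer(key[f]) for f in RSA_FIELDS))


def parse_rsa_private_key(der):
    """Strict PKCS#1 RSAPrivateKey decoder: anything other than one SEQUENCE
    of nine INTEGERs is rejected, which is what happens to a PKCS#8 blob."""
    tag, body, end = der_read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    values, off = [], 0
    while off < len(body):
        tag, content, off = der_read_tlv(body, off)
        if tag != TAG_INTEGER:
            raise ValueError("expected INTEGER, got tag 0x%02x" % tag)
        values.append(int.from_bytes(content, "big"))
    if len(values) != len(RSA_FIELDS) or values[0] != 0:
        raise ValueError("not a version-0 RSAPrivateKey")
    return dict(zip(RSA_FIELDS, values))


def wrap_pkcs8(rsa_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier rsaEncryption,
    privateKey OCTET STRING }; the inner key is opaque bytes at this layer."""
    alg = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, RSA_ENCRYPTION_OID) + der_tlv(TAG_NULL, b""))
    return der_tlv(TAG_SEQUENCE, der_integer(0) + alg + der_tlv(TAG_OCTET_STRING, rsa_der))


def unwrap_pkcs8(der):
    """Peel the PKCS#8 container and return the RSAPrivateKey DER inside it."""
    tag, body, _ = der_read_tlv(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, off = der_read_tlv(body)
    if tag != TAG_INTEGER or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, alg, off = der_read_tlv(body, off)
    oid_tag, oid, _ = der_read_tlv(alg)
    if tag != TAG_SEQUENCE or oid_tag != TAG_OID or oid != RSA_ENCRYPTION_OID:
        raise ValueError("privateKeyAlgorithm is not rsaEncryption")
    tag, inner, _ = der_read_tlv(body, off)
    if tag != TAG_OCTET_STRING:
        raise ValueError("privateKey must be an OCTET STRING")
    return inner


def check_rsa_key(key):
    """Consistency checks in the spirit of RSA_check_key(): n = p*q,
    e*d = 1 (mod lcm(p-1, q-1)) and the CRT parameters agree with d."""
    p, q, e, d = key["p"], key["q"], key["e"], key["d"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (key["n"] == p * q and (e * d) % lam == 1
            and key["dp"] == d % (p - 1) and key["dq"] == d % (q - 1)
            and (key["qinv"] * q) % p == 1)


def load_rsa_private_key(der):
    """Accept bare RSAPrivateKey or PKCS#8 DER, hiding the container from the
    caller the way the EVP layer does (this example's own logic, not OpenSSL's)."""
    try:
        return parse_rsa_private_key(der)
    except ValueError:
        return parse_rsa_private_key(unwrap_pkcs8(der))


# Constructed toy key (p=61, q=53): exercises the encoder, useless as a real key.
TOY_KEY = dict(version=0, n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)
RSA_DER = encode_rsa_private_key(TOY_KEY)
PKCS8_DER = wrap_pkcs8(RSA_DER)

if __name__ == "__main__":
    print("RSAPrivateKey DER:", RSA_DER.hex())
    print("PKCS#8 DER:       ", PKCS8_DER.hex())
    try:
        parse_rsa_private_key(PKCS8_DER)
    except ValueError as err:
        print("strict RSAPrivateKey decode of the PKCS#8 blob fails:", err)
    print("after unwrapping, key consistent:", check_rsa_key(load_rsa_private_key(PKCS8_DER)))
```

Running it prints the two encodings side by side; the PKCS#8 one begins with the same `30` SEQUENCE tag, which is why the mismatch only surfaces at the second element, where the strict decoder finds an AlgorithmIdentifier SEQUENCE instead of the INTEGER `n`. The same shape is what `openssl asn1parse` shows for such a file.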