[openssl-users] Question as to best options....
Karl Denninger
karl at denninger.net
Fri Dec 29 01:17:36 UTC 2017
On 12/28/2017 18:31, Salz, Rich via openssl-users wrote:
> It is hard to follow this thread with all the indenting.
>
> > If I take a PEM-encoded RSA private key file and convert it to
> > binary (using b64decode) what I get is not the same thing as I get
> > from "openssl rsa -inform pem -in key -outform der -out key.der".
>
> How do you convert it? Did you strip off the ---BEGIN and END tags?
> Then it absolutely should have been the same thing.
>
Yes, I certainly did. And it's not the same thing.
Proof:
root at Test-MCP:/usr/local/etc/HD-MCP/ssl/x # diff key.pem test.key
0a1
> -----BEGIN PRIVATE KEY-----
26a28
> -----END PRIVATE KEY-----
root at Test-MCP:/usr/local/etc/HD-MCP/ssl/x # ls -al
total 16
drwxr-xr-x 2 root wheel 512 Dec 28 18:36 .
drwx------ 3 hdmcp wheel 512 Dec 28 18:33 ..
-rw------- 1 root wheel 1654 Dec 28 18:33 key.pem
-rw------- 1 root wheel 1708 Dec 28 18:35 test.key
Only difference is the barrier lines in the test.key file (which have to
be there for openssl or it throws up.) Now we run:
root at Test-MCP:/usr/local/etc/HD-MCP/ssl/x # openssl rsa -inform pem -in test.key -outform der -out key.der
writing RSA key
root at Test-MCP:/usr/local/etc/HD-MCP/ssl/x # b64decode -r key.pem > key.bin
root at Test-MCP:/usr/local/etc/HD-MCP/ssl/x # ls -la
total 24
drwxr-xr-x 2 root wheel 512 Dec 28 18:37 .
drwx------ 3 hdmcp wheel 512 Dec 28 18:33 ..
-rw-r--r-- 1 root wheel 1219 Dec 28 18:37 key.bin
-rw-r--r-- 1 root wheel 1193 Dec 28 18:37 key.der
-rw------- 1 root wheel 1654 Dec 28 18:33 key.pem
-rw------- 1 root wheel 1708 Dec 28 18:35 test.key
root at Test-MCP:/usr/local/etc/HD-MCP/ssl/x #
Those output files (key.bin and key.der) are not the same -- they're
different within the first few bytes on examination with od -t x1, not
just in length (e.g. trash at the end).
If I load key.der into a binary buffer and run d2i_AutoPrivateKey
against it I get a valid EVP_PKEY buffer back and no error.
I'll chase this down further, but I think the easiest way may be to just
run DER files, since those work... :-)
> An internal structure, such as an RSA object, can be converted to DER
> using d2i_RSA. DER is useful because it is a “flat” format, whereas
> the internal object is useful in the C code. Make sense? DER files
> are useful if you already know what the filetype is. The d2i_ and
> i2d_ functions convert between internal (C structures, with pointers
> etc) to DER encoding. They basically work on buffers, only.
>
> PEM files are base64 encoded DER, with BEGIN and END tags that specify
> what the middle-part is. It is useful because it is human readable.
> Also the PEM_read_xxxx functions will check what is expected to what
> the file says it is.
>
> Most objects have PEM_read and PEM_write functions as well. They are
> not necessarily obvious from scanning the header files, because they
> are declared and implemented as macros, as it's common code with just
> a pointer to an internal description of what the ASN1/DER looks like.
>
> The documentation on the master branch does a much better, and more
> complete, job of explaining this.
>
> The function I think you want is PEM_read_PrivateKey.
>
I'll look in there; my assumption was that I could trivially convert a
PEM file into an internal DER representation by stripping the flag lines
from the front and rear and then decoding the base64 piece.....
Thanks; I'll figger it out :-)
--
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
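Added example (not from the thread, and not OpenSSL's code): the diff above shows that key.pem carries `-----BEGIN PRIVATE KEY-----`, which is the PKCS#8 PrivateKeyInfo wrapper (RFC 5958), whereas `openssl rsa -outform der` in the OpenSSL 1.x of 2017 writes the bare PKCS#1 RSAPrivateKey (the `-----BEGIN RSA PRIVATE KEY-----` form in PEM; OpenSSL 3 defaults to PKCS#8 there unless `-traditional` is given). Stripping the barrier lines and base64-decoding is therefore correct, it just yields the PKCS#8 DER, and the 26-byte gap in the `ls` listing (1219 vs 1193 bytes) is exactly the wrapper overhead for a body of that size. The Python below builds both encodings around a constructed toy key (textbook-sized integers, not a real key) using a minimal DER encoder written for this example, and checks each of those claims.

```python
"""Toy PKCS#1 vs PKCS#8 encoding of an RSA private key (added example).

Every integer here is a constructed textbook placeholder, not a real key; the
DER encoder below covers only the types PrivateKeyInfo needs."""
import base64
import textwrap

# ---- minimal DER encoder ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # minimal two's-complement: a leading 0x00 appears when the top bit is set
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

DER_NULL = b"\x05\x00"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption

# Constructed toy parameters (n = 61 * 53); far too small to be a real key.
TOY_KEY = dict(n=3233, e=17, d=2753, p=61, q=53)

def rsa_private_key_pkcs1(k):
    """RSAPrivateKey (RFC 8017 A.1.2): version, n, e, d, p, q, dP, dQ, qInv."""
    return der_seq(
        der_int(0), der_int(k["n"]), der_int(k["e"]), der_int(k["d"]),
        der_int(k["p"]), der_int(k["q"]),
        der_int(k["d"] % (k["p"] - 1)), der_int(k["d"] % (k["q"] - 1)),
        der_int(pow(k["q"], -1, k["p"])),
    )

def private_key_info_pkcs8(inner_der):
    """PrivateKeyInfo (RFC 5958): version 0, AlgorithmIdentifier, OCTET STRING."""
    alg = der_seq(der_oid(RSA_ENCRYPTION), DER_NULL)
    return der_seq(der_int(0), alg, tlv(0x04, inner_der))

def pem_encode(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_strip_and_decode(pem):
    """The 'drop the barrier lines and b64decode' step from the thread."""
    lines = [ln.strip() for ln in pem.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def child_tags(der):
    """Tags of the elements directly inside the outer SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    return tags

def wrapper_overhead(inner_len):
    """Bytes PKCS#8 adds around a PKCS#1 body of inner_len bytes."""
    return len(private_key_info_pkcs8(b"\x00" * inner_len)) - inner_len

def demo(key=TOY_KEY):
    pkcs1 = rsa_private_key_pkcs1(key)
    pkcs8 = private_key_info_pkcs8(pkcs1)
    pem_rsa = pem_encode("RSA PRIVATE KEY", pkcs1)  # traditional / PKCS#1 label
    pem_p8 = pem_encode("PRIVATE KEY", pkcs8)       # the label in the thread's diff
    return {
        "p8_roundtrip": pem_strip_and_decode(pem_p8) == pkcs8,
        "p1_roundtrip": pem_strip_and_decode(pem_rsa) == pkcs1,
        "same_bytes": pkcs1 == pkcs8,
        "p8_embeds_p1": pkcs1 in pkcs8,
        "p8_tags": child_tags(pkcs8),   # INTEGER, SEQUENCE, OCTET STRING
        "p1_tags": child_tags(pkcs1),   # nine INTEGERs
        "first_diff": next(i for i, (a, b) in enumerate(zip(pkcs1, pkcs8)) if a != b),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("PKCS#8 overhead around a 1193-byte RSAPrivateKey:", wrapper_overhead(1193))
```

Both round trips succeed, so the base64 step was never the problem; the two DER blobs simply encode different ASN.1 structures and diverge at the length byte, with the PKCS#1 body sitting whole inside the PKCS#8 OCTET STRING. Two consequences for the original question: `openssl pkey -in key.pem -outform der` writes the PKCS#8 form and would match key.bin byte for byte, and d2i_AutoPrivateKey accepts either encoding, which is why key.der loaded cleanly.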