Hi,
I have a `Certificates.p12` file that I wish to convert to a `certificates.pem` containing an unencrypted private key in PKCS#1 format. I have previously been able to do this by running:
    openssl pkcs12 -in Certificates.p12 -out certificates.pem -nodes -clcerts
The resulting `certificates.pem` file has a `PRIVATE KEY` PEM block, as expected. However, the library I'm using does not understand this PEM block, because it expects it to be a PKCS#1 private key. The ASN.1 structure of a PKCS#1 private key is defined by RFC 3447 as:
    RSAPrivateKey ::= SEQUENCE {
        version           Version,
        modulus           INTEGER,  -- n
        publicExponent    INTEGER,  -- e
        privateExponent   INTEGER,  -- d
        prime1            INTEGER,  -- p
        prime2            INTEGER,  -- q
        exponent1         INTEGER,  -- d mod (p-1)
        exponent2         INTEGER,  -- d mod (q-1)
        coefficient       INTEGER,  -- (inverse of q) mod p
        otherPrimeInfos   OtherPrimeInfos OPTIONAL
    }
The bad private key block in my `certificates.pem` does not have this PKCS#1 structure! Instead, its ASN.1 structure looks like this:
    $ openssl asn1parse -i -in badprivatekey.pem
    0:d=0 hl=4 l=1212 cons: SEQUENCE
    4:d=1 hl=2 l= 1 prim: INTEGER :00
    7:d=1 hl=2 l= 13 cons: SEQUENCE
    9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
    20:d=2 hl=2 l= 0 prim: NULL
    22:d=1 hl=4 l=1190 prim: OCTET STRING [HEX DUMP]:308204A...very long hex...
What is the above format? The documentation for `openssl pkcs12` only vaguely says that its output is "written in PEM format." I need a stronger guarantee that the private key PEM block is in PKCS#1 format.
The strange thing is that `openssl rsa` understands the strange format of the "bad" private key, and can convert it to the right PKCS#1 structure with:
    openssl rsa -in badprivatekey.pem -out goodprivatekey.pem
Although `openssl rsa` understands the input file, the tool seems unable to tell me _why_, i.e. what the format of the input file is.
What is the output format of `openssl pkcs12`? Specifically what is the format of its private key block? How do I make `openssl pkcs12` output a correct PKCS#1 private key?
Thanks,
Jim
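
The layout in the `asn1parse` output above (a version INTEGER, an AlgorithmIdentifier SEQUENCE naming rsaEncryption, then an OCTET STRING) is that of a PKCS#8 PrivateKeyInfo (RFC 5208), whose OCTET STRING carries the PKCS#1 RSAPrivateKey. The following is an added example, not part of the original post and not OpenSSL code: it tells the two DER layouts apart and extracts the inner PKCS#1 key, with function names and a toy key that are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def tlv(tag, value):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def der_int(i):
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify(der):
    """Return ("pkcs1", der) or ("pkcs8", inner_pkcs1_der) for an RSA private key."""
    tag, body, _ = read_tlv(der)
    items = children(body) if tag == 0x30 else []
    tags = [t for t, _ in items]
    if tags[:3] == [0x02, 0x30, 0x04] and children(items[1][1])[:1] == [(0x06, RSA_OID)]:
        return "pkcs8", items[2][1]   # OCTET STRING payload is the RSAPrivateKey
    if len(tags) >= 9 and set(tags[:9]) == {0x02}:
        return "pkcs1", der           # version + eight INTEGERs, as in RFC 3447
    raise ValueError("not an RSA PKCS#1 or PKCS#8 private key")

# Constructed toy key (p=61, q=53), far too small for real use.
p, q, e = 61, 53, 17
d = pow(e, -1, (p - 1) * (q - 1))
PKCS1 = tlv(0x30, b"".join(map(der_int, [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)])))
PKCS8 = tlv(0x30, der_int(0) + tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x04, PKCS1))
```

`classify` takes DER bytes, i.e. the base64-decoded body of the PEM block; a `PRIVATE KEY` block decodes to the PKCS#8 layout and an `RSA PRIVATE KEY` block to the PKCS#1 layout.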