Re: Question as to best options....

[Karl Denninger <karl@xxxxxxxxxxxxx>]

On 12/28/2017 18:31, Salz, Rich via openssl-users wrote:

It is hard to follow this thread with all the indenting.

 

>  If I take a PEM-encoded RSA private key file and convert it to binary (using b64decode) what I get is not the same thing as I get from "openssl rsa -inform pem -in key -outform der -out key.der".

How do you convert it?  Did you strip off the ---BEGIN and END tags?  Then it absolutely should have been the same thing.

Yes, I certainly did.  And it's not the same thing.

Proof:

root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # diff key.pem test.key
0a1
> -----BEGIN PRIVATE KEY-----
26a28
> -----END PRIVATE KEY-----
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # ls -al
total 16
drwxr-xr-x  2 root   wheel   512 Dec 28 18:36 .
drwx------  3 hdmcp  wheel   512 Dec 28 18:33 ..
-rw-------  1 root   wheel  1654 Dec 28 18:33 key.pem
-rw-------  1 root   wheel  1708 Dec 28 18:35 test.key

Only difference is the barrier lines in the test.key file (which have to be there for openssl or it throws up.)  Now we run:

root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # openssl rsa -inform pem -in test.key -outform der -out key.der
writing RSA key
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # b64decode -r key.pem > key.bin     
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x # ls -la
total 24
drwxr-xr-x  2 root   wheel   512 Dec 28 18:37 .
drwx------  3 hdmcp  wheel   512 Dec 28 18:33 ..
-rw-r--r--  1 root   wheel  1219 Dec 28 18:37 key.bin
-rw-r--r--  1 root   wheel  1193 Dec 28 18:37 key.der
-rw-------  1 root   wheel  1654 Dec 28 18:33 key.pem
-rw-------  1 root   wheel  1708 Dec 28 18:35 test.key
root@Test-MCP:/usr/local/etc/HD-MCP/ssl/x #

Those output files (key.bin and key.der) are not the same -- they're different within the first few bytes on examination with od -t x1, not just on length (e.g. trash at the end)

If I load key.der into a binary buffer and run d2i_AutoPrivateKey against it I get a valid EVP_PKEY buffer back and no error.

I'll chase this down further, but I think the easiest way may be to just run DER files, since those work... :-)

An internal structure, such as an RSA object, can be converted to DER using d2i_RSA.  DER is useful because it is a “flat” format, whereas the internal object is useful in the C code.  Make sense?  DER files are useful if you already know what the filetype is.  The d2i_ and i2d_ functions convert between internal (C structures, with pointers etc) to DER encoding.  They basically work on buffers, only.

PEM files are base64 encoded DER, with BEGIN and END tags that specify what the middle-part is.  It is useful because it is human readable. Also the PEM_read_xxxx functions will check what is expected to what the file says it is.

Most objects have PEM_read and PEM_write functions as well.  They are not necessarily obvious from scanning the header files, because they are declared and implemented as macro’s, as it’s common code with just a pointer to an internal description of what the ASN1/DER looks like.

The documentation on the master branch does a much better, and more complete, job of explaining this.

The function I think you want is PEM_read_PrivateKey.

I'll look in there; my assumption was that I could trivially convert a PEM file into an internal DER representation by stripping the flag lines from the front and rear and then decoding the base64 piece.....

Thanks; I'll figger it out :-)

--
Karl Denninger
karl@xxxxxxxxxxxxx
The Market Ticker
[S/MIME encrypted email preferred]

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users