[Botan-devel] Unable to read a rsa private key generated by openssl

Pete Toich torcher72 at yahoo.com
Mon Jun 21 13:53:08 EDT 2010


I sent the mail below a week ago but just realized that I got a bounce message because it was too big.  I removed the attachment and now it is located in a public dropbox.  It can be referenced at:



----- Forwarded Message ----
From: Pete Toich <torcher72 at yahoo.com>
To: Botan development list <botan-devel at randombit.net>
Sent: Mon, June 14, 2010 11:40:15 AM
Subject: Re: [Botan-devel] Unable to read a rsa private key generated by openssl


Thanks for you all of your responses.

A colleague of mine did an in depth comparison of the two formats (botan vs openssh).  I attached a document which he created.  He believes that there is an extra header in the botan pem file as compared to the openssh version.

Not sure that you want to do anything about it per se, but thought I would pass along the information.  I could see though that being directly compatible with openssh would have its benefits.


----- Original Message ----
From: Jack Lloyd <lloyd at randombit.net>
To: botan-devel at randombit.net
Sent: Fri, June 11, 2010 6:22:35 PM
Subject: Re: [Botan-devel] Unable to read a rsa private key generated by openssl

On Fri, Jun 11, 2010 at 02:53:10PM -0700, Pete Toich wrote:
> Hi,
> When I try to use the following code to read a pem file generated by openssl (syntax below),
>  I get the exception: Exception: Botan: Decoding error: PKCS #8 private key decoding failed
> Looking at the pem file generated by openssl and by the rsa_kgen botan example, the file sizes are different.  Diving deeper there is
> a extra header on the rsa_kgen version that is not present in the openssl version.  
> Is it possible to open RSA keys with botan that were created by openssl?

The encrypted keys, no; for whatever reason OpenSSL continues to use
some strange and I think OpenSSL-specific format for this. You can
convert them to PKCS #8 format keys using

openssl pkcs8 -topk8 -in rsa_key.pem

(Add -nocrypt if you don't want to encrypt the PKCS #8 file).

[I'm sure it's possible to write code using botan that could decrypt
the file, of course, but I haven't bothered digging through the
OpenSSL code to try figuring out what the actual format is]

The unencrypted keys can be loaded by picking apart the PEM layer and
then feeding it into the BER decoder by hand, which is awkward but
works. I've attached an example.


More information about the botan-devel mailing list