[Botan-devel] Unable to read a rsa private key generated by openssl

Jack Lloyd lloyd at randombit.net
Mon Jun 21 13:58:27 EDT 2010


Hi Pete,

I'm confused by the comment 'I couldn't find a way to get OpenSSL to
parse the PEM file[...]'

At least OpenSSL 0.9.8's rsa command understands an X.509-style public
key:

(motoko ~/net.randombit.botan/doc/examples)$ ./rsa_kgen 1024
(motoko ~/net.randombit.botan/doc/examples)$ cat rsapub.pem 
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnrRxKVJP2YcmajZTSQGTpTZz2
AkR6jJpv8uVCL4fFHckb+T94AAaRFBSQn21ai0gbxKFTqzXPHmBYF0r8KSc7vvm8
HNwfk6VW9e9hFd9sKX6JU3pLb/0vCAhdXiX2xW8k0Z4T7aWtusVWyuNjWbLGZTNk
72HtF+XcNlRipFM6twIDAQAB
-----END PUBLIC KEY-----
(motoko ~/net.randombit.botan/doc/examples)$ openssl rsa -pubin -in rsapub.pem -text -noout
Modulus (1024 bit):
    00:e7:ad:1c:4a:54:93:f6:61:c9:9a:8d:94:d2:40:
    64:e9:4d:9c:f6:02:44:7a:8c:9a:6f:f2:e5:42:2f:
    87:c5:1d:c9:1b:f9:3f:78:00:06:91:14:14:90:9f:
    6d:5a:8b:48:1b:c4:a1:53:ab:35:cf:1e:60:58:17:
    4a:fc:29:27:3b:be:f9:bc:1c:dc:1f:93:a5:56:f5:
    ef:61:15:df:6c:29:7e:89:53:7a:4b:6f:fd:2f:08:
    08:5d:5e:25:f6:c5:6f:24:d1:9e:13:ed:a5:ad:ba:
    c5:56:ca:e3:63:59:b2:c6:65:33:64:ef:61:ed:17:
    e5:dc:36:54:62:a4:53:3a:b7
Exponent: 65537 (0x10001)

-Jack

On Mon, Jun 21, 2010 at 10:53:08AM -0700, Pete Toich wrote:
> Hi, 
> 
> I sent the mail below a week ago but just realized that I got a bounce message because it was too big.  I removed the attachment and now it is located in a public dropbox.  It can be referenced at:
> 
> http://dl.dropbox.com/u/1857403/Annotated_RSA_Private_Key_PEM_file_from_Botan-Rev_4.pdf
> 
> Pete
> 
> 
> ----- Forwarded Message ----
> From: Pete Toich <torcher72 at yahoo.com>
> To: Botan development list <botan-devel at randombit.net>
> Sent: Mon, June 14, 2010 11:40:15 AM
> Subject: Re: [Botan-devel] Unable to read a rsa private key generated by openssl
> 
> Jack,
> 
> Thanks for all of your responses.
> 
> A colleague of mine did an in-depth comparison of the two formats (botan vs openssh).  I attached a document which he created.  He believes that there is an extra header in the botan pem file as compared to the openssh version.
> 
> Not sure that you want to do anything about it per se, but thought I would pass along the information.  I could see though that being directly compatible with openssh would have its benefits.
> 
> 
> Pete
> 
> 
> ----- Original Message ----
> From: Jack Lloyd <lloyd at randombit.net>
> To: botan-devel at randombit.net
> Sent: Fri, June 11, 2010 6:22:35 PM
> Subject: Re: [Botan-devel] Unable to read a rsa private key generated by openssl
> 
> On Fri, Jun 11, 2010 at 02:53:10PM -0700, Pete Toich wrote:
> > Hi,
> > 
> > When I try to use the following code to read a pem file generated by openssl (syntax below),
> >  I get the exception: Exception: Botan: Decoding error: PKCS #8 private key decoding failed
> > 
> > Looking at the pem file generated by openssl and by the rsa_kgen botan example, the file sizes are different.  Diving deeper there is
> > an extra header on the rsa_kgen version that is not present in the openssl version.  
> > 
> > Is it possible to open RSA keys with botan that were created by openssl?
> 
> The encrypted keys, no; for whatever reason OpenSSL continues to use
> some strange and I think OpenSSL-specific format for this. You can
> convert them to PKCS #8 format keys using
> 
> openssl pkcs8 -topk8 -in rsa_key.pem
> 
> (Add -nocrypt if you don't want to encrypt the PKCS #8 file).
> 
> [I'm sure it's possible to write code using botan that could decrypt
> the file, of course, but I haven't bothered digging through the
> OpenSSL code to try figuring out what the actual format is]
> 
> The unencrypted keys can be loaded by picking apart the PEM layer and
> then feeding it into the BER decoder by hand, which is awkward but
> works. I've attached an example.
> 
> -Jack
> 
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel
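
The format difference discussed in this thread, as an added example that is not part of the original messages and is not Botan or OpenSSL code: PKCS #8 and X.509 wrap the bare PKCS #1 RSA structure in a header carrying an AlgorithmIdentifier, which is the most likely reading of the "extra header". The sketch below strips the PEM layer, identifies the structure from its DER tags and removes the wrapper. The function names and the toy private key are assumptions made for illustration; the public key is the one quoted above.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
KINDS = {(0x30, 0x03): "X.509 SubjectPublicKeyInfo",
         (0x02, 0x30, 0x04): "PKCS #8 PrivateKeyInfo",
         (0x30, 0x04): "PKCS #8 EncryptedPrivateKeyInfo",
         (0x02,) * 9: "PKCS #1 RSAPrivateKey",
         (0x02,) * 2: "PKCS #1 RSAPublicKey"}

def pem_body(pem):  # strip the PEM armor; return (label, DER bytes)
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m or ":" in m.group(2):  # ':' means Proc-Type/DEK-Info headers (encrypted body)
        raise ValueError("no plain PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def tlvs(buf):  # yield (tag, value) for each DER element; single-byte tags only
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated DER header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes that follow
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[i:i + n]
        i += n

def unwrap(der):  # return (kind, inner PKCS #1 DER), or (kind, None) if nothing to strip
    tag, body = next(tlvs(der), (0, b""))
    kids = list(tlvs(body)) if tag == 0x30 else []
    kind = KINDS.get(tuple(t for t, _ in kids), "unknown")
    if kind in ("X.509 SubjectPublicKeyInfo", "PKCS #8 PrivateKeyInfo"):
        if next(tlvs(kids[-2][1]), None) != (0x06, RSA_OID):  # AlgorithmIdentifier OID
            raise ValueError("wrapper names a non-RSA algorithm")
        # BIT STRING (public key): drop the leading unused-bits byte; OCTET STRING: as is
        return kind, kids[-1][1][1:] if kids[-1][0] == 0x03 else kids[-1][1]
    return kind, None

def rsa_integers(pkcs1):  # INTEGER fields of an RSAPublicKey / RSAPrivateKey
    return [int.from_bytes(v, "big") for _, v in tlvs(next(tlvs(pkcs1))[1])]

PAGE_PUB_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnrRxKVJP2YcmajZTSQGTpTZz2
AkR6jJpv8uVCL4fFHckb+T94AAaRFBSQn21ai0gbxKFTqzXPHmBYF0r8KSc7vvm8
HNwfk6VW9e9hFd9sKX6JU3pLb/0vCAhdXiX2xW8k0Z4T7aWtusVWyuNjWbLGZTNk
72HtF+XcNlRipFM6twIDAQAB
-----END PUBLIC KEY-----"""  # the key quoted in the message above
# Constructed toy key (n=33, e=3, d=7), bare PKCS #1 and PKCS #8-wrapped; illustration only.
TOY_PKCS1 = bytes.fromhex("301b" + "".join("0201%02x" % v for v in (0, 33, 3, 7, 3, 11, 1, 7, 2)))
TOY_PKCS8 = bytes.fromhex("3031020100300d0609") + RSA_OID + bytes.fromhex("0500041d") + TOY_PKCS1
```

Calling unwrap(pem_body(PAGE_PUB_PEM)[1]) and passing the inner bytes to rsa_integers recovers the modulus and exponent that the openssl rsa -pubin output above prints.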


