[Botan-devel] Unable to read a rsa private key generated by openssl

Jack Lloyd lloyd at randombit.net
Mon Jun 21 13:58:27 EDT 2010

Hi Pete,

I'm confused by the comment 'I couldn't find a way to get OpenSSL to
parse the PEM file[...]'

At least OpenSSL 0.9.8's rsa command understands an X.509-style public

(motoko ~/net.randombit.botan/doc/examples)$ ./rsa_kgen 1024
(motoko ~/net.randombit.botan/doc/examples)$ cat rsapub.pem 
-----END PUBLIC KEY-----
(motoko ~/net.randombit.botan/doc/examples)$ openssl rsa -pubin -in rsapub.pem -text -noout
Modulus (1024 bit):
Exponent: 65537 (0x10001)


On Mon, Jun 21, 2010 at 10:53:08AM -0700, Pete Toich wrote:
> Hi, 
> I sent the mail below a week ago but just realized that I got a bounce message because it was too big.  I removed the attachment and now it is located in a public dropbox.  It can be referenced at:
> http://dl.dropbox.com/u/1857403/Annotated_RSA_Private_Key_PEM_file_from_Botan-Rev_4.pdf
> Pete
> ----- Forwarded Message ----
> From: Pete Toich <torcher72 at yahoo.com>
> To: Botan development list <botan-devel at randombit.net>
> Sent: Mon, June 14, 2010 11:40:15 AM
> Subject: Re: [Botan-devel] Unable to read a rsa private key generated by openssl
> Jack,
> Thanks for all of your responses.
> A colleague of mine did an in-depth comparison of the two formats (botan vs openssh).  I attached a document which he created.  He believes that there is an extra header in the botan pem file as compared to the openssh version.
> Not sure that you want to do anything about it per se, but thought I would pass along the information.  I could see though that being directly compatible with openssh would have its benefits.
> Pete
> ----- Original Message ----
> From: Jack Lloyd <lloyd at randombit.net>
> To: botan-devel at randombit.net
> Sent: Fri, June 11, 2010 6:22:35 PM
> Subject: Re: [Botan-devel] Unable to read a rsa private key generated by openssl
> On Fri, Jun 11, 2010 at 02:53:10PM -0700, Pete Toich wrote:
> > Hi,
> > 
> > When I try to use the following code to read a pem file generated by openssl (syntax below),
> >  I get the exception: Exception: Botan: Decoding error: PKCS #8 private key decoding failed
> > 
> > Looking at the pem file generated by openssl and by the rsa_kgen botan example, the file sizes are different.  Diving deeper there is
> > an extra header on the rsa_kgen version that is not present in the openssl version.  
> > 
> > Is it possible to open RSA keys with botan that were created by openssl?
> The encrypted keys, no; for whatever reason OpenSSL continues to use
> some strange and I think OpenSSL-specific format for this. You can
> convert them to PKCS #8 format keys using
> openssl pkcs8 -topk8 -in rsa_key.pem
> (Add -nocrypt if you don't want to encrypt the PKCS #8 file).
> [I'm sure it's possible to write code using botan that could decrypt
> the file, of course, but I haven't bothered digging through the
> OpenSSL code to try figuring out what the actual format is]
> The unencrypted keys can be loaded by picking apart the PEM layer and
> then feeding it into the BER decoder by hand, which is awkward but
> works. I've attached an example.
> -Jack

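An added example, not code from this thread or from Botan: PKCS #8 wraps the PKCS #1 RSAPrivateKey found in OpenSSL's traditional "RSA PRIVATE KEY" files in a version, an AlgorithmIdentifier and an OCTET STRING. The Python sketch below picks apart the PEM layer, walks the DER by hand and returns the bare PKCS #1 key from either layout. All function names are hypothetical and the key is a constructed toy value.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def tlv(tag, body):  # encode one DER TLV (definite length, short or long form)
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def der_int(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf, off=0):  # decode the TLV at off -> (tag, body, offset of next TLV)
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    k = first & 0x7F if first & 0x80 else 0  # long form: count of length bytes
    n, pos = (int.from_bytes(buf[pos:pos + k], "big") if k else first), pos + k
    if first == 0x80 or pos + n > len(buf):  # indefinite length is not valid DER
        raise ValueError("bad or truncated DER length")
    return tag, buf[pos:pos + n], pos + n

def pem_to_der(pem):  # pick apart the PEM layer -> (label, DER bytes)
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    if "Proc-Type:" in m.group(2):  # header line of OpenSSL's encrypted traditional format
        raise ValueError("encrypted traditional PEM: convert with openssl pkcs8 -topk8")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def rsa_private_key_der(pem):  # -> (detected layout, PKCS #1 RSAPrivateKey DER)
    _, der = pem_to_der(pem)
    tag, seq, _ = read_tlv(der)
    vtag, _, nxt = read_tlv(seq)            # version INTEGER in both layouts
    tag2, body2, nxt = read_tlv(seq, nxt)
    if (tag, vtag, tag2) == (0x30, 0x02, 0x02):  # modulus follows directly: PKCS #1
        return "PKCS#1", der
    if (tag, vtag, tag2) == (0x30, 0x02, 0x30):  # AlgorithmIdentifier: PKCS #8 header
        oid_tag, oid, _ = read_tlv(body2)
        key_tag, inner, _ = read_tlv(seq, nxt)
        if (oid_tag, oid, key_tag) == (0x06, RSA_OID, 0x04):
            return "PKCS#8", inner          # OCTET STRING holds the PKCS #1 key
    raise ValueError("unrecognised private key structure")

def armor(label, der):  # wrap DER in PEM armour (used only to build the samples)
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed toy key (textbook RSA numbers, n = 61 * 53), not a usable key.
PKCS1 = tlv(0x30, b"".join(map(der_int, (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
PKCS8 = tlv(0x30, der_int(0) + tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x04, PKCS1))
```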