On Feb 23, 2010, at 1:18 AM, Andreas Jellinghaus wrote:

> I verified your email, and the situation is exactly as you said,
> except your interpretation is wrong.
>
> The "rsa" command you posted will print three things:
> * Modulus
> * Exponent
> * "RSA PRIVATE KEY"
>
> Modulus and Exponent are the information that is in public keys.
> So that is perfectly fine. None of the information available in
> private keys was posted, as openssl can't get that.

Huh. If you use openssl rsa with -pubout, you get a *different* blob of stuff, though it could simply differ in some insignificant way.

> The "RSA PRIVATE KEY" pem print is totally bogus, it is much too short
> to contain the public and the private key parts. I can't verify that,
> as the file is broken - openssl cannot read it back again. I guess
> openssl tried to create an rsa private key file, but somehow didn't
> properly check if all necessary information was available, and still
> printed what was there (only the public key parts modulus and exponent)
> and created a PEM file, which is unusable, as it doesn't contain all
> the information that should be in there.

That would make sense.

> For testing I created a key and extracted the public parts. The length
> of that data matches the PEM file printed with your command. So there
> can't be more information in there...
>
> So everything is fine - well, except openssl could implement better
> checks for RSA private key parts, print some nice message, and not
> try to create a private key PEM file if required information is missing.
>
> By the way: running an SSL server with the key on the smart card is
> probably not such a good idea - smart cards can do about one signature
> a second (if the card is fast). You might need much more than that.

Well, it's just my home machine. Mostly the SSL stuff is imap, where the connections are relatively long lived. If I were going to do this for some sort of production environment, I'd probably use a real crypto token that had sufficient throughput.

I suppose the desirability of stealing the private key for the SSL cert on my home box is also relatively low... But I just don't like the idea of it sitting on the hard disk where anyone who can root the box can read it.

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
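Andreas checks by hand that the "RSA PRIVATE KEY" file is too short to hold private components. The script below automates that check; it is an added example, not code from the thread, from OpenSSL or from the Muscle project. It parses the PKCS#1 layouts directly: an RSAPublicKey is a DER SEQUENCE of 2 INTEGERs (n, e), an RSAPrivateKey a SEQUENCE of 9 (version, n, e, d, p, q, dp, dq, qinv). A PEM labelled "RSA PRIVATE KEY" that decodes to only 2 integers is exactly the bogus file the message describes. Note that `openssl rsa -pubout` writes the SubjectPublicKeyInfo form ("BEGIN PUBLIC KEY", which wraps RSAPublicKey inside an AlgorithmIdentifier and a BIT STRING), so it does look like a different blob; this example handles only the flat PKCS#1 form. The key numbers are a constructed textbook-sized toy key, and all function names are this example's own.

```python
import base64
import math
import textwrap

# Minimal DER helpers, enough to build and inspect the SEQUENCE OF INTEGER
# layouts used by PKCS#1 RSAPublicKey (2 integers) and RSAPrivateKey (9).


def _der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER-encode a non-negative INTEGER (a leading 0x00 keeps it positive)."""
    if value < 0:
        raise ValueError("only non-negative integers are handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_sequence(elements):
    """DER-encode a SEQUENCE from already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + _der_length(len(body)) + body


def pem_wrap(label, der):
    """Base64-armor DER bytes with the given PEM label, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_unwrap(pem):
    """Return (label, der_bytes) for a single PEM block."""
    lines = pem.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    return label, base64.b64decode("".join(lines[1:-1]))


def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_sequence_of_integers(der):
    """Decode a top-level SEQUENCE whose elements are all INTEGERs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER inside SEQUENCE")
        ints.append(int.from_bytes(content, "big"))
    return ints


def classify_rsa_pem(pem):
    """Report whether an RSA PEM really carries (self-consistent) private parts."""
    label, der = pem_unwrap(pem)
    result = {"label": label, "components": 0, "has_private_parts": False, "consistent": None}
    try:
        ints = der_sequence_of_integers(der)
    except (ValueError, IndexError):
        result["malformed"] = True
        return result
    result["components"] = len(ints)
    if len(ints) == 9:
        _, n, e, d, p, q, dp, dq, qinv = ints
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael lambda(n)
        result["has_private_parts"] = True
        result["consistent"] = (
            p * q == n
            and (e * d) % lam == 1
            and dp == d % (p - 1)
            and dq == d % (q - 1)
            and (q * qinv) % p == 1
        )
    return result


# Constructed toy key (textbook-sized numbers, for illustration only).
TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q = 3233, 17, 2753, 61, 53
TOY_PRIVATE_PEM = pem_wrap("RSA PRIVATE KEY", der_sequence([
    der_integer(x) for x in (0, TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q,
                             TOY_D % (TOY_P - 1), TOY_D % (TOY_Q - 1),
                             pow(TOY_Q, -1, TOY_P))]))
# The situation from the list message: a "private key" file holding only n and e.
TOY_PUBLIC_ONLY_PEM = pem_wrap("RSA PRIVATE KEY",
                               der_sequence([der_integer(TOY_N), der_integer(TOY_E)]))

if __name__ == "__main__":
    for name, pem in (("full key", TOY_PRIVATE_PEM), ("public-only", TOY_PUBLIC_ONLY_PEM)):
        print(name, classify_rsa_pem(pem))
```

Run against a real file with `classify_rsa_pem(open("key.pem").read())`: a genuine PKCS#1 private key yields 9 components and `consistent: True`; the file from the thread would yield 2 components under a private-key label, which is the mismatch OpenSSL did not flag before writing it out.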
