On Wed, Aug 11, 2004, Chris Tojza wrote:

> Hi,
> I hope somebody can help me with the following
> problems.
> I am working to replace legacy BSAFE application with
> the OpenSSL and I have to work with the legacy BSAFE
> generated RSA keys.
>
> I am unable to read BSAFE private key that has BSAFE
> type:
> KI_PKCS_RSAPrivateBER - This is ASN.1 key that is
> encoded with the PKCS #8 standard
>
Yes, OpenSSL can handle those, but there is more than one way to encode a key using PKCS#8. There are encrypted versions, which can use various different algorithms, and unencrypted versions. On top of that some applications use broken formats :-(

[snip]

> function calls and I am getting following error:
>
> fread:325:
> Error: d2i_PrivateKey_bio
> 5840:error:0D0680A8:asn1 encoding
> routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 5840:error:0D06C03A:asn1 encoding
> routines:ASN1_D2I_EX_PRIMITIVE:nested asn1
> error:tasn_dec.c:628:
> 5840:error:0D08303A:asn1 encoding
> routines:ASN1_TEMPLATE_D2I:nested asn1
> error:tasn_dec.c:566:Field=n, Type=RSA
> 5840:error:0D09A00D:asn1 encoding
> routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:
>
> Looks like the header is wrong.
>
> I am confused about the key format. ASN.1 is a standard
> that can be encoded using BER or DER. BSAFE types
> reference BER not DER; OpenSSL is using DER not BER.
> DER encoding provides only one strict form of encoding
> for the ASN.1 standard, where BER can have more than one.
>

That gets asked so often it's time it had an FAQ entry. OpenSSL will decode BER fine and will produce DER when it encodes, so it should be fine.

> My question is how do I read the private key that is
> in the format:
> ASN.1 key that is encoded with the PKCS #8
>

Try the 'pkcs8' command line utility, for example:

openssl pkcs8 -in key.p8 -inform DER
openssl pkcs8 -nocrypt -in key.p8 -inform DER

The first form will handle password encrypted keys, the second unencrypted forms.

Alternatively, if you convert the binary form to PEM (base64 encode it and add headers) OpenSSL will automatically handle the format.

If none of that seems to work, send me a sample key in that format and I'll see what I can do.

> ---------------------------------------------------------------
> The second problem is the public key format. The
> public keys are generated by BSAFE as type KI_RSAPublic
> - an RSA public key with the modulus and public key
> exponent.
> The keys are written to a file in the form:
> exponentLen
> exponent
> modulusLen
> modulus
> And sent to a remote system.
> I have to generate RSA *rsa structure and populate
> rsa->n //modulus
> rsa->e //exponent
> There are conversion routines like
> BN_bin2bn //binary to BIGNUM type for rsa->e
> There are d2i Public key routines to read DER or PEM
> format but my file is not in DER or PEM format.
>
> My second question is what format my public key file
> is and how do I convert it to RSA structure.
>

What does the data look like? Is the first byte 0x30 [an ASN1 SEQUENCE tag for those that are interested]? If so it might be an RSAPublicKey structure. See what:

openssl asn1parse -inform DER -in public.key

produces.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                        [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
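An added example, not part of this thread, showing one way to handle the second question without touching the RSA struct by hand: parse the raw "exponentLen, exponent, modulusLen, modulus" file and re-encode it as a PKCS#1 RSAPublicKey DER blob, which `openssl asn1parse -inform DER` and the d2i_RSAPublicKey routines can read. The width and byte order of the length fields are not stated in the message, so 32-bit big-endian is an assumption here; the sample bytes are constructed, not a real key.

```python
import struct


def der_len(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(magnitude):
    """DER INTEGER from an unsigned big-endian magnitude (as BN_bin2bn would take)."""
    v = magnitude.lstrip(b"\x00") or b"\x00"  # DER requires the minimal encoding
    if v[0] & 0x80:                           # top bit set: prefix 0x00 to keep it positive
        v = b"\x00" + v
    return b"\x02" + der_len(len(v)) + v


def parse_raw_rsa_public(blob):
    """Parse exponentLen | exponent | modulusLen | modulus.

    ASSUMPTION: each length is a 32-bit big-endian count of the bytes that follow.
    Returns (modulus, exponent) as raw big-endian byte strings.
    """
    off, fields = 0, []
    for _ in range(2):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated value field")
        fields.append(blob[off:off + n])
        off += n
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    exponent, modulus = fields
    return modulus, exponent


def raw_to_rsapublickey_der(blob):
    """PKCS#1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    modulus, exponent = parse_raw_rsa_public(blob)
    body = der_integer(modulus) + der_integer(exponent)
    return b"\x30" + der_len(len(body)) + body


def looks_like_der_sequence(data):
    """Steve's quick check: a DER RSAPublicKey starts with the SEQUENCE tag 0x30."""
    return len(data) > 0 and data[0] == 0x30


# Constructed sample input: e = 65537, n = a 16-byte toy value with its top bit set.
SAMPLE_E = (65537).to_bytes(3, "big")
SAMPLE_N = bytes.fromhex("c4f2ab0102030405060708090a0b0c0d")
RAW_SAMPLE = (struct.pack(">I", len(SAMPLE_E)) + SAMPLE_E
              + struct.pack(">I", len(SAMPLE_N)) + SAMPLE_N)

if __name__ == "__main__":
    print(raw_to_rsapublickey_der(RAW_SAMPLE).hex())
```

Writing the returned bytes to a file and running `openssl asn1parse -inform DER -in public.der` should show a SEQUENCE containing two INTEGERs, the modulus first.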