Could you generate a new private key with that proprietary code, and post it or email it to me offlist? (this new key would obviously need to be treated as compromised-destroyed in the NIST framework.)
BEGIN ENCRYPTED PRIVATE KEY looks like PKCS8. There's a couple of bugs in other implementations which have been identified and worked around by the OpenSSL crew, including the ones worked around by -nooct, -embed, and -nsdb. (Is it an RSA key? A DSA key?)

Basically, your idea is correct: you must convert the private key from pkcs#8 to openssl's format, then use the openssl format to pkcs12 -export. The problem is figuring out which algorithm has been used to encrypt the pkcs8 structure, and which version of the structure it's using.

-Kyle H

On Wed, Feb 11, 2009 at 3:50 PM, Bob Barnes <[email protected]> wrote:
> Kyle,
>
> Thanks for the response. Just to clarify a bit, our proprietary code is
> simply a wrapper around the third party libraries, which are SSLPlus/BSAFE.
> As far as I know they should be generating/storing the private key in a
> standards compliant way.
>
> The first 2 lines of the private key are:
>
> MIICmDAaBgkqhkiG9w0BBQMwDQQIgeyJNiNcE90CAQUEggJ4arTMz0VmFuBiCw3P
> 5LHhLjmOKpdTdby6Dy9BP34zrwL/7yKR+lt3cor+SzhH4vGedhD4SQafw4iM7+1j
>
> Can you confirm that my basic understanding as described in my first email
> is essentially correct or am I out in left field someplace?
>
> Bob
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kyle Hamilton
> Sent: Wednesday, February 11, 2009 3:09 PM
> To: [email protected]
> Subject: Re: Generating a PKCS#12 file
>
> The problem appears to be how your private key is stored, more than
> anything. What are the two lines following "BEGIN ENCRYPTED PRIVATE KEY" in
> your sslinf.key file?
>
> (This is one reason that standards exist, so that different things can
> (ostensibly) use the file formats. However, not everything adheres to the
> standards the way it's supposed to.)
>
> Without knowing more details on how your proprietary code
> generated/encrypted the key (or even what third-party library you used),
> it's pretty much impossible to figure out what's going wrong.
>
> -Kyle H
>
> On Wed, Feb 11, 2009 at 11:26 AM, Bob Barnes <[email protected]>
> wrote:
>> Hi, first post and I will confess right up front that I'm far from an
>> expert on SSL/cryptography.
>>
>> I'm trying to use OpenSSL to create a PKCS12 Version 3 file for import
>> into IBM's Digital Certificate Manager. I used our own proprietary
>> code (which uses a third party library for encryption) to generate a
>> CSR, submitted it to a CA and received back the certificate, which I
>> stored in a file called sslinf.pem. I can verify the contents of the
>> certificate by using the openssl x509 command as follows:
>>
>> openssl x509 -inform PEM -in sslinf.pem -text
>>
>> This is where the mist begins to descend ;-) The sslinf.pem file is, I
>> believe, PEM Base64 encoded since the contents are wrapped in
>> -----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----, although it
>> isn't clear to me whether the base64 encoded data is BER, DER or
>> something else. The key file, sslinf.key, appears to be PKCS#8, since
>> the syntax is -----BEGIN ENCRYPTED PRIVATE KEY-----/-----END ENCRYPTED
>> PRIVATE KEY----- and has been encrypted with a password.
>>
>> My understanding is that at this point I should be able to use the
>> openssl pkcs12 command to create a PKCS#12 file suitable for import into
>> IBM's DCM by doing the following:
>>
>> openssl pkcs12 -export -out sslinf.p12 -in sslinf.pem -inkey sslinf.key -name "My certificate"
>>
>> What I get is:
>>
>> Loading 'screen' into random state - done
>> Enter pass phrase for sslinf.key:
>>
>> I enter the password and get:
>>
>> unable to load private key
>>
>> At that point I was thinking that perhaps the sslinf.key file was not
>> really PKCS#8 so I tried:
>>
>> openssl pkcs8 -inform PEM -outform PEM -in sslinf.key -out pkcs8.key
>> Enter Password:
>>
>> The result is the following:
>>
>> Error decrypting key
>> 3144:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:330:
>> 3144:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:.\crypto\pkcs12\p12_decr.c:97:
>> 3144:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:123:
>>
>> So now I'm thinking maybe it's not PKCS#8 so I tried:
>>
>> openssl pkcs8 -in sslinf.key -topk8 -out pkcs8.key
>> Enter pass phrase for sslinf.key:
>>
>> and get:
>>
>> unable to load key
>>
>> BTW, this is OpenSSL 0.9.8j 07 Jan 2009 running on Windows XP. Can
>> someone enlighten me? I can honestly say that in over 30 years of
>> writing code I've never come across anything that's closer to black magic
>> than this stuff.
>>
>> Bob
>>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [email protected]
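The two base64 lines Bob posted already answer the question Kyle's last reply leaves open, and a short DER walk shows how. The following is an added example written for this page, not code from the thread, from OpenSSL or from the libraries Bob mentions: a stdlib-only Python inspector for the header of a PEM ENCRYPTED PRIVATE KEY, which is a PKCS#8 EncryptedPrivateKeyInfo. Fed the posted lines it reports the encryptionAlgorithm OID 1.2.840.113549.1.5.3 (pbeWithMD5AndDES-CBC, a PKCS#5 v1.5 scheme that OpenSSL 0.9.8 supports), an 8-byte salt, an iteration count of 5, and an encrypted payload of 632 bytes inside a 664-byte outer SEQUENCE. The function names and the OID table are this example's own; the only input data is what the thread shows.

```python
"""Inspect the header of a PEM 'ENCRYPTED PRIVATE KEY' (PKCS#8 EncryptedPrivateKeyInfo).
Added example for this page; stdlib only. It names the password-based encryption
scheme and its parameters before any decryption is attempted."""
import base64
import sys

# The two base64 lines Bob posted in the thread. Only the start of the file is
# known, so the encrypted payload is truncated; the header it carries is complete.
POSTED_LINES = (
    "MIICmDAaBgkqhkiG9w0BBQMwDQQIgeyJNiNcE90CAQUEggJ4arTMz0VmFuBiCw3P"
    "5LHhLjmOKpdTdby6Dy9BP34zrwL/7yKR+lt3cor+SzhH4vGedhD4SQafw4iM7+1j"
)

# PBE schemes that appear in encryptionAlgorithm (PKCS#5 v1.5, PKCS#12 PBE, PBES2).
PBE_OIDS = {
    "1.2.840.113549.1.5.1": "pbeWithMD2AndDES-CBC",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.5.6": "pbeWithMD5AndRC2-CBC",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",
    "1.2.840.113549.1.5.11": "pbeWithSHA1AndRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}


def read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_len, end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, length, pos + length


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def inspect_encrypted_pkcs8(b64):
    """Describe the EncryptedPrivateKeyInfo header in base64 DER (payload may be truncated)."""
    b64 = "".join(b64.split())
    der = base64.b64decode(b64[: len(b64) - len(b64) % 4])  # drop a ragged tail
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm AlgorithmIdentifier,
    #                                        encryptedData OCTET STRING }
    tag, pos, total, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE; not EncryptedPrivateKeyInfo")
    tag, alg_start, alg_len, after_alg = read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("encryptionAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_len, after_oid = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(der[oid_start:oid_start + oid_len])
    info = {"oid": oid, "scheme": PBE_OIDS.get(oid, "unknown"), "total_length": total}
    # PKCS#5 v1.5 and PKCS#12 PBE share PBEParameter ::= SEQUENCE { salt OCTET STRING,
    # iterationCount INTEGER }. PBES2 has a different parameter structure (KDF + cipher)
    # that this inspector only names, not decodes.
    if info["scheme"] != "PBES2" and after_oid < alg_start + alg_len:
        tag, p_start, _, _ = read_tlv(der, after_oid)
        if tag == 0x30:
            stag, s_start, s_len, after_salt = read_tlv(der, p_start)
            itag, i_start, i_len, _ = read_tlv(der, after_salt)
            if stag == 0x04 and itag == 0x02:
                info["salt"] = der[s_start:s_start + s_len].hex()
                info["iterations"] = int.from_bytes(der[i_start:i_start + i_len], "big", signed=True)
    tag, data_start, data_len, _ = read_tlv(der, after_alg)
    if tag != 0x04:
        raise ValueError("encryptedData is not an OCTET STRING")
    info["encrypted_length"] = data_len
    info["truncated"] = data_start + data_len > len(der)  # True for the posted fragment
    return info


def inspect_pem(text):
    """Inspect a whole .key file: keep only the base64 between the PEM armor lines."""
    lines = text.splitlines()
    if not any(l.strip() == "-----BEGIN ENCRYPTED PRIVATE KEY-----" for l in lines):
        raise ValueError("not a PEM ENCRYPTED PRIVATE KEY (PKCS#8) file")
    body = "".join(l.strip() for l in lines if l.strip() and not l.startswith("-----"))
    return inspect_encrypted_pkcs8(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            result = inspect_pem(f.read())
    else:
        result = inspect_encrypted_pkcs8(POSTED_LINES)
    for k, v in result.items():
        print(f"{k:>17}: {v}")
```

Run with no arguments it inspects the posted fragment; with a path it inspects the whole file, and on a complete sslinf.key `openssl asn1parse -in sslinf.key` prints the same structure with OID names. Two things follow from the header alone. First, the scheme is one OpenSSL reads, so the "bad decrypt" from EVP_DecryptFinal_ex, which is a padding failure after decrypting with the derived key, points at the key derivation rather than the file format: the most likely causes are a passphrase that does not match or a producer that turns the passphrase into key material differently from PKCS#5 (character encoding is the usual culprit); neither can be confirmed from the fragment. Second, MD5 with single DES and an iteration count of 5 (RFC 2898 recommends at least 1000) is weak protection for a private key, so once the key can be read it is worth re-wrapping it with a stronger scheme, e.g. `openssl pkcs8 -topk8 -v2 des3`, rather than carrying the original wrapping forward.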
