Hi Dave,

Thank you so much for the reply...
To answer your question about why I need to do this:

- I have a WCF client program that generates a pair of keys; with these
keys a Java service is called, this Java service calls a CA authority
and gives me a certificate that contains only the public key I sent
- on the client side I extract the public key from the private key with
ssh-keygen, send this public key to another service which puts it in
the authorised keys, I also make the identity file for OpenSSH
(private key + certificate - Roumen Petrov patch) and I have an OpenSSH
tunnel

Now they want to extract the public key ssh needs from the certificate, so
it will be done on the server side, not on the client side. The server
side does have the certificate of the client, but doesn't have the
private key of the client.

Hope this is more explicit...
I think on the Java side they can encode and decode the bytes; I didn't
think it would be this tedious a process, though...

Thanks again,
Adriana



On Sat, Jun 20, 2009 at 03:18, Dave Thompson <dave.thomp...@princetonpayments.com> wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Adriana Rodean
>> Sent: Friday, 19 June, 2009 00:55
>
>> I have a certificate in der format, from it with this command
>> i generate a public key: <snip: x509 -pubkey to pem>
>
>> How can i obtain a public key like the following? Either from
>> certificate or from this public key? <snip ssh pubkey format>
>> This was obtained with this command:
>>
>> ssh-keygen -y -f private_key1.pem > public_key1.pub
>>
> Not easily with (just) openssl.
>
> openssl pubkey files use the ASN.1 X.509 KeyInfo wrapping of,
> for an RSA key as here, the PKCS#1 representation, optionally base64ed.
>
> ssh, at least openssh, FOR PUBLIC KEYS, uses its own representation,
> which is a series of items each with a 4-byte length field, base64ed,
> and inserted into a text line with at least one other field.
> (This allows multiple pubkeys to be combined into one file simply.)
>
> To convert directly, you'll have to: de-base64; pick out the fields
> from the openssl ASN.1 representation; reformat them into the openssh
> representation; en-base64; add the openssh tag.
>
> openssl enc -a [-d] can do the de-base64 and (nearly) en-base64,
> if you don't have other tools. openssl rsa -pubin -text -noout,
> or openssl asn1parse -offset as_needed_here_22, can extract
> the fields, but in text form(s) which must be parsed back into
> binary; it's not clear this is easier than just parsing the DER.
>
> This is probably 10-20 lines of perl (assuming you have perl),
> or 50-100ish of C depending on robustness and style. Someone may
> well have already done it, but I wouldn't know where to look.
>
> openssh DOES use openssl format(s) for PRIVATE KEY files,
> and as you already know, ssh-keygen can extract from such
> a privatekey file to its publickey format. That's the easy way.
>
> Why do you have a (X.509) cert for an ssh key anyway?
> That doesn't really make sense, unless someone is using
> the same key for multiple applications, which is rarely
> a good idea and almost never necessary.
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>