I've got a docker that's perpetually in the RESTARTING status if an entrypoint.sh is run.
Checking docker logs, I see many repeats of these 2 chunks of error:
e is 65537 (0x010001)
140680312165760:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:765:You must type in 4 to 1023 characters
140680312165760:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:765:You must type in 4 to 1023 characters
140680312165760:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:../crypto/pem/pem_lib.c:330:
Generating RSA private key, 2048 bit long modulus
and
e is 65537 (0x010001)
unable to load Private Key
139751600240000:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:765:You must type in 4 to 1023 characters
139751600240000:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
139751600240000:error:0906A065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:439:
Generating RSA private key, 2048 bit long modulus
My entrypoint.sh has this snippet regarding encryption:
openssl genrsa -des3 -passout pass:x -out /etc/apache2/ssl/pass.key 2048
openssl rsa -passin pass:x -in /etc/apache2/ssl/pass.key -out /etc/apache2/ssl/server.key
cat /tmp/ssl-info.txt | openssl req -new -key /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.csr
openssl x509 -req -days 365 -in /etc/apache2/ssl/server.csr -signkey /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt
This is a project I've taken over so I'm not fully familiar with this snippet, which is far more verbose than what I typically use to generate and use rsa keys, like in this possibly related thread.
Can anyone please shed some insight into how this error can be solved?
I believe it's an issue with pass:xin line 1, x being only 1 character long.
pass:gsahdg etc should work(gsahdg is a random string).
Related
On a linux machine with openssl lib installed, when you perform “openssl pkcs12” with “-nodes” option then you get output with unencrypted private key but if you skip the –nodes option then output will have encrypted private key.
e.g.
openssl pkcs12 -in test.pfx -out test.pem
You should see private key encrypted like below
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiGG7s=
-----END ENCRYPTED PRIVATE KEY-----
How do I achive the above using ruby's open ssl library?
This is how I am generating the private key with ruby:
#private_key = OpenSSL::PKey::RSA.new 2048
#private_key.to_pem.to_s
EDIT:
I guess my question how does this command encrypt the private key:
openssl pkcs12 -in test.pfx -out test.pem
whereas:
“openssl pkcs12 -nodes -in test.pfx -out test.pem"
does not. How do i get the same results using ruby?
There must be something more to this. Perhaps the question needs refined. From what I can tell, you want to print a private key in PEM format. I'm not a ruby programmer but I got this working in about 3 minutes by reading the on ruby-docs.org:
$ cat ssl.rb
require 'openssl'
key = OpenSSL::PKey::RSA.new 2048
cipher = OpenSSL::Cipher.new 'AES-128-CBC'
pass_phrase = 'my secure pass phrase goes here'
key_secure = key.export cipher, pass_phrase
puts key_secure
Choose your cipher and your passphrase and voila, you have encrypted a key with a symmetric cipher:
$ ruby ssl.rb
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D8062F93C8854E593602D503E1FAC309
UsNQt/Bq7QBldOBU7NW6miCDuC+ODpeplaWQ9BvJW4Wg7j0AbKgMZAn7juegAbjG
JVkpdDNzhs37UVWmqwg64yYP6KEBGg4zCog2a993UHRvFTQb6tyugKHc+uFeyY+D
...
-----END RSA PRIVATE KEY-----
Is there something more you're trying to do?
--
EDIT: The Asker has clarified that the question is about which encryption is used by openssl pkcs12 when not using the -nodes option.
The -nodes option turns off DES encryption. This page shows that the default encryption for private key creation is triple DES, but I don't see the detail there about which DES option. This is also referred to in the manual for man pkcs12. In any case, it's not yet clear to me if you need to know exactly which cipher is used by openssl or if your question is now answered.
You can list ruby's available ciphers like this:
puts OpenSSL::Cipher.cipher
(as specified in the docs)
On my system, quite a few DES ciphers are available with varying parameters:
des
des-cbc
des-cfb
des-cfb1
des-cfb8
des-ecb
des-ede
des-ede-cbc
des-ede-cfb
des-ede-ofb
des-ede3
des-ede3-cbc
des-ede3-cfb
des-ede3-cfb1
des-ede3-cfb8
des-ede3-ofb
des-ofb
des3
desx
desx-cbc
I'm not sure if the PKCS12 spec says which DES cipher should be used or if openssl just has a default. Are you trying to figure out which DES cipher is used by OpenSSL?
I looked a bit further through the openssl wiki and I found references to DES in CBC mode, so I'm guessing that the cipher you are looking for is DES-EDE3-CBC.
Sorry, I guess it's still not completely clear exactly what question you're trying to answer. If what you're trying to do is to find out exactly how openssl is encoding the private key when you don't use -nodes you can see that by cating the file into openssl asn1parse. Maybe this helps: you can start with your rsa private key in plain text as you got it from your ruby program:
$ cat key.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpA....
-----END RSA PRIVATE KEY
$ cat key.pem | openssl asn1parse
0:d=0 hl=4 l=1188 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=4 l= 257 prim: INTEGER ...
You'll see that this is encoded as an ASN1 SEQUENCE of long integers.
But if you put your key through a roundtrip of pkcs12:
$ openssl pkcs12 -inkey key.pem -out key.pfx -export -nocerts -nodes
(choose a password)
$ openssl pkcs12 -in key.pfx -out outkey.pem -nodes
(enter password)
You'll find your key now wrapped in a new structure, which you can cat to asn1parse:
cat keyout.pem | openssl asn1parse
0:d=0 hl=4 l=1214 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=2 l= 13 cons: SEQUENCE
9:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
You now have an ASN1 rsaEncryption Object with a payload of a large octet string.
Is this what you were trying to learn about? How these values are encapsulated in ASN1?
I have created public private key pair for SSL connection using terminal in mac. I have used following commands to create private key and extracting public key from it:
# Create public-private key pair
openssl genrsa -out mykey.cer 1024
# Extract public key
openssl rsa -in mykey.cer -out public.pem -outform PEM -pubout
Now to use public key in my iPhone app I need to convert it to der format. But when I try to convert it with following command I am getting an error:
openssl x509 -in public.pem -outform der -out cert.der
**unable to load certificate
27928:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE**
I am using this link to create a SSL connection with server.
I believe the command to convert a public key from PEM to DER format is
openssl rsa -pubin -in public.pem -outform der -out cert.der
(your choice of output filename cert.der is misleading. It's a public key, not a certificate, public.der would be better)
Following procedure does not work,openssl at 4th step raises "No certificate matches private key". It works without -certfile parameter so is it really required? I saw same procedure at several places on the net. So is it really appropriate or am i doing something wrong?
Also OS X procedure only says to export certificate but should not it be both cert and pkey.
OpenSSL
Here is how to create a PKCS12 format file using open ssl, you will need your developer private key (which can be exported from the keychain) and the CertificateSigningRequest??.certSigningRequest
Convert apn_developer_identity.cer (der format) to pem: openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM
Next, Convert p12 private key to pem (requires the input of a minimum 4 char password): openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12
(Optional): If you want to remove password from the private key: openssl rsa -out private_key_noenc.pem -in private_key.pem
Take the certificate and the key (with or without password) and create a PKCS#12 format file: openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest??.certSigningRequest -name "apn_developer_identity" -out apn_developer_identity.p12
http://code.google.com/p/apns-sharp/wiki/HowToCreatePKCS12Certificate
I have a certificate and private key that I want to put together, in code, into a PKCS12 file with the OpenSSL library (libcrypto). I know how to do this via the command-line tool:
$ openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
$ openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
$ openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iphone_dev.p12
But how can I do it in code?
If you are willing to use C code in your objective-C code and you have OpenSSL library for iOS then you can do it.
You can use PKCS12_create function to create a PKCS12 structure and write it to file using i2d_PKCS12_bio function.
PKCS12_create takes the certificate, private key, passphrase, chain of CA certificates and other parameter.
It is explained in a pretty well manner in documentation.
I hope this will help you to start coding.
I am writing iOS Application. Server sends RSA public key to application. Now application has to encrypt some information using RSA algorithm
Kindly provide me some reference.
Thanks
iOS has no special API for RSA, but there are some APIs about Certificate. You can use these APIs to encrypt your data by RSA.
First, you must use openssl to generate your RSA private key and public key. The most important thing is that the public key must be signed. Here is a instruction to generate the keys.
openssl req -x509 -out public_key.der -outform der -new -newkey rsa:1024 -keyout private_key.pem -days 3650
However, if you already has a private key(.pem file), you can follow the instructions:
openssl req -new -out cert.csr -key private_key.pem
openssl x509 -req -in cert.csr -out public_key.der -outform der -signkey private_key.pem -days 3650
You can check the public_key.der by opening it in xcode.
When you get the correct public_key.der file, you can view the RSA.h and RSA.m here. I'm sorry that I have no time to rewrite this post by English again.
This Pod encapsulates the encryption: https://github.com/xjunior/XRSA
I don't know much about iOS but the Certificate, Key, and Trust Services Reference seems to be what you need. It appears the SecKeyEncrypt will be used by you at some point.