I generated a public/private key pair using the following commands:
openssl ecparam -genkey -name secp256k1 -noout -out private.pem
openssl ec -in private.pem -text -noout
This generates the following result (don't worry, private key is for testing and not used anywhere)
read EC key
Private-Key: (256 bit)
priv:
4c:b2:38:08:ab:d7:95:eb:38:20:7c:a8:cd:7d:d7:
64:41:17:12:26:d4:77:ce:b7:f8:12:05:15:9e:d2:
dc:0b
pub:
04:ef:01:0e:e3:28:49:e3:ef:bc:52:a7:c6:c5:5d:
96:3c:3e:7c:3f:f9:9b:65:c8:69:76:59:54:16:c2:
31:9c:70:bc:2b:07:a9:fe:c9:26:ed:00:78:72:11:
e1:fb:99:bc:ab:ea:1c:d4:d2:2c:27:a1:06:81:52:
bf:5c:9d:ec:62
The public key is 65 bytes.
Next I export the public key in Base64 format
openssl ec -in private.pem -pubout -out ec-pub.pem
This generates the following file:
-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE7wEO4yhJ4++8UqfGxV2WPD58P/mbZchp
dllUFsIxnHC8Kwep/skm7QB4chHh+5m8q+oc1NIsJ6EGgVK/XJ3sYg==
-----END PUBLIC KEY-----
However, if I do a base64 decode of the above key, the result is 88 bytes.
Passing these 88 bytes to P256.Signing.PublicKey(rawRepresentation: data) results in the following error:
CryptoKit.CryptoKitError.incorrectParameterSize
This however, works:
let data = Array<UInt8>(arrayLiteral: 04,0xef,0x01,0x0e,0xe3,0x28,0x49,0xe3,0xef,0xbc,0x52,0xa7,0xc6,0xc5,0x5d,0x96,0x3c,0x3e,0x7c,0x3f,0xf9,0x9b,0x65,0xc8,0x69,0x76,0x59,0x54,0x16,0xc2,0x31,0x9c,0x70,0xbc,0x2b,0x07,0xa9,0xfe,0xc9,0x26,0xed,0x00,0x78,0x72,0x11,0xe1,0xfb,0x99,0xbc,0xab,0xea,0x1c,0xd4,0xd2,0x2c,0x27,0xa1,0x06,0x81,0x52,0xbf,0x5c,0x9d,0xec,0x62)
let key = try P256.Signing.PublicKey(x963Representation: data)
Any idea what I need to do to get this working?
Thanks!
Passing these 88 bytes to P256.Signing.PublicKey(rawRepresentation: data) results in the following error:
There is a PEM prefix, the raw key is at the end, so use instead
P256.Signing.PublicKey(rawRepresentation: data.suffix(65))
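The 88 bytes are a DER SubjectPublicKeyInfo: a 23-byte header that names the algorithm and curve, followed by the 65-byte point. The added example below (not code from the original posts; `parse_ec_spki` and `ec_point_for` are hypothetical helper names) decodes the key from the question and returns the point only when the curve OID in the header matches the curve the caller expects. For this key the header carries 1.3.132.0.10 (secp256k1, as requested by `-name secp256k1`), which is not the P-256 OID.

```ruby
require 'openssl'

# Body of ec-pub.pem from the question (base64 between the BEGIN/END lines).
SPKI_B64 = 'MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE7wEO4yhJ4++8UqfGxV2WPD58P/mbZchp' \
           'dllUFsIxnHC8Kwep/skm7QB4chHh+5m8q+oc1NIsJ6EGgVK/XJ3sYg=='

EC_PUBLIC_KEY_OID = '1.2.840.10045.2.1'   # id-ecPublicKey
P256_OID          = '1.2.840.10045.3.1.7' # prime256v1 / NIST P-256
SECP256K1_OID     = '1.3.132.0.10'        # secp256k1

# Decode the base64 body into the 88-byte DER structure.
def question_key_der
  SPKI_B64.unpack1('m')
end

# Split a DER SubjectPublicKeyInfo into its curve OID and EC point.
def parse_ec_spki(der)
  spki = OpenSSL::ASN1.decode(der)
  algorithm, bit_string = spki.value
  alg_oid, curve = algorithm.value
  raise ArgumentError, 'not an EC public key' unless alg_oid.oid == EC_PUBLIC_KEY_OID
  raise ArgumentError, 'named curve expected' unless curve.is_a?(OpenSSL::ASN1::ObjectId)
  { curve: curve.oid, point: bit_string.value }
end

# Return the X9.63 point (0x04 || X || Y) only if the key is on the expected curve.
def ec_point_for(der, expected_curve_oid)
  info = parse_ec_spki(der)
  unless info[:curve] == expected_curve_oid
    raise ArgumentError, "curve #{info[:curve]} does not match #{expected_curve_oid}"
  end
  info[:point]
end

if __FILE__ == $PROGRAM_NAME
  info = parse_ec_spki(question_key_der)
  puts "curve OID: #{info[:curve]}"
  puts "point:     #{info[:point].bytesize} bytes, starts #{info[:point].unpack1('H*')[0, 10]}"
end
```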
I've got a docker that's perpetually in the RESTARTING status if an entrypoint.sh is run.
Checking docker logs, I see many repeats of these 2 chunks of error:
e is 65537 (0x010001)
140680312165760:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:765:You must type in 4 to 1023 characters
140680312165760:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:765:You must type in 4 to 1023 characters
140680312165760:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:../crypto/pem/pem_lib.c:330:
Generating RSA private key, 2048 bit long modulus
and
e is 65537 (0x010001)
unable to load Private Key
139751600240000:error:28069065:UI routines:UI_set_result:result too small:../crypto/ui/ui_lib.c:765:You must type in 4 to 1023 characters
139751600240000:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
139751600240000:error:0906A065:PEM routines:PEM_do_header:bad decrypt:../crypto/pem/pem_lib.c:439:
Generating RSA private key, 2048 bit long modulus
My entrypoint.sh has this snippet regarding encryption:
openssl genrsa -des3 -passout pass:x -out /etc/apache2/ssl/pass.key 2048
openssl rsa -passin pass:x -in /etc/apache2/ssl/pass.key -out /etc/apache2/ssl/server.key
cat /tmp/ssl-info.txt | openssl req -new -key /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.csr
openssl x509 -req -days 365 -in /etc/apache2/ssl/server.csr -signkey /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt
This is a project I've taken over so I'm not fully familiar with this snippet, which is far more verbose than what I typically use to generate and use rsa keys, like in this possibly related thread.
Can anyone please shed some insight into how this error can be solved?
I believe it's an issue with pass:x in line 1, x being only 1 character long.
pass:gsahdg etc. should work (gsahdg is a random string).
What is the difference between a CSR created from Linux openssl vs. the Ruby OpenSSL library:
openssl req -out mytest.csr -new -newkey rsa:2048 -nodes -keyout
mytest.
The public key created from above looks something like this:
-----BEGIN CERTIFICATE REQUEST-----\nMIIC2jCCAcICAQAwgZQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEWMBQGA1UE\nBwwNU2lsdmVyIFNwcmluZzELMAkGA1UECgwCTUwxCzAJBgNVBAsMAkVTMR8wHQYD\nVQQDDBZtc2NsaWVudDI4LnNhbXRlc3QuY29tMSUwIwYJKoZIhvcNAQkBFhZtc2Ns\naWVudDI4QHNhbXRlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAvMJwLZp9w/YPZz31+ZyozD5S3Xb1Jjtdx0VBUrRuDKi4y+XRlzOeHHvRiSZJ\nVMI2LLLta0Zel4ULK4vSoP2OH5ezQbAGUslxePupFFulPZUJJrNLVZJ/9jNOgKoI\n6tu+8TGP2UivOGfW5OQFYLFLZJad/PP7IoAOoYB79lqnE/+3/vjys5eHL6dOZ/0I\nmUj8G5jw1thZlOQpA4Es2Xoxnvkr1kiJpoa+4s8L6kX2PLRCoWmP1ZqQ1pi3oHoP\n6kLo/qQ2KiIrPcrDGi5aGtKkCrj64JAS4IIcLiBvI+KXNCzaB6f2I7ChBEkA8iEU\nSe2LqqSs0eumBFH0HwE4uvwOWQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAJZI\niySQfZpFYL7SZWWvUxdHPxmwrw3PdcPSAJZQImoMNCSFC0kCtIzl+LleZN8/WzkV\nQ2Ps6cg3+bSWrJ+gA6EjcA4X8oGHN545snaOUf/ZRXf0mKbtu+U3asTiaE8Dz8P6\n5gz81GaA+ZDmjwk7ezrz6+gED439M5sot5yaeH8EfD5c49y0hOP9gg1VDJMNiwsf\nVARrIu+eHCPi2PXzBXZTPdivzn3cZQU0vsu91DzuHHXzCQv5wYE/iVh5lyWjLeFS\nFg5m4mLOtjKRzPeCpldkGkFRssvOoBOixZHPainzUHKk7eVNggXPjgFa4fk3uPp0\nWUftUDM5l7ANFqv5ii0=\n-----END
CERTIFICATE REQUEST-----
However, when I try to create it from Ruby's OpenSSL library:
irb(main):004:0> private_key = OpenSSL::PKey::RSA.new 2048
irb(main):005:0> private_key.public_key.to_pem
=> "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAqDaG8Je5YY2kXM6w/a7uiTTAsJd1JwkP7w44licoYxn7N+sYuv3K\n2iFAfumP3NEWueeRcCPSiGD3BpCKwxo4tch9uOFGOuaWYiK9XC7OOZV755+hix0S\nWph45bwiOSQX0Jr6SB6T7RBXxAF7RFdMVfo4AyZkakVaMxr0lVO8E7RqO6WaeYV2\ne6GYU2BPy60U7iXVK+15RGMQIWaiUt5iCGzJqBn+IE1GQJpytbRg7melx4e6zPQf\n5Aa4Wufm7SFEVMJ5/rzTALOZa5VWlPRhb7luxYXXLDqckB8/6Bok6kpu5qkJjHHz\nwRabh7u8Vy6cRuz+Df7LTsRuamkZLG8KXQIDAQAB\n-----END
RSA PUBLIC KEY-----\n"
The above public key is much smaller.
What is different between the 2?
How can I make Ruby's OpenSSL generate a CSR and private key like Linux openssl?
Looking at your other question as well, it appears that your fundamental misunderstanding is that you think that a CSR is a public key. A CSR does indeed contain a public key, but it includes additional data (e.g. subject and signature) and is a distinct type of object.
You started off right with creating the RSA key pair, but you then have to generate the CSR. You can do it like this:
require 'openssl'
# Create public/private key pair.
key = OpenSSL::PKey::RSA.new 2048
print key.to_pem()
print key.public_key.to_pem()
# Create CSR.
request = OpenSSL::X509::Request.new
request.subject = OpenSSL::X509::Name.parse '/C=US/CN=foobar'
request.public_key = key.public_key
request.sign(key, OpenSSL::Digest::SHA256.new)
print request.to_pem()
Note that Ruby can't prompt you for the subject fields, so you have to specify them via the API.
I have created a public/private key pair for an SSL connection using the terminal on a Mac. I used the following commands to create the private key and extract the public key from it:
# Create public-private key pair
openssl genrsa -out mykey.cer 1024
# Extract public key
openssl rsa -in mykey.cer -out public.pem -outform PEM -pubout
Now, to use the public key in my iPhone app, I need to convert it to DER format. But when I try to convert it with the following command, I get an error:
openssl x509 -in public.pem -outform der -out cert.der
unable to load certificate
27928:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
I am using this link to create a SSL connection with server.
I believe the command to convert a public key from PEM to DER format is
openssl rsa -pubin -in public.pem -outform der -out cert.der
(Your choice of output filename cert.der is misleading. It's a public key, not a certificate; public.der would be better.)
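Both this thread and the CSR question above come down to which object a PEM file carries, and the BEGIN label says so. The added example below (not code from the original posts; `pem_to_der`, `certificate?`, `demo_pem_kinds` and the subject `example.test` are hypothetical) reads the label, loads the file with the matching parser and converts it to DER, and shows that a public key PEM does not load as a certificate.

```ruby
require 'openssl'

# PEM label => [kind, loader]. Both public key encodings are accepted.
PEM_KINDS = {
  'CERTIFICATE'         => [:certificate, ->(pem) { OpenSSL::X509::Certificate.new(pem) }],
  'CERTIFICATE REQUEST' => [:csr,         ->(pem) { OpenSSL::X509::Request.new(pem) }],
  'PUBLIC KEY'          => [:public_key,  ->(pem) { OpenSSL::PKey.read(pem) }],
  'RSA PUBLIC KEY'      => [:public_key,  ->(pem) { OpenSSL::PKey::RSA.new(pem) }]
}.freeze

# Identify the object by its PEM label and return [kind, DER bytes].
def pem_to_der(pem)
  label = pem[/-----BEGIN ([A-Z0-9 ]+)-----/, 1]
  kind, loader = PEM_KINDS.fetch(label) do
    raise ArgumentError, "unsupported PEM label: #{label.inspect}"
  end
  [kind, loader.call(pem).to_der]
end

# True only if the PEM parses as an X.509 certificate.
def certificate?(pem)
  OpenSSL::X509::Certificate.new(pem)
  true
rescue OpenSSL::X509::CertificateError
  false
end

# Constructed sample data: a throwaway key and a CSR built from it.
def demo_pem_kinds
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse('/C=US/CN=example.test')
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  pub_pem = key.public_key.to_pem
  { pub_pem: pub_pem, public_key: pem_to_der(pub_pem), csr: pem_to_der(csr.to_pem) }
end

if __FILE__ == $PROGRAM_NAME
  out = demo_pem_kinds
  puts "public key DER: #{out[:public_key][1].bytesize} bytes"
  puts "CSR DER:        #{out[:csr][1].bytesize} bytes"
  puts "public key loads as certificate? #{certificate?(out[:pub_pem])}"
end
```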
The following procedure does not work; openssl at the 4th step raises "No certificate matches private key". It works without the -certfile parameter, so is it really required? I saw the same procedure at several places on the net. So is it really appropriate, or am I doing something wrong?
Also, the OS X procedure only says to export the certificate, but shouldn't it be both cert and pkey?
OpenSSL
Here is how to create a PKCS12 format file using open ssl, you will need your developer private key (which can be exported from the keychain) and the CertificateSigningRequest??.certSigningRequest
Convert apn_developer_identity.cer (der format) to pem: openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM
Next, Convert p12 private key to pem (requires the input of a minimum 4 char password): openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12
(Optional): If you want to remove password from the private key: openssl rsa -out private_key_noenc.pem -in private_key.pem
Take the certificate and the key (with or without password) and create a PKCS#12 format file: openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest??.certSigningRequest -name "apn_developer_identity" -out apn_developer_identity.p12
http://code.google.com/p/apns-sharp/wiki/HowToCreatePKCS12Certificate