Add password to openssl .pem file from -password - encryption

I am generating a .pem file using openssl using the command:
openssl genrsa -aes256 -out ca.key.pem 4096
It is working great but when I do this:
openssl genrsa -aes256 -out ca.key.pem 4096 -password pass:abcd
It is still asking me for a password in the terminal and not automatically taking the supplied password.
I've tried generating certificates before and it works for them, e.g.:
openssl pkcs12 -name username -inkey cert/key.key -in abc.pem -export -out cert.p12 -password pass:abcd

You're very close to the goal! The key size must be the last parameter, and -password must be replaced with -passout:
openssl genrsa -aes256 -out ca.key.pem -passout pass:abcd 4096

Related

Openssl aes-256-cbc encryption

I am trying to perform a file encryption which is equal to the below command of openssl:
openssl aes-256-cbc -e -salt -pbkdf2 -iter 10000 -in geometry.json -out geometry.json.enc -pass pass:"password"
I am using the implementation 'not-yet-commons-ssl:not-yet-commons-ssl:0.3.13'
With the default values, after the file encryption the decryption from the openssl command line always throws the error below:
40B7B9B5F37F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
What do I need to pass to the openssl encrypt function?
Salt is used by default, so you don't need to use it explicitly. I would use a higher iteration number with pbkdf2, or in this case it would make more sense to use sha256 instead of pbkdf2. Also, there is no reason to use quotation marks around your password: pass:"password" should be pass:password unless the quotation marks are part of the password.
You could use this:
openssl aes-256-cbc -pass pass:password -in geometry.json -out geometry.json.enc -pbkdf2 -iter 100000
or this:
openssl aes-256-cbc -k password -in geometry.json -out geometry.json.enc -pbkdf2 -iter 100000
And if you want to use SHA-256 for password hashing then you could use this:
openssl aes-256-cbc -k password -in geometry.json -out geometry.json.enc -md sha256
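As an added example (not part of the question or answer above), the following reproduces the key/IV derivation that `openssl enc` performs for each of the command lines in the answer, so that a library on the other side (such as the Java one in the question) can be checked against it byte for byte. It assumes the digest defaults to sha256 (OpenSSL 1.1.0 and later) and uses a constructed container rather than real ciphertext.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

MAGIC = b"Salted__"  # 8-byte header `openssl enc` writes when -salt is in effect (the default)


@dataclass
class EncParams:
    salt: bytes
    key: bytes   # 32 bytes for aes-256-cbc
    iv: bytes    # 16 bytes for aes-256-cbc
    body: bytes  # the CBC ciphertext that follows the 16-byte header


def split_salted_header(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from an `openssl enc` output blob."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSL 'Salted__' container")
    return blob[8:16], blob[16:]


def kdf_pbkdf2(password: bytes, salt: bytes, iterations: int, md: str = "sha256") -> Tuple[bytes, bytes]:
    """Key/IV as `openssl enc -pbkdf2 -iter N [-md sha256]` derives them:
    one PBKDF2-HMAC call for 48 bytes; the first 32 are the key, the last 16 the IV."""
    material = hashlib.pbkdf2_hmac(md, password, salt, iterations, dklen=48)
    return material[:32], material[32:48]


def kdf_evp_bytes_to_key(password: bytes, salt: bytes, md: str = "sha256") -> Tuple[bytes, bytes]:
    """Key/IV as `openssl enc -md sha256` derives them WITHOUT -pbkdf2 (EVP_BytesToKey, count=1):
    D1 = H(pass||salt), Di = H(D(i-1)||pass||salt), concatenated until 48 bytes are available."""
    material, prev = b"", b""
    while len(material) < 48:
        prev = hashlib.new(md, prev + password + salt).digest()
        material += prev
    return material[:32], material[32:48]


def derive_for_blob(blob: bytes, password: bytes, iterations: Optional[int]) -> EncParams:
    """iterations=None mirrors a command line without -pbkdf2 (legacy derivation)."""
    salt, body = split_salted_header(blob)
    key, iv = kdf_pbkdf2(password, salt, iterations) if iterations else kdf_evp_bytes_to_key(password, salt)
    return EncParams(salt, key, iv, body)


# Constructed sample: a fake container with salt 00..07 followed by one zero ciphertext block.
SAMPLE_BLOB = MAGIC + bytes(range(8)) + bytes(16)

if __name__ == "__main__":
    for label, iters in (("-pbkdf2 -iter 100000", 100000), ("-md sha256, no -pbkdf2", None)):
        p = derive_for_blob(SAMPLE_BLOB, b"password", iters)
        print(f"{label:24s} key={p.key.hex()} iv={p.iv.hex()}")
```

A "bad decrypt" from the command line almost always means the key/IV pair the other side used differs from the one printed here for the same salt and password.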

memory buffer routines:BUF_MEM_grow_clean:malloc while decrypt files bigger than 1.5 GB

I have a basic script that backs up, compresses and encrypts a MySQL dump:
mysqldump --events --routines --triggers --add-drop-database \
--compress --hex-blob --opt --skip-comments --single-transaction \
my-database | \
xz -c | \
/usr/bin/openssl smime \
-encrypt \
-aes256 \
-binary \
-out /mnt/test.sql.xz.enc \
-outform DER /path/to/cert.pem
To encrypt basically this command is used:
openssl smime -encrypt -aes256 -binary -out test.sql.xz.enc -outform DER cert.pem
To decrypt normally I use:
openssl smime -decrypt -in test.sql.xz.enc -binary -inform DER -inkey private.key -out sql.xz
Over time this has worked both ways, encrypting and decrypting, but now that the compressed data has grown to more than 1.5GB I am getting this error while decrypting:
Error reading S/MIME message
34380825992:error:07069041:memory buffer
routines:BUF_MEM_grow_clean:malloc failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/buffer/buffer.c:150:
34380825992:error:0D06B041:asn1 encoding routines:ASN1_D2I_READ_BIO:malloc failure:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_d2i_fp.c:239:
I have moved the file to a bigger instance (4 cores, 8GB RAM) but still have the issue.
Therefore I am wondering if there is a size limit when encrypting using the smime option, and what options could be used to encrypt/decrypt files in the order of gigabytes.
For now, I am testing with the option -stream, which seems to be working:
openssl smime -encrypt -aes256 -stream -binary -out test.sql.xz.enc -outform DER cert.pem
but don't know what will be the limit, so any possible alternatives or ideas are more than welcome.

OpenSSL, decrypting with a private key

Okay, so I have a text file named Kryptert that is encrypted.
A key file named private with the private key. I want the output to be in a text file named Klartext.
I am about to rip my hair out, because I cannot seem to figure this out.
openssl rsautl -decrypt -inkey C:\private.key -in C:\Kryptert.txt -out C:\Klartext.txt
The command above is what I use, and I get the following output in the CMD window:
C:\Users\Marco>openssl rsautl -decrypt -inkey C:\private.key -in C:\Kryptert.txt -out C:\Klartext.txt
Loading 'screen' into random state - done
RSA operation error
8560:error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:.\crypto\rsa\rsa_pk1.c:190:
8560:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:592:
Anyone able to help me understand what is wrong, and how I could fix it? Thank you.
Here you have the commands you need to encrypt or decrypt using openssl:
Decrypt:
$ openssl rsautl -decrypt -in $ENCRYPTED -out $PLAINTEXT -inkey keys/privkey.pem
Encrypt:
$ openssl rsautl -encrypt -in $PLAINTEXT -out $PLAINTEXT.encrypt -pubin -inkey keys/pubkey.pem
Hope this helps! :)
For encryption:
openssl rsautl -encrypt -in /path/to/your/file -out /path/to/your/encrypted -pubin -inkey /path/to/your/public_key.pem
For decryption:
openssl rsautl -decrypt -in /path/to/your/encrypted -out /path/where/you/want/your/decrypted.txt -inkey /path/to/your/private_key.pem
Note: If you get this decryption error: RSA_EAY_PRIVATE_DECRYPT:data greater than mod len, try this command before decrypting your file:
cat yourEncryptedFile | base64 -D > yourEncryptedRawFile
More information here

import encrypted private key to jks

I need to use an SSL (2-way handshake) socket for connections in my project.
So to create the keys, I used openssl with these commands:
for server :
req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout a_private.key -out a_certificate.cert
rsa -in a_private.key -des3 -out a_private_des.key
rsa -in a_private_des.key -pubout -out a_pub.key
for client :
req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout b_private.key -out b_certificate.cert
rsa -in b_private.key -des3 -out b_private_des.key
rsa -in b_private_des.key -pubout -out b_pub.key
To import into a JKS file I used keytool:
keytool -import -alias a_private -file a_private_des.key -keystore a.jks
keytool error: java.lang.Exception: Input not an X.509 certificate
After that, I made a DER file with this command:
pkcs8 -topk8 -in a_private_des.key -out a_private_des.der -outform DER
and retried importing the key into the JKS file:
keytool -import -alias a_private -file a_private_des.der -keystore a.jks
keytool error: java.lang.Exception: Input not an X.509 certificate
and I get the same exception with b_pub.key.
How can I import an encrypted private key and a public key into a JKS file?
Thanks a lot.
To import a key pair (key and cert) into a java keystore, you first need to create a p12 file. Whilst the question is "import encrypted private key to jks", I don't actually believe the key in question is encrypted as the "nodes" option is used.
So to import a key and cert into a JKS, use:
# create p12
openssl pkcs12 -export \
-name a_private \
-out a_private.p12 \
-inkey a_private.key \
-in a_certificate.cert \
-passin "pass:changeit" \
-passout "pass:changeit"
# create jks
keytool -v -importkeystore -deststoretype pkcs12 -destkeystore \
"a.jks" \
-srckeystore "a_private.p12" -srcstoretype pkcs12 \
-alias "a_private" -srcstorepass "changeit" \
-deststorepass "changeit" -destkeypass "changeit"
Actually change the password "changeit" as well.
I believe the -import option only lets you import certificates, not keys. Looking at this post, it seems you may have to write some kind of workaround.

Buffer overflow OpenSSL Encryption/Decryption problems

I am currently trying to use OpenSSL to encrypt and decrypt a file, using (encrypt):
openssl rsautl -encrypt -pubin -inkey public.pem -in plaintext.txt -out encyrptiontext.txt
and for the decrypting I am using:
openssl rsautl -decrypt -inkey private.pem -in encyrptiontext.txt
The keys have been generated from the same file, though when I try and decrypt a single line I receive this error:
8952:error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:.\crypto\rsa\rsa_pk1.c:190:
8952:error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:.\crypto\rsa\rsa_eay.c:592:
I am not sure why I am getting this as they are using the default settings and the keys have been generated from the same generator.