I am trying to decrypt a message using a private key with openssl. My implementation works fine when i use the private key in the following format
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDDEOX/tFJZrgR0dtTN2/jgPAJjWKE68aw8ayYaGn9fo1sJAE3C
uH6Ym3hu775Enfd5DhtJ38g8RCFLzGVP/LW6n4+LsKS5HRZTGcDkpME0sVoLHLZd
w8z4xZe5h+lT0jwkap5BNyHJCSddipxzjQIEtW+w8V6BkKkFw6UYN1Xn5QIDAQAB
AoGAUeS0Ssfvksrl/+crrElfkPRgpEi/V7nCb5Mkae0Z8JLqUzsXalp+e585zolE
PhZ7oQz1E+ypafPIbsQe/JfByx3itUk7J8+bZO4TpE8n5Afz8EdZLIqJU11MoafH
mWYYWsoMdymgxasuu0ygyeswP42/aw1M+qQgoWBSoPtgLrkCQQDsygWQRI868JKJ
OXzeKV6HTKjGXg37Zm050UaPk2a8inGk6F5RqH1+IZ4istrlcJTpJTuQCsVHJ+SQ
nLveL09vAkEA0uRPeSdXbi92AR/5fj2Xh2APerYjRgK11nh4QEiqbmKyNdW7r9zb
tIQiL9f4AXvcwIVnSWVgiTCwWOa9w8lT6wJBAOMlWPjwC8YqiSeCMjqbzMZVz4Gb
MCZ+N0FDdEC+0csDs8jR78i9rMSWUzBOCpYWzYJp6R1gd6auqh/feojFMZkCQQCO
Gkly2Y+QL2rUVzdGWTpBffjwNsqN4kWkvohIyK4Os3Jh1CMj3S4t9NsUYfI7Dbsx
/rIaQrVJvAUX4mL8Ci0BAkEAuAZBSTmd7MQybVlWCP1AVvlMyW1CV/Mts4tLsGO5
NRMuXY0CrQaO69MW4nuHCSmshBcNB7ahGxYYYMaHmem3QQ
-----END RSA PRIVATE KEY-----
When I try with the same key without the encapsullation headers (-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----) it is failing.
Does these headers are mandatory for the keys?
If I want to use the key without headers which API of OpenSSL should i use?
The type of the key format is defined by the header and footer of the PEM encoded key. Internally it is just a PKCS#1 private key. For more information about the format you can look at this Q/A or the ASN.1 decoded key here.
So although all the information is in the base 64 encoding in the middle implementations may not directly be able to parse it, mainly because the type of the structure is not known.
You can however base 64 decode it and use it as a key within OpenSSL. You may need to specify -inform DER or something similar in that case.
Related
I created PGP key pair and I exported private and public key files. I know that files are fine because I was able to encrypt/decrypt files in GpgFrontend app using these keys. I was also able to do the same using Bouncy Castle library in C#.
Two questions:
1: In Kleopatra, I can't encrypt file with Public Key only. For some reason it doesn't work. Option is not available. To be able to encrypt/decrypt I have to load Private key. What is it that I am missing?
2: I am confused with encrypted data. When I open encrypted PGP file, data looks something like this:
…F†u—PEÛ Ù×´‡Ó"gÆx=ÑoãÝSŒ6M)!ÑÙ×g|;ä #+Pa,²TDV„ëùqá²*”—}×±dCÐÊsf^:Š†7¶LØnš{‹‰ždºV°G(¸7Rd ôUµD#9ÖÕ÷ü Ý dëE¶-ýû¾/khØÇ~Zˆ0:±ðU5É¥žÇé¯7M Ôà}Ò:ÕÈàÒ€snœ‘èÁq§ÀJ®zU’èDc%ߘ–yí|걫M„ð™=Üæ0ß| 5|¾ªô Åíú_lªkó‰Ùª>/–þ€ÈðkvÖwãz9Y±ŠÜW½ìFÍþ{ãFÔS fýâÚÐpá
8Z_.eÄŽÂU)õœ-•êSQÁ\¼—? ¥ã¢O¯J•ÔÖ D;<kÔPÚ.8ÀKƒNÒ€3túø°ÒºA¼ ‡KèÁ›X
but, when I use Notepad option in Kleopatra (or in GpgFrontend), and when I encrypt some text, encrypted data looks like this:
-----BEGIN PGP MESSAGE-----
hF4D1F0XuQWmdMYSAQdAJaVSF+2pME685EMW2M/xDKPKE6BxJiSYSgP06GGKUVgw
P+7Y91/iMOHz2dB4K2clkjgLbWXvy+DRlkBKXGzs7lSK6c3+HFv1L+EIj+mm+dni
1MAGAQkCEP6UbLZfq+aFWK3Fs4H7j05XYdovJvZv9GKEBQCbGT4PjB1ZrxkC+VfO
ybB5R6cWJMdo1mdUg05KAAfSinOM/19gXBrh2pwO/snX/bK7M1iA+qi0rYcGl7Lu
ijHm6PA1c8LBMKFz7Xc6lcA5CtsLTseHHHGEtQCt6Hd/z0EvQUA0FdiYKcieX/lA
W8y0V+Xjao86VmRNYVryx6pRmbq5+vN7H/9hnDNUxgzxVb/yQ90FePzDK73V/bsT
Im2MNTma9ruB
=j0ZY
-----END PGP MESSAGE-----
Why does encrypted data look different?
Thank you
While signing up for the IRS E-services they are requesting a JSON Web Key (JWK). they want the following fields in the JWK
kid, kty, use, n, e, x5t, x5c.
The "kty" field should be equal to "RSA".
In this answer it is shown how to generate the keys but I cannot find out how to generate an x5c key.
x5c is fairly simple. you need to remove -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- from the Self-Signed Certificate generated from mkjwk.org
OR
you can use the PHP script: https://control7.net/JWK/generate.php
paste your Public and Private Keypair and Self-Signed Certificate into the textbox and click Go
I have a public key as:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-------_mixed 009J33F94539089U_--
I don't understand what "--mixed 009J33F94539089U--" in the end is, and what it's purpose is.
This key is supposed to be used for creation of encrypted JWT, which is to be sent as payload to hit an API. I used this website to create encrypted JWT, but API hit fails when I use this generated encrypted JWT. But I had to remove this "--mixed 009J33F94539089U--" from my key while entering in the aforementioned website for the creation of encrypted JWT to be successful.
I am wondering if generating encrypted JWT without using this "--mixed 009J33F94539089U--" and using it as payload is causing the API hit to fail. What do I do about this?
[NOTE : The key I mentioned above isn't my actual key.]
To compute the Client Key Exchange message, what method are we meant to use to encrypt the pre master secret with the server`s public key?
-----BEGIN CERTIFICATE-----
`MII423hasdhashdfxzcvbvwe1209khndasAQWRENWA............
*lots of extra contents*
-----END CERTIFICATE-----
My PreMaster Secret in SHA384(#########################) = random contents
The client key exchange will be the value of *converted value of random contents of SHA384
using ASN1 decoder or is it the .pem that needs to be converted to get client key exchange?
I created a pair of public/private RSA keys by using Elite EL SDK Basic v3.3.2.0 tool. (You can find it here under resources tab. It's free)
Now, I want to check correctness of these pair of RSA keys. As far as I know, I can crate a public key from the private key using the below command, and then compare two public keys if are equal or not(the previous public key and this new publiv key) :
> openssl rsa -in <MyPrivateKey> -out <AnAddressForOutput> -pubout
First of all I convert the format of my private key to base64, using this online tool.
Then I run above command command, but I receive the below error :
I took a look at the private.txt , and this is its contents :
8kP5IpV/oROe6Sb8q5GypqmDCJToHlc2Xbi/sui6/VHu4kaD9pZNJlwP0HVTjyMuQLySzDhPtP8n
xlZeG6jZZPxCMc7na0M+O67z0p5AKoxjELkp4ajiVdjTp0oAYFdkRM782ThA5Hvh+rnt6n++RCZx
HMqa+/dzgG/ONUbI/EMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAc2koT+YAyRpkUR70ZKZNDqAPTf1nirTANUBU8e8
Aa2x9MKh9LZF0usyzkG2td0UkdhluX4cdpw+0jZrbaqw4wZMxpWFyJtzMQtz5lAP0+V8CjR4NIRE
1NPl3ofIqOL9OVp5lW7FkuRwrdhBPhvcmRPpZDZwbBPd1LJ/G/dl0r9B+nn+reo8eKg9XZuk49/c
/w3Gnv2mwMjc/x5wrZ6t48N5xOsZ4oEbAaO0UiUyolEoso4jdp0zrI64cDiXcV3LMfebn/9SRjJ7
3HsQ1PxSFiC9kukafhGcuOLmfclbW3xXpyi8grcIkc529x65QptitGpcOUzDmsybiXXZdFXWObM8
qFSLy4Dve1a5F5s78Be10KE8GZNLdplGUxnYgef8k3cmwASZvMhMgleF2SpE8sCXVSKzc+hyrnFu
A9ZxBtTRw6xxmWUcYmLtzzdzCV+ZaxBFW/96p1Jx7aX2u7x9pNrkF9Y5eonEKCRtkBMZpxAuwWrW
QWrHF3DHBaHuRLNB7z5m+wO716SESJh0TpJA6zBULFkRmG+2F7sHY8hAKgrBvw64iYT8ZkOL4QLT
P0j+qLwh7NCCdj5l8AS7jsN33SU=
As far as I know, every public/private key must have two below lines :
-----BEGIN RSA PRIVATE KEY-----
Private key data
-----END RSA PRIVATE KEY-----
And
-----BEGIN RSA PUBLIC KEY-----
Private key data
-----END RSA PUBLIC KEY-----
Does that mean my tool (Elite EL SDK Basic) doesn't work right? Or I am wrong in one of the above steps?
FYI : This is base64 view of the public key generated with Elite EL SDK Basic :
8kP5IpV/oROe6Sb8q5GypqmDCJToHlc2Xbi/sui6/VHu4kaD9pZNJlwP0HVTjyMuQLySzDhPtP8n
xlZeG6jZZPxCMc7na0M+O67z0p5AKoxjELkp4ajiVdjTp0oAYFdkRM782ThA5Hvh+rnt6n++RCZx
HMqa+/dzgG/ONUbI/EMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAQ==
Your key is in a proprietary format. The format is pretty simple though:
1024 bit modulus (always starting with the high bit set
1024 bit public exponent (easily recognized by the leading zero's followed by the fourth number of Fermat, 65537 in binary)
1024 bit private exponent (large number lower than the modulus)
the 5 CRT parameters, all in 512 bit encodings
OpenSSL does not read these kind of private keys. You need to verify your key another way, or create a OpenSSL compatible key from it.
Teaser using your key from import java.security.spec.RSAPrivateCrtKeySpec and import org.bouncycastle.openssl.jcajce.JcaPEMWriter:
$ openssl rsa -check -in somekey.pkcs8.pem
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDyQ/kilX+hE57pJvyrkbKmqYMIlOgeVzZduL+y6Lr9Ue7iRoP2
lk0mXA/QdVOPIy5AvJLMOE+0/yfGVl4bqNlk/EIxzudrQz47rvPSnkAqjGMQuSnh
qOJV2NOnSgBgV2REzvzZOEDke+H6ue3qf75EJnEcypr793OAb841Rsj8QwIDAQAB
AoGBAM2koT+YAyRpkUR70ZKZNDqAPTf1nirTANUBU8e8Aa2x9MKh9LZF0usyzkG2
td0UkdhluX4cdpw+0jZrbaqw4wZMxpWFyJtzMQtz5lAP0+V8CjR4NIRE1NPl3ofI
qOL9OVp5lW7FkuRwrdhBPhvcmRPpZDZwbBPd1LJ/G/dl0r9BAkEA+nn+reo8eKg9
XZuk49/c/w3Gnv2mwMjc/x5wrZ6t48N5xOsZ4oEbAaO0UiUyolEoso4jdp0zrI64
cDiXcV3LMQJBAPebn/9SRjJ73HsQ1PxSFiC9kukafhGcuOLmfclbW3xXpyi8grcI
kc529x65QptitGpcOUzDmsybiXXZdFXWObMCQDyoVIvLgO97VrkXmzvwF7XQoTwZ
k0t2mUZTGdiB5/yTdybABJm8yEyCV4XZKkTywJdVIrNz6HKucW4D1nEG1NECQQDD
rHGZZRxiYu3PN3MJX5lrEEVb/3qnUnHtpfa7vH2k2uQX1jl6icQoJG2QExmnEC7B
atZBascXcMcFoe5Es0HvAkA+ZvsDu9ekhEiYdE6SQOswVCxZEZhvthe7B2PIQCoK
wb8OuImE/GZDi+EC0z9I/qi8IezQgnY+ZfAEu47Dd90l
-----END RSA PRIVATE KEY-----
To test a private key in PKCS#8 format, the best way to go about this is to use -inform DER instead of converting to base 64.
Base64 is only part of the PEM format. It can requires the headers to be present as well. Sometimes the keys can be concatenated as well. You need to add the headers yourself if you want to verify the private key using PEM.
Also note that OpenSSL already has conversion routines and base64 encoding build in, even on the command line.
As a side note, I don't understand why you want to check the correctness of the output of one single program. If you really want to test correctness, you could think of performing a sign/verify or encrypt/decrypt using the public and private key.