I am used to generate keys with OpenSSL via shell, this way:
my $ssk="a29bRwoA73xZGeBc";
openssl req -new -newkey rsa:2048 -nodes -keyout "/etc/ssl/$ssk.key" -out "/etc/ssl/$ssk.csr"
openssl x509 -req -days 365 -in "/etc/ssl/$ssk.csr" -signkey "/etc/ssl/$ssk.key" -out "/etc/ssl/$ssk.crt"
Now I need to perform this action via PERL, but I have no idea if the below code can at least implement the 1st line:
my $ssk="a29bRwoA73xZGeBc";
# I didn't use Crypt::OpenSSL::Random, as I didn't found where it comes to action
use Crypt::OpenSSL::RSA;
my $rsa=Crypt::OpenSSL::RSA->generate_key(2048);
my $rsa_pub=Crypt::OpenSSL::RSA->new_public_key($rsa->get_public_key_x509_string());
my $rsa_prv=Crypt::OpenSSL::RSA->new_private_key($rsa->get_private_key_string());
my $cipher=$rsa->encrypt($rsa_pub);
my $plain=$rsa->encrypt($cipher);
my $sigt=$rsa_prv->sign($plain); # This seems to be part of the 2nd line in shell code, but maybe I am wrong.
unless($rsa->verify($plain,$sigt)) { die "Failed to create keys"; }
# Here is the issue:
&SaveFile("/etc/ssl/$ssk.key",$plain,0400); # Is it correct?
&SaveFile("/etc/ssl/$ssk.csr",$cipher,0400); # How about this?
# How do I proceed to implement the 2nd line in the shell code?
Note that the part of Crypt::OpenSSL::Random and saving to key files is not docmented...
Thanks a lot
Related
so I am learning X.509 certificates and I got a certificate from a random site with openssl, now it is in PEM format, and for example when I open the PEM in a text viewer, I can see it in it's pure PEM view, and I know how to decode it in openssl to see what it actually says.
But when I convert it into a DER format with this
openssl x509 -in cert.pem -out cert.der -outform DER
I get a DER file and when I view it in a text editor I don't get the binary view.
Is there a way to see the binary view of DER?
Thank you in advance,
Dubbed_Kiwi
Use the following:
openssl x509 -inform der -in CERTIFICATE.der -text -noout
I use the following command in Powershell to sign a base64 encoded string. It is reading currently from a file. Can I also let it directly take it from a variable?
openssl dgst -sha256 -sign jwtRS256.key -binary $payload | openssl enc -base64 -
It works if I use the following:
openssl dgst -sha256 -sign jwtRS256.key -binary payload.b64 | openssl enc -base64 -A
Maybe it is very simple or it is not possible what I try to achieve.
This line is part of some steps that I try to follow to sign a concatenate of header.payload for JWT geneartion by using openssl.
I have a x509 .der certificate that I need to concatenate to a .bin package. The problem is that if I use
cat mycert.der >> package.bin
some of the characters in the certificate are changed. Is there a way to export the certificate in a .bin file using openssl or something? I am using Windows powershell to run commands.
The redirection operator in PowerShell (> or >>) messes up your binary data, because it applies some encoding based on $OutputEncoding. Piping between Get-Content and Set-/Add-Content does not modify your data.
So you can use
Get-Content mycert.der -Raw | Add-Content package.bin -NoNewline
to append your certificate to your binary as binary data. You need -Raw so that PowerShell will preserve any CR/LF bytes and you need -NoNewline to prevent PowerShell from adding an own CR/LF at the end.
maybe because of windows powershell cat replaces line ending \n into \r\n, can you try to copy file instead
otherwise to convert certificates
from man openssl and man x509
...
Convert a certificate from PEM to DER format:
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Convert a certificate to a certificate request:
openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
Convert a certificate request into a self signed certificate using extensions for a CA:
openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-signkey key.pem -out cacert.pem
...
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I am new to perl so this might be very basic, but i am finding no way around this problem. I am trying to sign my data which has to be send over https connection using my ssh private key(id_rsa). I am not able to do so using perl and i am at it for days. Please someone show me a possible way to do so. If any more info is needed please ask me. Thanks in advance
My code as asked is
#!/usr/bin/perl
use File::Slurp qw(read_file);
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw( decode_base64 encode_base64 );
my $keystring = read_file( 'id_rsa' );
my $privatekey = Crypt::OpenSSL::RSA->new_private_key($keystring);
$privatekey->use_pkcs1_padding();
my $datatosign = "hello";
my $signature = $privatekey->sign($datatosign);
my $base64 = encode_base64($signature);
print "$base64";
The error coming on running it is RSA.xs:178: OpenSSL error: unsupported encryption at test.pl line 7.
NOTE: As discussed in the comments, I am using a passphrase protected id_rsa.
So, leaving out the perl, and just doing this by hand with openssl
Checking the key:
ssh-keygen -t rsa -f test_id
openssl rsa -in test_id -check
RSA key ok
So we do have a 'valid' RSA private key there, which we should be able to use for encrpyting.
Generating a comparison key
However if you use openssl to generate a key pair
openssl genrsa -out openssl_gen_rsa
openssl rsa -in openssl_gen_rsa -pubout -out openssl_gen_rsa.out
Looks like the command you need is:
openssl rsautl -inkey test_id -in test_file.txt -encrypt -out test_file.enc
(That encrypts with the private key, so you'd decrypt with the public key - that's actually pretty similar to signing - normally you wouldn't do this).
The problem is - if you compare your generated -public- keys they don't match. test_id.pub looks like (Yes, this is the real one, and no, I did only use it for testing!)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKfjRD+Gb5EE+SgOy7eoT0siQaAqfSY7KI2wkdrdygnJ+ccW/uMCtCVPhpz00u3EW2Gz1WI DteLKppjvUem1lKb8Tt2EWBQGyFOYKp44r3AJZgTcxLeDdqSUoiPsjWf1aUqy2Z1fBgtG+QOa7bpA8km6CbsORYX/TVg4B6vvdkkH K8WcmzBBF3rGsTCM3VXPp56bPoMCbwCsXvIjejmq+JdGHyxUmCxe1PrPyvmoYX3OUqpFBYIjeLWGDI9EXS6jA/r7viIAxdllvulPg IJ+4mdYzKN+T1ME0X0c+ZdFTMdeUnB9/TZmJr1j8Q/4SQm+3J9CiwtVXKxdkDsDObkcDp root#raspberrypi
Where my generated key file looks like:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8i33AuEp1wqbJgkEsnOmQim3
QT76B/oxsVGfJEDX3h4A6CD+ypBbfhhIn0GlfHanYvcGlpOJIlk3fzspbZNeoPJS
T4a0zQ0z8uJkugl8utyl9WR4tpgBRmzXZ42T/f4QSNqjDxUidRp5zPnXs9aRDtWb
XptswiGL3eVHMpbSnwIDAQAB
-----END PUBLIC KEY-----
I can use my generated pair (encrypting using public key, decrypting using private):
openssl rsautl -inkey openssl_gen_rsa.out -pubin -in test_file.txt -encrypt -out test_file.enc2
openssl rsautl -inkey openssl_gen_rsa -in test_file.enc2 -decrypt
This works.
Turning your OpenSSH private key into an RSA public key
So if we run your ssh private key through openssl:
openssl rsa -in test_id -pubout -out test_id.openssl.pub
We get:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyn40Q/hm+RBPkoDsu3qE
9LIkGgKn0mOyiNsJHa3coJyfnHFv7jArQlT4ac9NLtxFths9ViA7XiyqaY71HptZ
Sm/E7dhFgUBshTmCqeOK9wCWYE3MS3g3aklKIj7I1n9WlKstmdXwYLRvkDmu26QP
JJugm7DkWF/01YOAer73ZJByvFnJswQRd6xrEwjN1Vz6eemz6DAm8ArF7yI3o5qv
iXRh8sVJgsXtT6z8r5qGF9zlKqRQWCI3i1hgyPRF0uowP6+74iAMXZZb7pT4CCfu
JnWMyjfk9TBNF9HPmXRUzHXlJwff02Zia9Y/EP+EkJvtyfQosLVVysXZA7Azm5HA
6QIDAQAB
-----END PUBLIC KEY-----
Which isn't even a remotely similar encoding to the id_rsa.pub file - and I think therefore why you have this problem.
openssl rsautl -inkey test_id.openssl.pub -pubin -in test_file.txt -encrypt -out test_file.openssl.pub.enc
Now works, and you can decrypt it using your test_id private key:
openssl rsautl -inkey test_id -in test_file.openssl.pub.enc -decrypt
So yes - for some reason the public key generated by ssh-keygen isn't the same format as openssl is expecting, so it's not going to work.
using an openssh key to verify
Anyway, back to your original example - using the private key to generate a signature:
openssl rsautl -sign -inkey test_id -in test_file.txt -out test_file.sig
openssl rsautl -verify -in test_file.sig -inkey test_id.openssl.pub -pubin
But the verify step won't work using the generated ssh key.
So does this answer your question as to whether it's possible? I'm afraid I don't know how the ssh public key differs from a 'normal' rsa public key.
I suspect your code therefore doesn't even need to be as complicated as it - I don't think you need to pkcs pad your key file.
E.g.
#!/usr/bin/perl
use strict;
use warnings;
use File::Slurp qw(read_file);
use Crypt::OpenSSL::RSA;
use MIME::Base64 qw( decode_base64 encode_base64 );
my $keystring = read_file ('test_id');
my $privatekey = Crypt::OpenSSL::RSA->new_private_key($keystring);
my $datatosign = "hello";
my $signature = $privatekey->sign($datatosign);
my $base64 = encode_base64($signature);
print "Signature:\n";
print "$base64";
my $public_key_text = $privatekey-> get_public_key_string();
print "Public Key:\n";
print $public_key_text;
my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key ( $public_key_text );
print "Signed correctly\n" if ($rsa_pub->verify($datatosign, decode_base64($base64)));
This seems to work. (note lack of pkcs padding line).
Encrypted private key (passphrase)
Following from comments:
If your id_rsa has a passphrase set you'll have something like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,B44716076DD8B7D2B5E909BB8F70B48B
You can decrypt this by hand using openssl again:
openssl rsa -in test_id.enc
Enter pass phrase for test_id.enc:
Or:
openssl rsa -in test_id.enc -passin pass:testpass
I'm less sure how you do this using Crypt::OpenSSL::RSA - there doesn't seem to be any option to specify a passphrase to a private key.
I think you therefore need to use Crypt::CBC to decrypt the private key first. I can't test this, because I've got a load of dependencies to install.
A bit of googling suggests that you might be able to use Crypt::PK::RSA instead.
And as an alernative - use IPC::Open2 and start an openssl process to do the things without using libraries at all.
e.g.
my $keystring = `openssl rsa -passin pass:testpass -in test_id.enc`;
Not very nice, but it'll work. (and test it does actually work)
Currently in my project DSA signature is being generated via perl and verified via perl on other server. It works fine.
Some days ago i've tried to migrate one service from perl to php, and found that php generates signs, that perl is not able to verify. More over, if i generate sign in console (with openssl command) - perl also says that signature is not valid.
So, it looks like that:
PHP Signature <= ok => console signature <= not ok! => perl signature
Why this is happening?
Private key, that is being used for signing is the same.
Perl code:
my $pk = Crypt::OpenSSL::DSA->read_priv_key('private.key');
print encode_base64( $pk->sign( md5($data) ) );
PHP code:
$pk = openssl_get_privatekey('private key string');
openssl_sign(md5($data, true), $signature, $pk, OPENSSL_ALGO_DSS1));
echo base64_encode($signature);
Console code (verification):
openssl dsa -in private_key.pem -pubout -out dsa_public_key.pem
openssl dgst -dss1 -verify dsa_public_key.pem -signature sign.bin data.md5
Totally lost.. 2nd day i am not able to find any answer :(
Could you please advise a way to dig?
Please note that in your example you are doing double digest as you are signing: dss1(md5(message)) - where dss1 in fact means sha1
So, you create signature like this:
echo -n 'data you want to sign' | openssl dgst -md5 -binary | openssl dgst -dss1 -sign openssl_dsa1_pri.pem > signature.bin
You can verify it by openssl comman like this:
echo -n 'data you want to sign' | openssl dgst -md5 -binary | openssl dgst -dss1 -verify openssl_dsa1_pub.pem -signature signature.bin
Using Crypt::OpenSSL::DSA you can verify it like this:
my $signature = read_file("signature.bin");
my $message = 'data you want to sign';
my $pub = Crypt::OpenSSL::DSA->read_pub_key('openssl_dsa1_pub.pem');
warn "Verified=", $pub->verify(sha1(md5($message)), $signature), "\n";
Of course double digest is not necessary, you can use:
echo -n 'data you want to sign' | openssl dgst -dss1 -sign openssl_dsa1_pri.pem > signature2.bin
echo -n 'data you want to sign' | openssl dgst -dss1 -verify openssl_dsa1_pub.pem -signature signature2.bin
my $signature = read_file("signature2.bin");
my $message = 'data you want to sign';
my $pub = Crypt::OpenSSL::DSA->read_pub_key('openssl_dsa1_pub.pem');
warn "Verified=", $pub->verify(sha1($message), $signature), "\n";