Use ssh-format key

I have a public key in the following format:

ssh-dss AAAAB3NzaC1kc3MAAACBANp8I4YOSRlhoLGkHzRL1n0oOyrZUpJwxAv2nYgfeFtCxGT1V3S5yPchB/eQhOlh2qsRD9C85FFQPhIIoGhcFObQ8JApDhGC7Ry/9rU+kygRMvc5QwKR2nmGHb2S8NV8GwqAZXfYCM9IEwErS8BY+H0PGzJtBXw926fwz7YgJmZLAAAAFQCzrVxVqen0ZQ08EimzTtBimRvvAwAAAIBGqpPGAw9fUcBRMlAGSUMDRthh+vKg5HJx52rupinjpZrptdgSpJRTtQXebAbB0rWQgMh5o/sYZzpHurfFJVKzjdrpBFji2FnCsO5zThSuCn07oDHidr9JEgJ/lHwHB57JQX6f+PT2KK6/N7rw2kwF1+mZDgWbhjxA1AZC4KSUgQAAAIBT41q0iIYSRJD6rB7ywN9rXCVwNtcG/Y8U/Bqh1cc4lYb9R5hNcRSqAkgis0BFxpM3frzZKpgdyX/I7HScGpbiGUlBFf/sX3YnUFsfHHg+OnuVqYzlKL8iEfP+RTpeqnHV/AdWOUELVJzHqk7FD31Tf+IGbt25vI3FjEDkQWYpdg==

that is, "ssh-dss " followed by a base64-encoded blob which has the following five values, each preceded by their length in bytes:
* "ssh-dss" (again, this time no space)
* the four integers that dss uses (p,q,g,y).

This is the format outputted by:
ssh-keygen -q -t dsa -f %s -C '' -N ''
(actually, this is the command used by the Sugar environment for OLPC to make keys, I am trying to use these keys for signatures. Certainly this seems to be a pretty standard way to make a key).

If I try
openssl dgst -dss1 -verify ...
with this key, I get the message "unable to load key file"

Is there any way for me to convert this to a valid key format? If not, is it possible that openssl might/should gain the capability to read this format? I can even make an attempt to write this into openssl myself, but it has been some time since I wrote C and I would really appreciate some pointers from somebody who knows the code as to where I need to change it.

Thanks,
Jameson
Re: Use ssh-format key

Jameson "Chema" Quinn wrote:
> I have a public key in the following format:
>
> ssh-dss AAAAB3NzaC1kc3MAAACBANp8I4YOSRlhoLGkHzRL1n0oOyrZUpJwxAv2nYgfeFtCxGT1V3S5yPchB/eQhOlh2qsRD9C85FFQPhIIoGhcFObQ8JApDhGC7Ry/9rU+kygRMvc5QwKR2nmGHb2S8NV8GwqAZXfYCM9IEwErS8BY+H0PGzJtBXw926fwz7YgJmZLAAAAFQCzrVxVqen0ZQ08EimzTtBimRvvAwAAAIBGqpPGAw9fUcBRMlAGSUMDRthh+vKg5HJx52rupinjpZrptdgSpJRTtQXebAbB0rWQgMh5o/sYZzpHurfFJVKzjdrpBFji2FnCsO5zThSuCn07oDHidr9JEgJ/lHwHB57JQX6f+PT2KK6/N7rw2kwF1+mZDgWbhjxA1AZC4KSUgQAAAIBT41q0iIYSRJD6rB7ywN9rXCVwNtcG/Y8U/Bqh1cc4lYb9R5hNcRSqAkgis0BFxpM3frzZKpgdyX/I7HScGpbiGUlBFf/sX3YnUFsfHHg+OnuVqYzlKL8iEfP+RTpeqnHV/AdWOUELVJzHqk7FD31Tf+IGbt25vI3FjEDkQWYpdg==
>
> that is, "ssh-dss " followed by a base64-encoded blob which has the
> following five values, each preceded by their length in bytes:
> * "ssh-dss" (again, this time no space)
> * the four integers that dss uses (p,q,g,y).
>
> This is the format outputted by:
> ssh-keygen -q -t dsa -f %s -C '' -N ''
> (actually, this is the command used by the Sugar environment for OLPC to
> make keys, I am trying to use these keys for signatures. Certainly this
> seems to be a pretty standard way to make a key).
>
> If I try
> openssl dgst -dss1 -verify ...
> with this key, I get the message "unable to load key file"
>
> Is there any way for me to convert this to a valid key format? If not,
> is it possible that openssl might/should gain the capability to read
> this format? I can even make an attempt to write this into openssl
> myself, but it has been some time since I wrote C and I would really
> appreciate some pointers from somebody who knows the code as to where I
> need to change it.
>
> Thanks,
> Jameson

Well the key is in SSH format, have you tried any of the ssh utilities? Say does 'ssh-keygen -e' do what you're looking for?

If you want to write C code to convert the key, the format is described in RFC 4253, and you might want to look at the EVP_PKEY_* functions and load_pubkey() in apps/apps.c (and maybe PEM_read_bio_PUBKEY() for reference).

-jb
--
Real computer scientists don't comment their code. The identifiers are so long they can't afford the disk space.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...
Q about ssleay_rand_add Vul. and command line openssl req tool

Hello,

I've not dug through the whole openssl source yet - but it seems to me that the recent Debian Issue with the ssleay_rand_add method here
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
does not affect the command line tool when called with

openssl req -config $MY_CONFIG -noout -x509 -newkey rsa:$MY_KEY_LENGTH
(in contrast to openssl genrsa)

where in $CONFIG *no* RANDFILE is defined.

AFAIK the method in question is never called from the request command line utility. And by default - the /root/.rnd or $HOME/.rnd file is always used if no RANDFILE is given.

Can anyone answer this?

Thanks
RE: Q about ssleay_rand_add Vul. and command line openssl req tool

Harakiri wrote:
> i've not digged through the whole openssl source yet - but it
> seems to me that the recent Debian
> Issue with the ssleay_rand_add method here
> http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c
>
> does not affect the command line tool when called with
>
> openssl req -config $MY_CONFIG -noout -x509 -newkey rsa:$MY_KEY_LENGTH
> (in contrast to openssl genrsa)
> where in $CONFIG *no* RANDFILE is defined.
>
> AFAIK the method in question is never called from the request
> command line utility. And by default
> - the /root/.rnd or $HOME/.rnd file is always used if no RANDFILE
> is given.

It seems that in this case, the modified method is never called. The random data comes from /dev/urandom and/or ~/.rnd. The only possible problem I can think of is if the data in ~/.rnd traced to output from a buggy RNG, possibly from previous invocations of the buggy OpenSSL.

DS

PS: There are so many things wrong with that commit, it's almost hard to list them all. Did anyone even notice that half of that commit has no effect unless 'PURIFY' is defined, and it obviously wasn't tested with 'PURIFY' defined because it wouldn't even compile.
Re: Use ssh-format key

Jameson "Chema" Quinn wrote:
> Jameson "Chema" Quinn wrote:
> > I have a public key in the following format:
> >
> > ssh-dss [key blob snipped]
> >
> > that is, "ssh-dss " followed by a base64-encoded blob which has the
> > following five values, each preceded by their length in bytes:
> > * "ssh-dss" (again, this time no space)
> > * the four integers that dss uses (p,q,g,y).

Well, this part here is defined in RFC 4253. The other formats used to store them are described across various docs.

> > ...........
>
> I have tried everything I can think of - all combinations of ssh-keygen -if, -ef; openssl dgst -keyform P,S,1,... The problem is
> that I do not really know what I'm aiming for, as I have no example of signatures working - I can make a signature, but I cannot
> verify it. As to fixing openssl to read this format natively, I have looked around the code, and am stuck on EVP_PKEY_DSAX - there
> 5 versions and I do not know which one to use.
>
> I guess that I will figure that latter problem out eventually, but I really could use a working keypair for comparison. If I could
> visually compare in order to figure out the problem with ssh-keygen -e I could just keep two copies of the public key for now.
>
> Are you sure that the format is RFC4253? This is the same format as the ssh key, without the -----BEGIN stuff; but when I
> that stuff manually it does not work.

Well I'm not sure signing/verifying with ssh keys constitutes a valid use-case; maybe you could describe what you want in detail. In case your problems pertain to dealing with ssh key formats and using them, you maybe better off asking this on the openssh list.

[If you just want to programmatically sign/verify using ssh keys that should be easy enough; openssh uses openssl for the cryptographic ops. I gather that you're stuck at making a key structure out of the blob. Take a look at key.c,key.h in the openssh sources]

-jb
--
Real computer scientists don't comment their code.
The identifiers are so long they can't afford the disk space.
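A worked conversion of the posted key, added here as an example (not code from the thread, from OpenSSL or from OpenSSH): it parses the RFC 4253 string/mpint framing jb points to, runs the subgroup sanity checks a verifier should do before trusting a DSA key, and re-wraps p, q, g, y as a PEM SubjectPublicKeyInfo that `openssl dgst -verify` can load. The DER helpers and the function names are my own; the key constant is the one Jameson posted, with the wrapped "= =" rejoined to "==".

```python
import base64
import struct

# The ssh-dss key posted in the thread (the line-wrapped "= =" rejoined to "==").
POSTED_KEY = "ssh-dss AAAAB3NzaC1kc3MAAACBANp8I4YOSRlhoLGkHzRL1n0oOyrZUpJwxAv2nYgfeFtCxGT1V3S5yPchB/eQhOlh2qsRD9C85FFQPhIIoGhcFObQ8JApDhGC7Ry/9rU+kygRMvc5QwKR2nmGHb2S8NV8GwqAZXfYCM9IEwErS8BY+H0PGzJtBXw926fwz7YgJmZLAAAAFQCzrVxVqen0ZQ08EimzTtBimRvvAwAAAIBGqpPGAw9fUcBRMlAGSUMDRthh+vKg5HJx52rupinjpZrptdgSpJRTtQXebAbB0rWQgMh5o/sYZzpHurfFJVKzjdrpBFji2FnCsO5zThSuCn07oDHidr9JEgJ/lHwHB57JQX6f+PT2KK6/N7rw2kwF1+mZDgWbhjxA1AZC4KSUgQAAAIBT41q0iIYSRJD6rB7ywN9rXCVwNtcG/Y8U/Bqh1cc4lYb9R5hNcRSqAkgis0BFxpM3frzZKpgdyX/I7HScGpbiGUlBFf/sX3YnUFsfHHg+OnuVqYzlKL8iEfP+RTpeqnHV/AdWOUELVJzHqk7FD31Tf+IGbt25vI3FjEDkQWYpdg=="

def read_string(blob, off):  # RFC 4253 'string': 4-byte big-endian length, then that many bytes
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_ssh_dss(line):
    """Return (p, q, g, y) as ints from an OpenSSH 'ssh-dss <base64>' line."""
    kind, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    name, off = read_string(blob, 0)
    if kind != "ssh-dss" or name != b"ssh-dss":
        raise ValueError("not an ssh-dss key")
    ints = []
    for _ in range(4):  # mpint: big-endian two's complement, hence signed=True
        raw, off = read_string(blob, off)
        ints.append(int.from_bytes(raw, "big", signed=True))
    if off != len(blob):
        raise ValueError("trailing bytes after y")
    return tuple(ints)

def dsa_params_consistent(p, q, g, y):
    """Cheap structural checks before trusting the key: q | p-1, g and y in the group, g^q = 1 mod p."""
    return q > 1 and (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1 and 1 < y < p

def der_tlv(tag, body):  # DER tag-length-value, definite length (short or long form)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # DER INTEGER; signed=True adds the leading 0x00 when the top bit is set
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

ID_DSA = bytes.fromhex("2a8648ce380401")  # OID 1.2.840.10040.4.1 (id-dsa)

def to_spki_pem(p, q, g, y):
    """SubjectPublicKeyInfo for DSA (RFC 3279): SEQ{SEQ{OID, SEQ{p,q,g}}, BIT STRING{INTEGER y}}."""
    alg = der_tlv(0x30, der_tlv(0x06, ID_DSA) + der_tlv(0x30, der_int(p) + der_int(q) + der_int(g)))
    spk = der_tlv(0x03, b"\x00" + der_int(y))  # first byte of a BIT STRING = number of unused bits
    b64 = base64.b64encode(der_tlv(0x30, alg + spk)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"
```

Write the returned PEM to a file and pass it as the -verify argument of the openssl dgst -dss1 command quoted above; a key that fails dsa_params_consistent should be rejected rather than converted.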