viraptor February 2016

pkcs11-tool doesn't recognise RSA key

pkcs11-tool fails to import the RSA private key, even though it's parsed correctly by openssl. It fails with:

error: OpenSSL error during RSA private key parsing

The key is already in DER format and I'm trying to import it using:

pkcs11-tool --module ... -y privkey --slot ... -w some/path.der -l --id ...


viraptor February 2016

The RSA private key may be encoded in DER in two ways. Either it has a heading defining what kind of key it is, or it may be just a list of fields (as defined by the PKCS#1 RSAPrivateKey sequence). The openssl command itself handles both forms transparently in most cases, but d2i_RSAPrivateKey does not. It expects the RSAPrivateKey sequence to be directly available.

The required file can be generated from either DER or PEM format file. It's done using openssl rsa -in ... -outform DER -out ...

The wrapped format looks like this in openssl asn1parse output:

 0:d=0  hl=4 l=2370 cons: SEQUENCE          
 4:d=1  hl=2 l=   1 prim: INTEGER           :00
 7:d=1  hl=2 l=  13 cons: SEQUENCE          
 9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
20:d=2  hl=2 l=   0 prim: NULL              
22:d=1  hl=4 l=2348 prim: OCTET STRING      [HEX DUMP].....

The unwrapped one looks like this:

  0:d=0  hl=4 l=2344 cons: SEQUENCE          
  4:d=1  hl=2 l=   1 prim: INTEGER           :00
  7:d=1  hl=4 l= 513 prim: INTEGER           :...
524:d=1  hl=2 l=   3 prim: INTEGER           :010001
529:d=1  hl=4 l= 513 prim: INTEGER           :...

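The distinction in the answer above, as an added example that is not part of the original post: a small pure-Python DER walker that tells the two encodings apart (PKCS#8 PrivateKeyInfo with an rsaEncryption AlgorithmIdentifier versus a bare PKCS#1 RSAPrivateKey) and strips the PKCS#8 heading to produce exactly what d2i_RSAPrivateKey expects. The sample key is constructed from the textbook toy values n=3233, e=17 and is not usable for anything but exercising the encoder; for a real key file the `openssl rsa -in ... -outform DER -out ...` command from the answer does the same conversion.

```python
"""Classify and unwrap DER-encoded RSA private keys (PKCS#8 vs PKCS#1).

Added example, not code from the original forum post. Only the tiny subset of
DER needed for these two structures is implemented; the sample key below is
constructed from textbook toy numbers and is NOT a usable key.
"""

# OID 1.2.840.113549.1.1.1 (rsaEncryption), as it appears inside the DER OID element
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _encode_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _encode_len(len(content)) + content


def der_int(value):
    """DER INTEGER for a non-negative value (leading 0x00 when the high bit is set)."""
    if value == 0:
        return der_tlv(0x02, b"\x00")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(content):
    """Split the content of a constructed element into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def classify(der):
    """Return 'pkcs8', 'pkcs1' or 'unknown' for a DER blob."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return "unknown"
    kids = _children(content)
    # PKCS#8 PrivateKeyInfo: INTEGER version, SEQUENCE AlgorithmIdentifier, OCTET STRING
    if len(kids) >= 3 and kids[0][0] == 0x02 and kids[1][0] == 0x30 and kids[2][0] == 0x04:
        alg = _children(kids[1][1])
        if alg and alg[0][0] == 0x06 and alg[0][1] == RSA_ENCRYPTION_OID:
            return "pkcs8"
        return "unknown"  # PKCS#8, but not an RSA key
    # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv -- all INTEGERs
    if len(kids) >= 9 and all(t == 0x02 for t, _ in kids[:9]):
        return "pkcs1"
    return "unknown"


def unwrap_to_pkcs1(der):
    """Return the bare RSAPrivateKey bytes, stripping a PKCS#8 wrapper if present."""
    kind = classify(der)
    if kind == "pkcs1":
        return der
    if kind == "pkcs8":
        _, content, _ = _read_tlv(der, 0)
        inner = _children(content)[2][1]  # the OCTET STRING payload
        if classify(inner) != "pkcs1":
            raise ValueError("PKCS#8 OCTET STRING does not hold an RSAPrivateKey")
        return inner
    raise ValueError("not an RSA private key in PKCS#1 or PKCS#8 DER form")


def build_pkcs1_sample():
    """Constructed toy RSAPrivateKey (n=3233, e=17): exercises the encoding only."""
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_tlv(0x30, b"".join(der_int(v) for v in fields))


def wrap_pkcs8(pkcs1):
    """Wrap a PKCS#1 blob into PrivateKeyInfo: version 0, {rsaEncryption, NULL}, OCTET STRING."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1))


if __name__ == "__main__":
    bare = build_pkcs1_sample()
    wrapped = wrap_pkcs8(bare)
    print(classify(bare), classify(wrapped), unwrap_to_pkcs1(wrapped) == bare)
```

The `classify` checks mirror the two asn1parse listings in the answer: the wrapped form is a SEQUENCE whose second member is the AlgorithmIdentifier SEQUENCE carrying the rsaEncryption OID, while the unwrapped form is a SEQUENCE of INTEGERs starting with version 0 and the modulus. Feeding the result of `unwrap_to_pkcs1` to pkcs11-tool with `-y privkey` is what the `openssl rsa ... -outform DER` step achieves for a real key.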
Asked in February 2016
