DSA PVK Support?

Sunny Raspet
Hello!

The changelog between 0.9.8a and 0.9.9 contains (in part) this entry:

        Integrated support for PVK file format and some related formats such
        as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to
        support these in the 'rsa' and 'dsa' utilities.
        [Steve Henson]

This is wonderful, thinks me, as I've been working for the past week on
a method of converting a DSA private key into a PVK (new software[0]
appears not to support any other format, and I have a mandate that our
SSH key *shall not change* in upgrade-to-be).

So I download and build a snapshot from tonight and get to work, but I
don't see the options in the DSA utility.  Grepping, I do see them in
the RSA utility:

rsa.c:  int pvk_encr = 2;
rsa.c:          else if (strcmp(*argv,"-pvk-strong") == 0)
rsa.c:                  pvk_encr=2;
rsa.c:          else if (strcmp(*argv,"-pvk-weak") == 0)
rsa.c:                  pvk_encr=1;
rsa.c:          else if (strcmp(*argv,"-pvk-none") == 0)
rsa.c:                  pvk_encr=0;
rsa.c:                  i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);


But unfortunately I have a DSA key; otherwise I'd already have taken
advantage of Mr. Henson's wonderful work (if you're reading this, thanks
for making that utility and your documentation available!)

So could someone please give me a whack with the clue-stick and tell me
how to use the DSA PVK file format support recently added?  I'm sure
it's in there, I just can't find it[1].

Thanks in advance!

[0]: GlobalScape Secure FTP Server, upgrading from F-Secure SSH.
[1]: It's been a long week, so go light with the clue stick, eh?

--
-Sunny Raspet
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: DSA PVK Support?

Dr. Stephen Henson
On Fri, Oct 07, 2005, Sunny Raspet wrote:

> Hello!
>
> The changelog between 0.9.8a and 0.9.9 contains (in part) this entry:
>
> Integrated support for PVK file format and some related
> formats such as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command
> line switches to support these in the 'rsa' and 'dsa' utilities.
> [Steve Henson]
>
> This is wonderful, thinks me, as I've been working for the past week on
> a method of converting a DSA private key into a PVK (new software[0]
> appears not to support any other format, and I have a mandate that our
> SSH key *shall not change* in upgrade-to-be).
>
> So I download and build a snapshot from tonight and get to work, but I
> don't see the options in the DSA utility.  Grepping, I do see them in
> the RSA utility:
>
> rsa.c:  int pvk_encr = 2;
> rsa.c:          else if (strcmp(*argv,"-pvk-strong") == 0)
> rsa.c:                  pvk_encr=2;
> rsa.c:          else if (strcmp(*argv,"-pvk-weak") == 0)
> rsa.c:                  pvk_encr=1;
> rsa.c:          else if (strcmp(*argv,"-pvk-none") == 0)
> rsa.c:                  pvk_encr=0;
> rsa.c:                  i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
>
>
> But unfortunately I have a DSA key; otherwise I'd already have taken
> advantage of Mr. Henson's wonderful work (if you're reading this, thanks
> for making that utility and your documentation available!)
>
> So could someone please give me a whack with the clue-stick and tell me
> how to use the DSA PVK file format support recently added?  I'm sure
> it's in there, I just can't find it[1].
>
> Thanks in advance!
>
> [0]: GlobalScape Secure FTP Server, upgrading from F-Secure SSH.
> [1]: It's been a long week, so go light with the clue stick, eh?
>

I haven't included command line options in the dsa utility for PVK
support. I'll look into it. I think the last time I generated a PVK file you
couldn't even produce one for DSA keys.

So you can be the first to test it :-)

I'm surprised that something needs PVK format for keys. It's a horribly insecure
format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: DSA PVK Support?

Dr. Stephen Henson
On Fri, Oct 07, 2005, Sunny Raspet wrote:
>
> So could someone please give me a whack with the clue-stick and tell me
> how to use the DSA PVK file format support recently added?  I'm sure
> it's in there, I just can't find it.

Try the next snapshot and let me know the results. If it doesn't work and you
have or can generate a zero value test DSA PVK file please send it to me.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: DSA PVK Support?

Sunny Raspet
Dr. Stephen Henson wrote:
> On Fri, Oct 07, 2005, Sunny Raspet wrote:
>
>>So could someone please give me a whack with the clue-stick and tell me
>>how to use the DSA PVK file format support recently added?  I'm sure
>>it's in there, I just can't find it.
>
>
> Try the next snapshot and let me know the results. If it doesn't work and you
> have or can generate a zero value test DSA PVK file please send it to me.

First off, thanks for getting back to me and working on this so quickly!

Unfortunately, importing the key into the program does not work.  Since
the proprietary program gives no useful error message, I created a
completely new key in the proprietary program and tried to import it
with OpenSSL:

sunrafey@precious:/sunrafey% /usr/local/ssl/bin/openssl dsa -inform PVK -in gstest.pvk
read DSA key
unable to load Private Key
unable to load Key
2495:error:09088074:PEM routines:DO_PVK_HEADER:bad magic

I *hope* the program uses DSA for new keys, but I don't know, and their
support refuses to tell me; I was only attempting to go the other way,
from our DSA key to a PVK file for this program.

Since it's a very small file, I'll go ahead and e-mail you the test key
I generated privately.

At this point, though, I'm pretty sure that they've been kind enough to
"extend" the format.

--
-Sunny Raspet

Re: DSA PVK Support?

Dr. Stephen Henson
On Sun, Oct 09, 2005, Sunny Raspet wrote:

> Dr. Stephen Henson wrote:
> >On Fri, Oct 07, 2005, Sunny Raspet wrote:
> >
> >>So could someone please give me a whack with the clue-stick and tell me
> >>how to use the DSA PVK file format support recently added?  I'm sure
> >>it's in there, I just can't find it.
> >
> >
> >Try the next snapshot and let me know the results. If it doesn't work and you
> >have or can generate a zero value test DSA PVK file please send it to me.
>
> First off, thanks for getting back to me and working on this so quickly!
>
> Unfortunately, importing the key into the program does not work.  Since
> the proprietary program gives no useful error message, I created a
> completely new key in the proprietary program and tried to import it
> with OpenSSL:
>
> sunrafey@precious:/sunrafey% /usr/local/ssl/bin/openssl dsa -inform PVK -in gstest.pvk
> read DSA key
> unable to load Private Key
> unable to load Key
> 2495:error:09088074:PEM routines:DO_PVK_HEADER:bad magic
>
> I *hope* the program uses DSA for new keys, but I don't know, and their
> support refuses to tell me; I was only attempting to go the other way,
> from our DSA key to a PVK file for this program.
>
> Since it's a very small file, I'll go ahead and e-mail you the test key
> I generated privately.
>
> At this point, though, I'm pretty sure that they've been kind enough to
> "extend" the format.
>

A quick look with a hex editor shows that it's got an ASN1 structure in there
15 bytes into the file after some header info. Checking that with asn1parse
shows it looks like unencrypted PKCS#8. Using the pkcs8 utility confirms that
it is. And BTW it *is* a DSA key.

You can see this yourself by chopping off the first 15 bytes and doing:

openssl pkcs8 -inform DER -nocrypt -in rest.pvk

This suggests you may be able to convert to their format by converting the
private key to unencrypted PKCS#8 and prepending the header information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
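
The inspection described in the message above (skip the vendor header, then check whether the rest is unencrypted PKCS#8), as an added example that is not part of the original thread or of OpenSSL. The function names, the 15-byte header bytes and the toy key are constructed for illustration; the real vendor header is not shown on this page.

```python
DSA_OID = bytes.fromhex("2a8648ce380401")                    # 1.2.840.10040.4.1
OIDS = {DSA_OID: "DSA", bytes.fromhex("2a864886f70d010101"): "RSA"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos, or None."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                    # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return (tag, pos, pos + length) if pos + length <= len(buf) else None

def classify(buf, off):
    """Key type if buf[off:] is exactly one PrivateKeyInfo, else None."""
    outer = read_tlv(buf, off)
    if not outer or outer[0] != 0x30 or outer[2] != len(buf):
        return None
    ver = read_tlv(buf, outer[1])         # PrivateKeyInfo begins INTEGER 0;
    if not ver or ver[0] != 0x02 or buf[ver[1]:ver[2]] != b"\x00":
        return None                       # EncryptedPrivateKeyInfo does not
    alg = read_tlv(buf, ver[2])
    oid = read_tlv(buf, alg[1]) if alg and alg[0] == 0x30 else None
    if not oid or oid[0] != 0x06:
        return None
    return OIDS.get(bytes(buf[oid[1]:oid[2]]), "unknown")

def find_pkcs8(buf, max_header=64):
    """Return (header_length, key_type) for the first offset that parses."""
    for off in range(min(max_header, len(buf))):
        kind = classify(buf, off)
        if kind:
            return off, kind
    return None

def tlv(tag, body):                       # short-form encoder for the sample
    return bytes([tag, len(body)]) + body

# Constructed sample: 15 placeholder header bytes, then a toy DSA PrivateKeyInfo
# with tiny made-up numbers (not a usable key, not the vendor's real header).
HEADER = b"VENDORHDR-DEMO!"
BODY = tlv(0x30, tlv(0x02, b"\x00")
           + tlv(0x30, tlv(0x06, DSA_OID) + tlv(0x30, tlv(0x02, b"\x17") * 3))
           + tlv(0x04, tlv(0x02, b"\x05")))
SAMPLE = HEADER + BODY
```

On a real file, the bytes from the reported offset onward are what the thread passes to `openssl pkcs8 -inform DER -nocrypt`. A hit also means the private key is stored with no passphrase, so file permissions are its only protection.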

Re: DSA PVK Support?

Sunny Raspet
Dr. Stephen Henson wrote:

> A quick look with a hex editor shows that it's got an ASN1 structure in there
> 15 bytes into the file after some header info. Checking that with asn1parse
> shows it looks like unencrypted PKCS#8. Using the pkcs8 utility confirms that
> it is. And BTW it *is* a DSA key.
>
> You can see this yourself by chopping off the first 15 bytes and doing:
>
> openssl pkcs8 -inform DER -nocrypt -in rest.pvk
>
> This suggests you may be able to convert to their format by converting the
> private key to unencrypted PKCS#8 and prepending the header information.

This worked perfectly.  The program accepted the key with no trouble at
all after I did this.

Thank you so much for all your assistance with this--over a weekend, to
boot.  I really can't thank you enough!

--
-Sunny Raspet