OpenSSL vs SPKI


OpenSSL vs SPKI

Jason Proctor-2
Distinguished crypto community,

I have the requirement to import RSA keypairs generated by the Amazon
Key Management System into my environment. These keypairs arrive in
the de facto standard of SPKI for the public component and PKCS8 for
the private component.

I have no problem with the PKCS8 encoded private keys, they seem fine
when imported using d2i_PKCS8_PRIV_KEY_INFO_bio().

However, I'm having issues importing the SPKI encoded public keys. My
Java test program imports them fine. The Js Web Crypto API is happy
with them. Online ASN.1 parsers are fine with them. The OpenSSL
command line tool can dump their contents, no problem. However, the
d2i_NETSCAPE_SPKI() function errors out trying to deal with them.

Back in the day I had a hack to import SPKI encoded public keys, as I
knew their structure. I would just set the modulus and exponent
directly using BN_bin2bn(). However these days it seems that the RSA
structure is opaque, and so I can't do that either. (I mean fair
enough, it's a hack.)

Question -- is there a supported way of importing SPKI encoded public
keys into the OpenSSL world?

thanks so much for any help with this,
Jason@Spatial
EAY/OpenSSL user since 1995

Re: OpenSSL vs SPKI

William Roberts

On Mon, Apr 6, 2020, 9:16 PM Jason Proctor <[hidden email]> wrote:
> Distinguished crypto community,
>
> I have the requirement to import RSA keypairs generated by the Amazon
> Key Management System into my environment. These keypairs arrive in
> the de facto standard of SPKI for the public component and PKCS8 for
> the private component.
>
> I have no problem with the PKCS8 encoded private keys, they seem fine
> when imported using d2i_PKCS8_PRIV_KEY_INFO_bio().
>
> However, I'm having issues importing the SPKI encoded public keys. My
> Java test program imports them fine. The Js Web Crypto API is happy
> with them. Online ASN.1 parsers are fine with them. The OpenSSL
> command line tool can dump their contents, no problem. However, the
> d2i_NETSCAPE_SPKI() function errors out trying to deal with them.
>
> Back in the day I had a hack to import SPKI encoded public keys, as I
> knew their structure. I would just set the modulus and exponent
> directly using BN_bin2bn(). However these days it seems that the RSA
> structure is opaque, and so I can't do that either. (I mean fair
> enough, it's a hack.)

There are setter functions now. See:
https://www.openssl.org/docs/man1.1.0/man3/RSA_set0_key.html

So I have no idea about the SPKI function, but if you have the RSA private key, can't you get the public key from it? I would just look at what API the rsa command line tool is using. I would imagine there is a high level API for this.

> Question -- is there a supported way of importing SPKI encoded public
> keys into the OpenSSL world?
>
> thanks so much for any help with this,
> Jason@Spatial
> EAY/OpenSSL user since 1995

Re: OpenSSL vs SPKI

Jason Proctor-2
On Mon, Apr 6, 2020 at 9:44 PM William Roberts <[hidden email]> wrote:
>
>
> There are setter functions now. See:
> https://www.openssl.org/docs/man1.1.0/man3/RSA_set0_key.html

Thanks, yes it does look like that replaces direct access to "n" and
"e". It's a hack, but it might work for the moment.

Ideally though I wouldn't be reliant on offsets into the binary SPKI
structure :-)

any help with SPKI welcome!
J

Re: OpenSSL vs SPKI

William Roberts

On Mon, Apr 6, 2020, 11:59 PM Jason Proctor <[hidden email]> wrote:
> On Mon, Apr 6, 2020 at 9:44 PM William Roberts <[hidden email]> wrote:
> >
> > There are setter functions now. See:
> > https://www.openssl.org/docs/man1.1.0/man3/RSA_set0_key.html
>
> Thanks, yes it does look like that replaces direct access to "n" and
> "e". It's a hack, but it might work for the moment.
>
> Ideally though I wouldn't be reliant on offsets into the binary SPKI
> structure :-)

I don't think I would consider it a hack necessarily. I work on the TPM stack and have to convert TPM structures to RSA public key structures for OpenSSL to utilize, and we use this routine along the way. I would imagine there's a higher level public-from-private routine you can call. I would dissect what

    openssl rsa -in mykey.pem -pubout > mykey.pub

is doing.

> any help with SPKI welcome!
> J

Re: OpenSSL vs SPKI

Viktor Dukhovni
In reply to this post by Jason Proctor-2
On Mon, Apr 06, 2020 at 07:16:23PM -0700, Jason Proctor wrote:

> However, the d2i_NETSCAPE_SPKI() function errors out trying to deal
> with them.

That's not the droid you're looking for.

> Question -- is there a supported way of importing SPKI encoded public
> keys into the OpenSSL world?

Yes.  That'd be d2i_PUBKEY(3):

    https://www.openssl.org/docs/man1.1.1/man3/d2i_PUBKEY.html

For example:

    https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L398-L404

--
    Viktor.

Re: OpenSSL vs SPKI

Jason Proctor-2
On Mon, Apr 6, 2020 at 11:03 PM Viktor Dukhovni
<[hidden email]> wrote:
>
> > Question -- is there a supported way of importing SPKI encoded public
> > keys into the OpenSSL world?
>
> Yes.  That'd be d2i_PUBKEY(3):
>
>     https://www.openssl.org/docs/man1.1.1/man3/d2i_PUBKEY.html
>

Perfect! Thanks so much.

Re: OpenSSL vs SPKI

Jason Proctor-2
In reply to this post by William Roberts
On Mon, Apr 6, 2020 at 10:03 PM William Roberts
<[hidden email]> wrote:
>
> I don't think I would consider it a hack necessarily. I work on the TPM stack and have to convert TPM structures to RSA public key structures for OpenSSL to utilize, and we use this routine along the way. I would imagine there's a higher level public-from-private routine you can call. I would dissect what
>
>     openssl rsa -in mykey.pem -pubout > mykey.pub
>
> is doing.

Thanks for the help. Turns out, d2i_PUBKEY() does exactly the thing.
The advantage over picking BIGNUMs out of the SPKI bundle is that the
code doesn't need to know the key size.

Re: OpenSSL vs SPKI

Viktor Dukhovni
On Tue, Apr 07, 2020 at 10:00:05AM -0700, Jason Proctor wrote:

> Turns out, d2i_PUBKEY() does exactly the thing.
> The advantage over picking BIGNUMs out of the SPKI bundle is that the
> code doesn't need to know the key size.

It is also algorithm independent.  Works not only with RSA, but also
with DSA (deprecated), ECDSA, EdDSA, and any future public key types.

--
    Viktor.
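
The structure this thread is about, as an added example (not code from the thread, from OpenSSL, or from any of the posters): a minimal parser for the DER SubjectPublicKeyInfo that d2i_PUBKEY() consumes, written against the Python standard library only so it runs without OpenSSL installed. It illustrates both closing points at once. Jason's: fishing BIGNUMs out of the bundle at fixed offsets depends on the key size, because every DER length field changes between a 1024-bit and a 2048-bit key (the example computes where the modulus actually starts in each). Viktor's: a real parse is algorithm independent, because the AlgorithmIdentifier OID says whether the BIT STRING holds an RSAPublicKey, an EC point, or a raw Ed25519 key. The sample blobs are built inline from constructed placeholder moduli, not real keys; the OID constants, helper names and the `demo()` entry point are this example's own.

```python
"""Hand-rolled DER walk of SubjectPublicKeyInfo (RFC 5280 4.1.2.7), constructed for
this thread and not taken from OpenSSL or the posters. It shows what d2i_PUBKEY()
consumes and why the old offset hack was fragile: DER lengths move with key size."""
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_ED25519 = "1.3.101.112"                   # id-Ed25519 (assumption: two OIDs suffice here)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N then N big-endian length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def _decode_oid(value):
    """OBJECT IDENTIFIER contents to dotted form; the first byte packs two arcs."""
    arcs = [2, value[0] - 80] if value[0] >= 80 else [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_spki(der):
    """Parse SubjectPublicKeyInfo; for RSA also unpack the inner RSAPublicKey."""
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SubjectPublicKeyInfo SEQUENCE")
    t_alg, alg_id, pos = _read_tlv(spki, 0)
    t_bits, bit_string, end = _read_tlv(spki, pos)
    if (t_alg, t_bits) != (0x30, 0x03) or end != len(spki):
        raise ValueError("expected SEQUENCE { AlgorithmIdentifier, BIT STRING }")
    t_oid, oid, apos = _read_tlv(alg_id, 0)
    if t_oid != 0x06 or not oid or not bit_string or bit_string[0] != 0:
        raise ValueError("need an algorithm OID and a BIT STRING with zero unused bits")
    info = {"algorithm": _decode_oid(oid), "parameters": alg_id[apos:],
            "raw_key": bit_string[1:]}
    if info["algorithm"] == OID_RSA_ENCRYPTION:
        # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        tag, rsa_pub, end = _read_tlv(info["raw_key"], 0)
        t_n, n_bytes, pos = _read_tlv(rsa_pub, 0)
        t_e, e_bytes, end2 = _read_tlv(rsa_pub, pos)
        if (tag != 0x30 or end != len(info["raw_key"])
                or (t_n, t_e) != (0x02, 0x02) or end2 != len(rsa_pub)):
            raise ValueError("RSAPublicKey must be a SEQUENCE of exactly two INTEGERs")
        if not n_bytes or not e_bytes or n_bytes[0] & 0x80 or e_bytes[0] & 0x80:
            raise ValueError("modulus and exponent must be positive")
        info["n"] = int.from_bytes(n_bytes, "big")  # any 0x00 sign pad is harmless
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = info["n"].bit_length()
    return info

def _tlv(tag, value):  # DER TLV; long-form length once the value reaches 128 bytes
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_uint(x):  # DER INTEGER for x >= 0; a leading 0x00 keeps the sign bit clear
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)

def _der_oid(oid):  # base-128 arcs, high bit set on every byte but the last of each arc
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_spki(algorithm_oid, parameters, key_bytes):  # assemble test input
    alg_id = _tlv(0x30, _der_oid(algorithm_oid) + parameters)
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + key_bytes))

def build_rsa_spki(n, e):  # rsaEncryption with NULL parameters around an RSAPublicKey
    return build_spki(OID_RSA_ENCRYPTION, b"\x05\x00", _tlv(0x30, _der_uint(n) + _der_uint(e)))

def demo():
    """Parse three constructed blobs; the RSA moduli are odd placeholders, not real keys."""
    samples = {"rsa1024": build_rsa_spki((1 << 1023) | 0x1B0B5, 65537),
               "rsa2048": build_rsa_spki((1 << 2047) | 0xC0FFEE1, 65537),
               "ed25519": build_spki(OID_ED25519, b"", bytes(range(32)))}  # no parameters
    out = {}
    for label, der in samples.items():
        info = parse_spki(der)
        info["der_len"] = len(der)
        if "n" in info:  # where the modulus TLV starts: the offset the old hack hard-coded
            info["modulus_offset"] = der.find(_der_uint(info["n"]))
        out[label] = info
    return out
```

Running `demo()` gives the familiar 162-byte and 294-byte encodings for 1024- and 2048-bit RSA and the 44-byte Ed25519 encoding, with the modulus starting at byte 25 in the first and byte 28 in the second: three of the length fields grow from short to long form, which is exactly what a hard-coded offset misses. d2i_PUBKEY() does the same walk (and far more checking) and hands back an EVP_PKEY regardless of which OID it finds; the hand-rolled version is only here to make visible what the shortcut skipped.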