kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

Import of OpenSSL private key (pem) fails #191

Open jpstotz opened 5 years ago

jpstotz commented 5 years ago

Describe the bug I got an RSA private key in pem format that can't be loaded by KeyStore Explorer; however, openssl rsa -text -in filename works without problems.

To Reproduce Steps to reproduce the behavior:

Expected behavior The details dialog should open displaying the RSA private key details

Actual behavior An error dialog is shown:

org.kse.crypto.CryptoException: Kein gültiger privater OpenSSL Schlüssel.
    at org.kse.crypto.privatekey.OpenSslPvkUtil.load(OpenSslPvkUtil.java:272)
    at org.kse.gui.dialogs.importexport.DImportKeyPairOpenSsl.loadPrivateKey(DImportKeyPairOpenSsl.java:418)
    at org.kse.gui.dialogs.importexport.DImportKeyPairOpenSsl.privateKeyDetailsPressed(DImportKeyPairOpenSsl.java:388)
    at org.kse.gui.dialogs.importexport.DImportKeyPairOpenSsl.access$100(DImportKeyPairOpenSsl.java:84)
    at org.kse.gui.dialogs.importexport.DImportKeyPairOpenSsl$2.actionPerformed(DImportKeyPairOpenSsl.java:192)
...

Guess of the problem It seems like KeyStore Explorer is searching for the line

-----BEGIN RSA PRIVATE KEY-----

but the attached file starts with the line

-----BEGIN PRIVATE KEY-----

This is also accepted by OpenSSL but not by KeyStore Explorer. You can verify that by changing the header and footer line in the attached file so that it contains "RSA". After modifying the file this way it can be loaded by KeyStore Explorer.

Environment

kaikramer commented 5 years ago

The header specifies the format of the content (see here):

But in this case it's a PKCS#1 content with a PKCS#8 header.

Did you generate this file with OpenSSL?

jpstotz commented 5 years ago

Thanks for your clarification. But now I am even more confused, as KeyStore Explorer only speaks of "OpenSSL keys" - which format is supported by KeyStore Explorer and which is not? From my experience I would guess that PKCS#1 is supported but PKCS#8 keys are not supported? If this is correct, why is this not communicated to the user?

Regarding my attached key: Originally the file I got seems to be a real PKCS#8 file; however, the included private key is important (and therefore can't be posted), so I decided to generate a new one that could be posted. As I did not know about the different formats and how they can be identified, I generated the new key in the wrong format (and just changed the header/footer).

kaikramer commented 5 years ago

Both are supported, but if you select "OpenSSL" format on key import, then the PEM header has to be the one for PKCS#1. If you select PKCS#8, then KSE checks for PKCS#8 format:

[image]

jpstotz commented 5 years ago

From a usability perspective this is not good :(

As a user I only know that I have PEM file. PEM usually means OpenSSL. For PKCS#8 PEM files this will always fail. And additionally the error message shown does not indicate the real problem (wrong file format selected).

Therefore from my perspective I would propose the following changes:

  1. Change the term "OpenSSL" in the Import key Pair dialog to "PKCS#1 (OpenSSL)"
  2. Add a check for the text in the PEM header and display a warning if the header does not match the selected file format (something like "The currently selected file format is OpenSSL but the file indicates that it contains a PKCS#8 file. Do you really want to continue?")

kaikramer commented 5 years ago

And additionally the error message shown does not indicate the real problem

When the user has selected "OpenSSL" as the type of the private key and KSE fails to parse the file then the error message "Not a valid OpenSSL private key" is the best you can expect. If KSE was smart enough to detect that the format is actually PKCS#8, then it would make no sense to let the user choose the format in the first place.

Both suggested changes won't help much:

  1. You assume that someone who does not know what the format of a certain private key file is, does know what PKCS#1 is. Most people don't even know what PEM is.
  2. Again, someone who does not understand the current error message, won't understand the suggested message either. Also asking the user if he wants to continue makes no sense here, because this will always result in an error.

The best solution here seems to completely remove the dialog for format selection and let KSE detect the file type automatically. I'll consider this for the next feature release (5.5.0).
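The two points made in this thread, that the PEM label announces the format of the DER inside it (PKCS#1 RSAPrivateKey under "RSA PRIVATE KEY", PKCS#8 PrivateKeyInfo under "PRIVATE KEY") and that the importer could sniff the content instead of trusting the label or the user's menu choice, can be shown with a small detector. The following is an added example for this discussion, not KeyStore Explorer or OpenSSL code; it uses only the Python standard library and classifies a key by the shape of its outer DER SEQUENCE. The sample keys are constructed toy structures with tiny integers, not real key material, and the function names are this example's own.

```python
"""Sniff the private-key encoding behind a PEM label and flag label/content mismatches.

Added example for the KeyStore Explorer issue #191 discussion (not project code).
Only the outer DER structure is inspected, so no crypto library is needed.
"""
import base64
import re

# PEM labels (RFC 7468) and the DER structure each one is supposed to carry.
LABEL_TO_FORMAT = {
    "RSA PRIVATE KEY": "PKCS#1",                  # RSAPrivateKey (RFC 8017)
    "EC PRIVATE KEY": "SEC1",                     # ECPrivateKey (RFC 5915)
    "PRIVATE KEY": "PKCS#8",                      # PrivateKeyInfo (RFC 5208 / RFC 5958)
    "ENCRYPTED PRIVATE KEY": "PKCS#8-encrypted",  # EncryptedPrivateKeyInfo (RFC 5208)
}

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_der_private_key(der):
    """Classify a DER private key by the first two elements of its outer SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    first_tag, first_val, pos = _read_tlv(body, 0)
    if first_tag == 0x30:                   # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
        return "PKCS#8-encrypted"
    if first_tag != 0x02:                   # every unencrypted form starts with INTEGER version
        return "unknown"
    second_tag, _, _ = _read_tlv(body, pos)
    if second_tag == 0x30:                  # version, AlgorithmIdentifier, OCTET STRING privateKey
        return "PKCS#8"
    if second_tag == 0x02:                  # version, INTEGER modulus, INTEGER publicExponent, ...
        return "PKCS#1"
    if second_tag == 0x04 and first_val == b"\x01":   # version 1, OCTET STRING privateKey
        return "SEC1"
    return "unknown"


def inspect_pem(text):
    """Compare what the PEM label claims with what the DER content actually is."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, b64 = m.group(1), m.group(2)
    der = base64.b64decode("".join(b64.split()))
    declared = LABEL_TO_FORMAT.get(label, "unknown")
    actual = sniff_der_private_key(der)
    return {"label": label, "declared": declared, "actual": actual,
            "mismatch": declared != actual}


# --- constructed toy samples (NOT real keys) ------------------------------------
def _der(tag, content):
    """Minimal DER TLV encoder used only to build the samples below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + length + content


def _int(v):
    """DER INTEGER for a non-negative int, with a leading zero when the high bit is set."""
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


# RSAPrivateKey { version 0, n, e, d, p, q, dP, dQ, qInv } with textbook toy values.
TOY_PKCS1 = _der(0x30, b"".join(_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption 1.2.840.113549.1.1.1
ALG_ID = _der(0x30, RSA_OID + b"\x05\x00")                  # AlgorithmIdentifier with NULL params
TOY_PKCS8 = _der(0x30, _int(0) + ALG_ID + _der(0x04, TOY_PKCS1))
TOY_SEC1 = _der(0x30, _int(1) + _der(0x04, b"\x01" * 32))  # ECPrivateKey with a dummy scalar


def to_pem(label, der):
    """Wrap DER in a PEM block with the given label (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    print(inspect_pem(to_pem("RSA PRIVATE KEY", TOY_PKCS1)))   # consistent PKCS#1
    print(inspect_pem(to_pem("PRIVATE KEY", TOY_PKCS8)))       # consistent PKCS#8
    # The situation from this issue: PKCS#1 content relabelled as "PRIVATE KEY".
    print(inspect_pem(to_pem("PRIVATE KEY", TOY_PKCS1)))
```

The third call reproduces the reporter's relabelled file: the label says PKCS#8 but the bytes are a PKCS#1 RSAPrivateKey, so a label-driven importer that trusts "PRIVATE KEY" would try a PKCS#8 parse and fail, while the content sniff still identifies the key. The same sniff also separates SEC1 EC keys and encrypted PKCS#8 blobs, which is the information an auto-detecting importer, as proposed in the last comment, would need.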