gtaban opened this issue 7 years ago (status: Open)
@gtaban: What is the header on the RSA private key?
For the EC key, could you try changing the header to BEGIN EC PRIVATE KEY? It seems that notary 0.4.3 doesn't recognize the current header.
Hi @riyazdf
Header on RSA private key is: -----BEGIN RSA PRIVATE KEY-----
I made the change to EC key and it didn't work. Does it work for you?
$ more /Users/gtaban/.index/keys/delegated_keys/recently_released_private.pem
-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQghH5BjQzfUWthBU2f
EHA9wDZTM2uD0W8UHxsjaIcIkp2hRANCAASwRdqC046A0uPgaI9WA+E90fiNpW19
QOnGrnlkmqkcz819yrCca66E50Mv9A3q48XSvjwozSp17Iq6451tIhRy
-----END EC PRIVATE KEY-----
$ notary -s https://notary-server:4443 -d ~/.index/trust key import /Users/gtaban/.index/keys/delegated_keys/recently_released_private.pem --role targets/recently_released -D
DEBU[0000] Using the following trust directory: /Users/gtaban/.index/trust
INFO[0000] failed to import key to store: Invalid key generated, key may be encrypted and does not contain path header
OK, so it seems the problem is the default format of the keys, which was changed in OpenSSL 1.0. From the OpenSSL 1.0 change log:
Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]
So all keys (RSA, EC, etc) that are generated using the newer OpenSSL will fail with the current Notary.
I ran the following commands to convert both an RSA key and an EC key from PKCS#8 to PKCS#1, and import works for both of them:
openssl ec -in ec_key.pkcs8.pem -out ec_key.pkcs1.pem
openssl rsa -in rsa_key.pkcs8.pem -out rsa_key.pkcs1.pem
I guess Notary needs to figure out what format the key is in and process differently.
Also, given that High Sierra has gone from OpenSSL 0.9.8zh to LibreSSL 2.2.7, the new key format will likely be more common than the traditional. Transition will take a while though...!
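The dispatch gtaban describes (look at the PEM header, then parse accordingly) in working Go, as an added example that is not Notary's own code: it accepts the traditional PKCS#1/SEC1 encodings as well as PKCS#8 and re-encodes to the per-algorithm header, which is what the two openssl commands above do by hand. The input is a constructed P-256 key written as PKCS#8; the function name is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)
// NormalizeToTraditional re-encodes a PKCS#1 (RSA), SEC1 (EC) or PKCS#8 PEM private key with the per-algorithm header that Notary 0.4.3 expects.
func NormalizeToTraditional(pemBytes []byte) (out []byte, key interface{}, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, nil, fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY": // traditional RSA, what "openssl rsa" writes
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY": // traditional EC, what "openssl ec" writes
		key, err = x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY": // PKCS#8, the default since OpenSSL 1.0
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default: // e.g. "ENCRYPTED PRIVATE KEY": decrypt it first, then retry
		return nil, nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err != nil {
		return nil, nil, err
	}
	switch k := key.(type) {
	case *rsa.PrivateKey:
		out = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
	case *ecdsa.PrivateKey:
		der, err := x509.MarshalECPrivateKey(k)
		if err != nil {
			return nil, nil, err
		}
		out = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
	default: // PKCS#8 can also carry e.g. Ed25519, which has no traditional form
		return nil, nil, fmt.Errorf("no traditional encoding for %T", key)
	}
	return out, key, nil
}
func main() { // constructed sample: a fresh P-256 key written as PKCS#8, as OpenSSL 1.0+ does
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	out, _, err := NormalizeToTraditional(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	fmt.Printf("%s%v\n", out, err)
}
```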
@gtaban – ah, thanks for digging into this!
We've recently merged PKCS8 support into master, if you wanted to try that :) Note: the layout of keys on disk will change, so once you upgrade to a newer version, the client will perform migrations and older versions of Notary may not be forwards-compatible.
No worries, it was fun :-) I'll definitely give master branch a go -- once I solve my other issues!!
I have set up the notary client and server and am trying to import keys for my delegated roles. I am using OpenSSL (1.0.2g).
If I create RSA keys, import works OK.
If I create EC keys, import FAILS:
When we import without -D, it doesn't produce any errors although the key is not listed as being imported. With -D, import fails:
I am attaching the EC keys here if that is helpful. Archive.zip
Any help would be much appreciated.