rynomad / subtle

MIT License

Unable to open generated key with OpenSSL #2

Open mitar opened 8 years ago

mitar commented 8 years ago

I am using the following code to generate a key pair:

var fs = require('fs');
var SubtleCrypto = require('subtle');

// Generate a 4096-bit RSASSA-PKCS1-v1_5 key pair (extractable, for sign/verify).
SubtleCrypto.generateKey({
  name: 'RSASSA-PKCS1-v1_5',
  modulusLength: 4096,
  publicExponent: new Uint8Array([0x01, 0x00, 0x01]), // 65537
  hash: {name: 'SHA-256'}
}, true, ['sign', 'verify'])
.then(function (keyPair) {
  // Export both halves as DER and wait for both writes so errors are not lost.
  return Promise.all([
    SubtleCrypto.exportKey('spki', keyPair.publicKey)
    .then(function (publicKey) {
      fs.writeFileSync('public.der', Buffer.from(publicKey));
    }),
    SubtleCrypto.exportKey('pkcs8', keyPair.privateKey)
    .then(function (privateKey) {
      fs.writeFileSync('private.der', Buffer.from(privateKey));
    })
  ]);
})
.catch(function (err) {
  console.error('key generation/export failed:', err);
});

But I am unable to open them and display them with OpenSSL:

openssl x509 -inform der -in public.der -noout -text
unable to load certificate
43845:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:1341:
43845:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:845:
43845:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:765:Field=serialNumber, Type=X509_CINF
43845:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:765:Field=cert_info, Type=X509
openssl x509 -inform der -in private.der -noout -text
unable to load certificate
43936:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:1341:
43936:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:385:Type=X509_CINF
43936:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/asn1/tasn_dec.c:765:Field=cert_info, Type=X509

Am I doing something wrong or does Subtle crypto not use standard formats?

mitar commented 8 years ago

cc @wh0

rynomad commented 8 years ago

The pkcs8 format is not 1:1 compatible with OpenSSL DER format, AFAIK. There's some extra padding involved with pkcs8 specifically. You might be able to use Forge, which is used internally in subtle, to get things into the format you're looking for. A good starting point would be src/node/algorithms/shared/RSA.js in this repo, where you can see some of the forge usage for importing/exporting keys.

Sorry I can't be of more help. I built this repo as a very thin API wrapper over other libraries simply to shoehorn the same crypto API into node/browser, so if you're looking for more thorough implementations you may be better served by forge or pkijs.org.

rmhrisk commented 8 years ago

You can convert the key to a PKCS8 with a command similar to this:

openssl pkcs8 -topk8 -v2 aes-256-cbc -out key.pem -in inkey.pem

rynomad commented 8 years ago

+1 Thanks @rmhrisk

rmhrisk commented 8 years ago

Tangentially related, you may find this post interesting: https://unmitigatedrisk.com/?p=543

mitar commented 8 years ago

This does not work? So for the above script, if I run:

openssl pkcs8 -topk8 -v2 aes-256-cbc -out key.pem -in private.der

I get:

unable to load key
39597:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY

mitar commented 8 years ago

It seems the issue is that for Webcrypto a header is being added to the file. If I remove that PKCS header from the file (first 26 bytes) then I can open it nicely. This is also what importing the file in this library does: it removes the header and then reads it with the forge library.
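A quick way to tell whether an exported blob is plain DER before feeding it to OpenSSL is to check its outer ASN.1 structure. The following is an added example written for this thread (not code from the subtle library or from any participant); the byte samples at the bottom are constructed, and the 26-byte header in the second sample is a stand-in for the one described above.

```javascript
// Added example, not code from the thread or the subtle library: a minimal DER
// sanity check for exported 'spki' / 'pkcs8' blobs before handing them to OpenSSL.
//   PrivateKeyInfo (pkcs8)      ::= SEQUENCE { version INTEGER(0), ... }
//   SubjectPublicKeyInfo (spki) ::= SEQUENCE { algorithm SEQUENCE, ... }
// A header glued in front, as described above, fails the outer SEQUENCE check.
const TAG_SEQUENCE = 0x30;
const TAG_INTEGER = 0x02;
// Parse one DER tag + length at `offset`; returns { tag, length, headerLen }.
function readTlv(buf, offset) {
  if (offset + 2 > buf.length) throw new Error('truncated TLV header');
  const tag = buf[offset];
  let length = buf[offset + 1];
  let headerLen = 2;
  if (length & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = length & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported DER length encoding');
    if (offset + 2 + n > buf.length) throw new Error('truncated DER length');
    length = 0;
    for (let i = 0; i < n; i++) length = length * 256 + buf[offset + 2 + i];
    if (length < 0x80) throw new Error('non-minimal DER length'); // DER forbids it
    headerLen = 2 + n;
  }
  return { tag, length, headerLen };
}
// Returns { ok: true } or { ok: false, reason } for format 'pkcs8' or 'spki'.
function checkDerKey(buf, format) {
  const want = { pkcs8: TAG_INTEGER, spki: TAG_SEQUENCE }[format];
  if (want === undefined) return { ok: false, reason: 'unknown format ' + format };
  let outer, inner;
  try {
    outer = readTlv(buf, 0);
    if (outer.tag !== TAG_SEQUENCE)
      return { ok: false, reason: 'outer tag 0x' + outer.tag.toString(16) + ' is not SEQUENCE (extra leading bytes?)' };
    if (outer.headerLen + outer.length !== buf.length)
      return { ok: false, reason: 'outer length ' + outer.length + ' does not match buffer size' };
    inner = readTlv(buf, outer.headerLen);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (inner.tag !== want)
    return { ok: false, reason: 'first element tag 0x' + inner.tag.toString(16) + ', expected 0x' + want.toString(16) };
  // PKCS#8 PrivateKeyInfo carries version INTEGER 0, encoded as a single zero byte.
  if (format === 'pkcs8' && !(inner.length === 1 && buf[outer.headerLen + inner.headerLen] === 0))
    return { ok: false, reason: 'PKCS#8 version is not 0' };
  return { ok: true };
}
// Constructed samples: a minimal PrivateKeyInfo-shaped blob, and the same blob behind a 26-byte header.
const SAMPLE_PKCS8 = Buffer.from([0x30, 0x05, 0x02, 0x01, 0x00, 0x05, 0x00]);
const SAMPLE_WITH_HEADER = Buffer.concat([Buffer.alloc(26, 0xff), SAMPLE_PKCS8]);
```

Run it against `fs.readFileSync('private.der')` with format `'pkcs8'` (or `public.der` with `'spki'`); a failing outer-tag check is the symptom of a non-DER prefix such as the header removed above.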