square / certstrap

Tools to bootstrap CAs, certificate requests, and signed certificates.
Apache License 2.0

Question on decrypting EC private keys #217

Open gstos opened 10 months ago

gstos commented 10 months ago

It's more a question than an issue per se. I am struggling to decrypt EC private keys generated by certstrap with OpenSSL via the command line. I've managed to do it with RSA keys easily. I tried using openssl pkey and openssl ec with similar syntaxes and the result is the same. I am sure the password is valid because this key belongs to an intermediate CA and I am able to sign CSRs using certstrap and the password. I am probably missing something very obvious here.

$ openssl pkcs8 -in encrypted.key -topk8 -nocrypt -out plain.key
Enter Password:
Could not find private key of key from encrypted.key
00D316E001000000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
00D316E001000000:error:0680009F:asn1 encoding routines:asn1_item_embed_d2i:unexpected eoc:crypto/asn1/tasn_dec.c:401:Type=X509_ALGOR
00D316E001000000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:685:Field=prf, Type=PBKDF2PARAM
00D316E001000000:error:0680006E:asn1 encoding routines:ASN1_item_unpack:decode error:crypto/asn1/asn_pack.c:59:
00D316E001000000:error:03000072:digital envelope routines:PKCS5_v2_PBKDF2_keyivgen_ex:decode error:crypto/evp/p5_crpt2.c:206:
openssl ec -in encrypted.key -passin file:secret
Could not find private key of key from encrypted.key
00D316E001000000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:
00D316E001000000:error:0680009F:asn1 encoding routines:asn1_item_embed_d2i:unexpected eoc:crypto/asn1/tasn_dec.c:401:Type=X509_ALGOR
00D316E001000000:error:0688010A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:685:Field=prf, Type=PBKDF2PARAM
00D316E001000000:error:0680006E:asn1 encoding routines:ASN1_item_unpack:decode error:crypto/asn1/asn_pack.c:59:
00D316E001000000:error:03000072:digital envelope routines:PKCS5_v2_PBKDF2_keyivgen_ex:decode error:crypto/evp/p5_crpt2.c:206:
unable to load Key
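The OpenSSL errors above fail while decoding the nested PBES2 structure of the key (EncryptedPrivateKeyInfo, then PBES2-params, then PBKDF2-params and its prf field). The following Go program is an added diagnostic, not code from certstrap or OpenSSL: it walks those same layers, names the layer at which decoding fails, and reports the PBKDF2 salt length, iteration count, PRF and cipher OIDs, so a rejected key can be compared against RFC 8018. It assumes the key is a PEM "ENCRYPTED PRIVATE KEY" block using PBES2 (which the PBKDF2PARAM in the errors implies); the sample envelope it builds for demonstration is constructed and wraps no real ciphertext.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// PBES2 and PBKDF2 OIDs from PKCS #5 v2 (RFC 8018).
var (
	oidPBES2  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
	oidPBKDF2 = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12}
)
// algID is an AlgorithmIdentifier; parameters stay raw so each layer decodes its own.
type algID struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"`
}
type encryptedPrivateKeyInfo struct{ Algorithm algID; EncryptedData []byte } // PKCS #8 outer SEQUENCE
type pbes2Params struct{ KDF, Scheme algID }                                 // PBES2-params
type pbkdf2Params struct { // PBKDF2-params, OpenSSL's PBKDF2PARAM; "Field=prf" in the errors above
	Salt       []byte
	Iterations int
	KeyLength  int   `asn1:"optional"`
	PRF        algID `asn1:"optional"` // absent means hmacWithSHA1 (RFC 8018 default)
}
type Info struct{ SaltLen, Iterations int; PRF, Cipher string } // PRF is "" when prf is absent
// InspectPEM walks EncryptedPrivateKeyInfo -> PBES2-params -> PBKDF2-params, the same path
// the OpenSSL errors above trace, and names the layer at which decoding fails.
func InspectPEM(pemData []byte) (info Info, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "ENCRYPTED PRIVATE KEY" { return info, fmt.Errorf("no ENCRYPTED PRIVATE KEY block") }
	var epki, p2, kdf = encryptedPrivateKeyInfo{}, pbes2Params{}, pbkdf2Params{}
	if _, err = asn1.Unmarshal(block.Bytes, &epki); err != nil { return info, fmt.Errorf("EncryptedPrivateKeyInfo: %w", err) }
	if !epki.Algorithm.Algorithm.Equal(oidPBES2) { return info, fmt.Errorf("not PBES2: %v", epki.Algorithm.Algorithm) }
	if _, err = asn1.Unmarshal(epki.Algorithm.Parameters.FullBytes, &p2); err != nil { return info, fmt.Errorf("PBES2-params: %w", err) }
	if !p2.KDF.Algorithm.Equal(oidPBKDF2) { return info, fmt.Errorf("KDF is not PBKDF2: %v", p2.KDF.Algorithm) }
	if _, err = asn1.Unmarshal(p2.KDF.Parameters.FullBytes, &kdf); err != nil { return info, fmt.Errorf("PBKDF2-params (prf field?): %w", err) }
	return Info{len(kdf.Salt), kdf.Iterations, kdf.PRF.Algorithm.String(), p2.Scheme.Algorithm.String()}, nil
}
// SamplePEM wraps constructed (not real) ciphertext in a well-formed PBES2 / PBKDF2-HMAC-SHA256 /
// AES-256-CBC envelope so InspectPEM has input to run on; withPRF=false omits the prf field.
func SamplePEM(withPRF bool) []byte {
	raw := func(v interface{}) asn1.RawValue { b, _ := asn1.Marshal(v); return asn1.RawValue{FullBytes: b} }
	kdf := pbkdf2Params{Salt: []byte("constructed-salt"), Iterations: 600000}
	if withPRF { kdf.PRF = algID{asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 9}, asn1.NullRawValue} } // hmacWithSHA256
	p2 := pbes2Params{algID{oidPBKDF2, raw(kdf)}, algID{asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}, raw(make([]byte, 16))}} // aes256-CBC, 16-byte IV
	der, _ := asn1.Marshal(encryptedPrivateKeyInfo{algID{oidPBES2, raw(p2)}, make([]byte, 48)})
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: der})
}
```

Run InspectPEM on the real certstrap key file instead of SamplePEM to see which layer fails and which PRF the key declares.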
username-is-already-taken2 commented 6 months ago

I would be grateful if you could share any update on this. Did you manage to decrypt it?

gstos commented 5 months ago

Unfortunately not. I tried to follow the Go calls to understand how the EC keys were generated, but I was unable to identify the issue from there and gave up on using certstrap. If you have any insights on this topic, please share them here.