Topic: extracting values from an openssl generated public RSA key

I'm trying to follow the examples provided to load a public RSA key. I generated the key as:

openssl genrsa -out my_priv_key.pem 4096
openssl rsa -in my_priv_key.pem -out my_pub_key.pem -pubout

Then converted the PEM files to DER files like this:

openssl rsa -in  my_priv_key.pem  -inform PEM -out  my_priv_key.der -outform DER
openssl rsa -in  my_priv_key.pem -pubout -out my_pub_key.der -outform DER

Parsing the private key works fine and I can successfully extract the public key components from this key to encrypt and decrypt a message (using   rsaPub.SetModulus(n); rsaPub.SetPublicExponent(e)), but when I try to do:

TaoCrypt::RSA_PublicKey rsaPub(public_key_src);
TaoCrypt::PK_Lengths lengths(rsaPub.GetModulus());
printf("Pub key: FixedCiphertextLength= %u\n",lengths.FixedCiphertextLength());

I get the result:
Pub key: FixedCiphertextLength= 0

The failure seems to happen in RSA_Public_Decode::Decode() :

// Decode a BER encoded RSA Public Key
void RSA_Public_Decoder::Decode(RSA_PublicKey& key)
{
    ReadHeader();
    if (source_.GetError().What()) return;

    // public key
    key.SetModulus(GetInteger(Integer().Ref()));  <---- Fails
    key.SetPublicExponent(GetInteger(Integer().Ref()));
}

and more specifically here:

void Integer::Decode(Source& source)
{
    byte b = source.next();
    if (b != INTEGER) {
        source.SetError(INTEGER_E);  <-- exit path
        return;
    }
[..]

What is the proper way to store the public key so that it can be parsed correctly?

Regards,
Kristofer Pettersson

Share

Re: extracting values from an openssl generated public RSA key

Hi Kristofer,

yaSSL was designed to use public keys from certificates (see the example in taocrypt/test/test.cpp for reference).  If you run the "test" application in taocrypt/test with the example certificates, you will notice that FixedCiphertextLength is a non-zero value when using a certificate.

If you want to use OpenSSL format for public keys, then you can use CyaSSL with the --openssl-Extra build option.  Is there a reason why you chose to use yaSSL over CyaSSL?

Regards,
Chris

Re: extracting values from an openssl generated public RSA key

The main reason is that it is bundled with MySQL and I'm limited to what's contained within the next release of MySQL. Are you saying that the only way to import a public RSA key in DER or PEM format is to rewrite the decoder class?

Cheers,
Kristofer

Share

Re: extracting values from an openssl generated public RSA key

Are you saying that the only way to import a public RSA key in DER or PEM format is to rewrite the decoder class?

Yes, in it's current state, yaSSL only supports public keys through certificates (for SSL).  Would you mind if I asked what your goal is?  If this feature is necessary, we can work with you to add it to yaSSL.

Regards,
Chris

Re: extracting values from an openssl generated public RSA key

I need to transfer an encrypted password from the client to the server with the simplest possible handshake. It would be preferable if the solution could stay openssl compatible at the same time. I think fixing the decoder shouldn't be all that much work actually, but I would indeed appreciate some help.

Share

Re: extracting values from an openssl generated public RSA key

Are you trying to implement your own SSL type handshake, only simpler?  If so, the security you think you're getting is almost certianly not as strong as it appears.  In order to ensure proper authentication and encryption SSL is probably the way to go.  I'd recommend using SSL and then transferring the password over the secure channel.

Even if we patched TaoCrypt to support OpenSSL public keys directly (instead of through certificates) it still wouldn't meet your requirement of OpenSSL compatibility since TaoCrypt isn't API compatible with OpenSSL's crypto API.

I take it SSL is too costly?

Share

Re: extracting values from an openssl generated public RSA key

I agree that TLS using certificates are usually a more robust form of authentication. However, it is also very costly. I need a lighter way which only focus on protecting the authentication. I'm not trying to reinvent anything though; just make use of common RSA encryption with manually distributed key pairs.

The API doesn't need to be similar to openssl, and in fact I like C++ style Taocrypt better than the C-hackish openssl. The files and parameter values used need to stay compatible with openssl though (although it isn't strictly necessary).

Share

Re: extracting values from an openssl generated public RSA key

Ok.  We'll plan on adding OpenSSL public keys to the Rsa decoder for the next release which should be in the next month or so.

Share