PKCS8 generated using Go has errors when doing an openssl check


rajesh nataraja
Oct 3, 2019, 8:14:15 PM
to golang-nuts
Hi All, 

I have the following piece of code to generate a private key in PKCS8 form and save it in a file. It does generate a file, but when I try to check using the openssl command 

openssl rsa -in rsapk.key -check 
I get the following errors 

140092967139232:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1199:
140092967139232:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:767:
140092967139232:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:699:Field=n, Type=RSA
140092967139232:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:121:


Does anyone know what is wrong with my method?

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/asn1"
	"encoding/pem"
	"io/ioutil"
	"log"
)

// privateKeyInfo is a hand-built PKCS#8 PrivateKeyInfo. The algorithm is
// encoded here as a SEQUENCE OF OID (the standard library encodes it as a
// pkix.AlgorithmIdentifier with NULL parameters).
type privateKeyInfo struct {
	Version             int
	PrivateKeyAlgorithm []asn1.ObjectIdentifier
	PrivateKey          []byte
}

func NewPKCS8PrivateKey() error {
	var pkey privateKeyInfo
	// rsaEncryption OID 1.2.840.113549.1.1.1
	oidPublicKeyRSA := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}

	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}

	pkey.Version = 0
	pkey.PrivateKeyAlgorithm = []asn1.ObjectIdentifier{oidPublicKeyRSA}
	// The PKCS#1 encoding of the key becomes the PrivateKey OCTET STRING.
	pkey.PrivateKey = x509.MarshalPKCS1PrivateKey(key)

	bKey, err := asn1.Marshal(pkey)
	if err != nil {
		return err
	}

	block := pem.Block{Type: "RSA PRIVATE KEY", Bytes: bKey}

	return ioutil.WriteFile("./rsapk.key", pem.EncodeToMemory(&block), 0600)
}

func main() {
	if err := NewPKCS8PrivateKey(); err != nil {
		log.Fatal(err)
	}
}

helloPiers
Oct 4, 2019, 12:03:54 PM
to golang-nuts
For PKCS8 (rather than PKCS1), use PEM type "PRIVATE KEY" (rather than "RSA PRIVATE KEY").

You may be constructing the ASN1 by hand deliberately, but just in case you didn't see it, there's also a standard library function x509.MarshalPKCS8PrivateKey() https://godoc.org/crypto/x509#MarshalPKCS8PrivateKey 

This can take the output of rsa.GenerateKey() directly, for example like: https://play.golang.org/p/UzWACWh2TCo  (key size reduced so it runs in the playground without timing out).
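The following is an added example, not code from the thread or from the Go standard library. It puts together the two points raised so far: the hand-built PrivateKeyInfo from the first post, corrected to use a pkix.AlgorithmIdentifier with NULL parameters so that it is byte-identical to what x509.MarshalPKCS8PrivateKey produces, and the PEM label mismatch that makes openssl (and Go's own parsers) read a PKCS#8 body with the PKCS#1 parser. The function names NewRSAKey, MarshalPKCS8ByHand, HandRolledMatchesStdlib, EncodePEM and CheckPEMLabel are mine; the output file name rsapk.key is taken from the first post.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// oidPublicKeyRSA is rsaEncryption (1.2.840.113549.1.1.1), the OID the first post uses.
var oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}

// privateKeyInfo mirrors PKCS#8 PrivateKeyInfo (RFC 5208). The algorithm field is an
// AlgorithmIdentifier SEQUENCE {OID, parameters}, not a bare list of OIDs; for RSA the
// parameters are an explicit NULL, which is also what crypto/x509 emits.
type privateKeyInfo struct {
	Version    int
	Algorithm  pkix.AlgorithmIdentifier
	PrivateKey []byte
}

// NewRSAKey generates an RSA key of the requested size.
func NewRSAKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// MarshalPKCS8ByHand builds the PKCS#8 DER the way the first post tried to, with the
// corrected structure; the PKCS#1 encoding of the key is the inner OCTET STRING.
func MarshalPKCS8ByHand(key *rsa.PrivateKey) ([]byte, error) {
	return asn1.Marshal(privateKeyInfo{
		Version: 0,
		Algorithm: pkix.AlgorithmIdentifier{
			Algorithm:  oidPublicKeyRSA,
			Parameters: asn1.NullRawValue,
		},
		PrivateKey: x509.MarshalPKCS1PrivateKey(key),
	})
}

// HandRolledMatchesStdlib reports whether the hand-built encoding equals the output of
// x509.MarshalPKCS8PrivateKey for the same key.
func HandRolledMatchesStdlib(key *rsa.PrivateKey) (bool, error) {
	hand, err := MarshalPKCS8ByHand(key)
	if err != nil {
		return false, err
	}
	std, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return false, err
	}
	return bytes.Equal(hand, std), nil
}

// EncodePEM wraps DER bytes under a PEM label. The label tells openssl and Go's parsers
// which ASN.1 structure to expect: "PRIVATE KEY" for PKCS#8, "RSA PRIVATE KEY" for PKCS#1.
func EncodePEM(der []byte, label string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: der})
}

// CheckPEMLabel parses the DER with the parser the label promises and returns an error
// when the two disagree, which is the failure the openssl error output in the thread shows.
func CheckPEMLabel(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return errors.New("no PEM block found")
	}
	var err error
	switch block.Type {
	case "PRIVATE KEY":
		_, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		_, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	default:
		return fmt.Errorf("unexpected PEM label %q", block.Type)
	}
	if err != nil {
		return fmt.Errorf("PEM label %q does not match its contents: %w", block.Type, err)
	}
	return nil
}

func main() {
	key, err := NewRSAKey(2048)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Correctly labelled file; the mislabelled variant is what the first post wrote out.
	if err := os.WriteFile("rsapk.key", EncodePEM(der, "PRIVATE KEY"), 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("correct label:   ", CheckPEMLabel(EncodePEM(der, "PRIVATE KEY")))
	fmt.Println("mislabelled file:", CheckPEMLabel(EncodePEM(der, "RSA PRIVATE KEY")))
}
```

After running it, the command from the first post, openssl rsa -in rsapk.key -check, loads the file, because openssl selects the PKCS#8 decoder from the "PRIVATE KEY" label. CheckPEMLabel is the same check done in Go, which is useful as a unit test in code that writes keys for other tools to consume.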

rajesh nataraja
Oct 4, 2019, 12:39:52 PM
to golang-nuts
Hello Piers, 

I have tried your playground snippet and the snippet I gave here. Both don't work; what I meant is saving the marshalled key into a file and then using that to be processed by other applications (Java, Python, the openssl command).
This is with go 1.11.5, do you think there is some compatibility issue with go package here?

Thanks
Rajesh

rajesh nataraja
Oct 4, 2019, 4:01:06 PM
to golang-nuts
Sorry, I speed read your email, but you were right Piers. "PRIVATE KEY" as header makes the difference. 

Rajesh.

Alex Simpson
Feb 14, 2024, 5:45:10 PM
to golang-nuts
This answer helped me out when I was seeing openssl throw the following error:

unable to load client certificate private key file
281473314844384:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
281473314844384:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
281473314844384:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
281473314844384:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:
