Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Fwd: Problem loading der encoded RSA public key inlined with objcopy.
535 views
Skip to first unread message
Lee Hambley
Apr 11, 2013, 2:56:44 AM4/11/13
to
Typically, having explained myself in a mail, and publicly made an idiot of myself, here's how I verified that I was doing it right:
$ openssl enc -base64 -in ../certificates/tpubkey.der
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0JKYee6bWxE138t/3vOU
....snip....
2wIDAQAB
Taking the base64 code example from "man (3) BIO_f_base64" and embedding it into my program to dump the key:
BIO *bio, *b64;
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdout, BIO_NOCLOSE);
bio = BIO_push(b64, bio);
BIO_write(bio, public_key_buffer, public_key_len);
BIO_flush(bio);
BIO_free_all(bio);
The results were the same:
$ ./my-openssl-test
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0JKYee6bWxE138t/3vOU
....snip....
2wIDAQAB
I was able to find out too, that there is the command `openssl errstr` which takes the hex digits listed in my error string:
$ openssl errstr 0D0680A8
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
So it appears my certificate is being incorrectly interpreted as ASN1. Which is the last issue I needed to resolve before I could continue.
Given the error message, it turns out that this is related to the following (from "man (3) d2i_RSAPublicKey"):
d2i_RSAPublicKey() and i2d_RSAPublicKey()decode and encode a PKCS#1 RSAPublicKey structure.d2i_RSA_PUBKEY() and i2d_RSA_PUBKEY()decode and encode anRSA public key using a SubjectPublicKeyInfo (certificate public key) structure.
That appears, at least that I was incorrectly loading the key. I'm still not sure how I might have checked with the openssl CLI tool whether I should have used "d2i_RSA_PUBKEY" or "d2i_RSAPublicKey".
Interestingly, my program now prints:
$ ./my-openssl-testAADg9e+2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$ echo $?0
I assume that the bytes at the given location have been modified, or removed somehow. When I don't call ``, the base64 output matches the "openssl enc -base64" output.
- Lee Hambley
---------- Forwarded message ----------
From: Lee Hambley <lee.h...@gmail.com>
Date: 11 April 2013 08:32
Subject: Problem loading der encoded RSA public key inlined with objcopy.
To: openss...@openssl.org
I'm heading in the direction of trying to generate a symmetrical key based on some random attributes (although this code won't have many sources of entropy in situ) in order to encrypt something ready to be sent up to a web server.
From: Lee Hambley <lee.h...@gmail.com>
Date: 11 April 2013 08:32
Subject: Problem loading der encoded RSA public key inlined with objcopy.
To: openss...@openssl.org
Hi List,
I've been battling the following code for a couple of hours armed with my Network Security With OpenSSL book to little avail.
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <stdio.h>
extern unsigned char _binary____certificates_der_start;
extern unsigned char _binary____certificates_der_size;
int main(int argc, char argv[]) {
RSA *public_key = NULL;
int public_key_len = (int)&_binary____certificates_der_size;
const unsigned char *public_key_buffer = &_binary____certificates_der_start;
public_key = d2i_RSAPublicKey(NULL, &public_key_buffer, public_key_len);
if ( !public_key) {
fprintf(stdout, "%s\n", ERR_error_string(ERR_get_error(), NULL));
return 1;
}
printf("Exiting Cleanly\n");
return 0;
}
I'm fairly sure that what I'm doing to inline the object file, and load it using the extern'ed addresses.
However I'm seeing:
error:0D0680A8:lib(13):func(104):reason(168)
The "dir.o" is being built with: "objcopy --input binary --output elf32-littlearm --binary-architecture arm ../certificates/pubkey.der der.o", which I believe is correct, although naturally the ".o" file is quite large, the `&_binary____certificates_der_size` reports the correct size (294 in my case).
I've poked around Google and the list archives and couldn't come up with anything; but I also couldn't come up with results from many people who had been doing what I am doing (ie. reading from an inlined object blob).
- Lee Hambley
Dave Thompson
Apr 11, 2013, 2:31:00 PM4/11/13
to
>From: owner-ope...@openssl.org On Behalf Of Lee Hambley
>Sent: Thursday, 11 April, 2013 02:33
>I've been battling the following code for a couple of hours
>armed with my Network Security With OpenSSL book to little avail.
>#include <openssl/rsa.h>
>#include <openssl/x509.h>
>#include <stdio.h>
>extern unsigned char _binary____certificates_der_start;
>extern unsigned char _binary____certificates_der_size;
I see below this is apparently a very weird object-file trick.
>int main(int argc, char argv[]) {
> RSA *public_key = NULL;
> int public_key_len = (int)&_binary____certificates_der_size;
> const unsigned char *public_key_buffer =
&_binary____certificates_der_start;
> public_key = d2i_RSAPublicKey(NULL, &public_key_buffer, public_key_len);
> if ( !public_key) {
<snip>
A certificate and a publickey are very different things.
Your tool below seems to have chosen a very inapposite name
apparently by default; it would be nice if you can change that.
>The "dir.o" is being built with: "objcopy --input binary --output
>elf32-littlearm --binary-architecture arm ../certificates/pubkey.der
der.o",
>which I believe is correct, although naturally the ".o" file is quite
large,
>the `&_binary____certificates_der_size` reports the correct size (294 in my
case).
Using a presumably-absolute "address" for a size? Yuck! The classic
way to do this was a _start address and an _end address. Oh well.
How was ../certificates/pubkey.der created and what exactly is in it?
If it was created by openssl commandline genrsa or genpkey or similar
those write "PUBKEY" format (which is actually SubjectPublicKeyInfo
from X.509) not the algorithm-specific format RSAPublicKey (or others).
If that's what you have, use d2i_PUBKEY to get an EVP_PKEY, or
d2i_RSA_PUBKEY to get an RSA (and NULL if the key isn't RSA).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
>Sent: Thursday, 11 April, 2013 02:33
>I've been battling the following code for a couple of hours
>armed with my Network Security With OpenSSL book to little avail.
>#include <openssl/rsa.h>
>#include <openssl/x509.h>
>#include <stdio.h>
>extern unsigned char _binary____certificates_der_start;
>extern unsigned char _binary____certificates_der_size;
>int main(int argc, char argv[]) {
> RSA *public_key = NULL;
> int public_key_len = (int)&_binary____certificates_der_size;
> const unsigned char *public_key_buffer =
&_binary____certificates_der_start;
> public_key = d2i_RSAPublicKey(NULL, &public_key_buffer, public_key_len);
> if ( !public_key) {
A certificate and a publickey are very different things.
Your tool below seems to have chosen a very inapposite name
apparently by default; it would be nice if you can change that.
>The "dir.o" is being built with: "objcopy --input binary --output
>elf32-littlearm --binary-architecture arm ../certificates/pubkey.der
der.o",
>which I believe is correct, although naturally the ".o" file is quite
large,
>the `&_binary____certificates_der_size` reports the correct size (294 in my
case).
way to do this was a _start address and an _end address. Oh well.
How was ../certificates/pubkey.der created and what exactly is in it?
If it was created by openssl commandline genrsa or genpkey or similar
those write "PUBKEY" format (which is actually SubjectPublicKeyInfo
from X.509) not the algorithm-specific format RSAPublicKey (or others).
If that's what you have, use d2i_PUBKEY to get an EVP_PKEY, or
d2i_RSA_PUBKEY to get an RSA (and NULL if the key isn't RSA).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
0 new messages