hello!
i would like to use tinc with public keys which are extracted from x509
certificates. the only public key format i was able to extract from
certificates with openssl commands looked like this:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwXDZs8EBb/JyZ9daB3Zk9WHxD
ULpek5NANbuHikHe8drH+QdE6DZ8qo4IXroDlT53yR7y39hmB8c1a+vryqORe2dl
gK6WAlyIopjS7MY/4+gEgeXnkKjNWf9DavY/XySWwxDBEbX8DUzsBoJFeAsvu6tl
CeINpU3Fvv/7Vfcy5wIDAQAB
-----END PUBLIC KEY-----
i think this is the X.509 subjectPublicKeyInfo format.
the public keys that tinc generates look like that
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALBcNmzwQFv8nJn11oHdmT1YfENQul6Tk0A1u4eKQd7x2sf5B0ToNnyq
jgheugOVPnfJHvLf2GYHxzVr6+vKo5F7Z2WArpYCXIiimNLsxj/j6ASB5eeQqM1Z
/0Nq9j9fJJbDEMERtfwNTOwGgkV4Cy+7q2UJ4g2lTcW+//tV9zLnAgMBAAE=
-----END RSA PUBLIC KEY-----
which may be a PKCS #1 RSAPublicKey (?)
unfortunately tinc crashes with a segmentation fault when i try to use the
first format:
Trying to connect to mtx1 (172.16.1.1 port 655)
Connected to mtx1 (172.16.1.1 port 655)
Sending ID to mtx1 (172.16.1.1 port 655): 0 mtx58 17
Sending 11 bytes of metadata to mtx1 (172.16.1.1 port 6
Got ID from mtx1 (172.16.1.1 port 655): 0 mtx1 17
Sending METAKEY to mtx1 (172.16.1.1 port 655): 1 94 64
0 0 57C9352011BC165C8DFCCB0E9FCBC795C0B1E21014694F4E37B9BFF8BBAC210CE6D4F9293A
02985F4AF49F7181F8E793E39CAE8406D8FDC09610A301FC8337C426DC56BDF0B16D803A1F3337
A3C02538301DB424310AE84C034389768DDC164FDBD3E8A2A9DBFC6E30872AE4512EAD01D30352
08EDC185F684BE0979ED0FAACC
Sending 269 bytes of metadata to mtx1 (172.16.1.1 port 655)
Got METAKEY from mtx1 (172.16.1.1 port 655): 1 94 64 00940CFADF1B814D823495F0
1D8F4C5319953417CA04771401B07EC683E6802AD3C29B024AB14AB24E783EA9BD3DF125A71347
C258DB235BE0152D9040AF039403DDB1ED76A908C5C19893A180723AE8623B1716DA9B7DCB280D
443FB2B787A2C2647249D43C07ACE0A7F4FA0288DEE53EABFE9360A008E03416084F2AA4E38D21
Got fatal signal 11 (Segmentation fault)
Checkpoint trace: protocol_auth.c:215 <- protocol.c:135 <- meta.c:103 <-
net.c:266 <- net.c:119 <- event.c:93 <- meta.c:44 <- protocol.c:74 <-
protocol_auth.c:142 <- protocol_auth.c:131 <- conf.c:146 <- conf.c:106 <-
conf.c:146 <- conf.c:106 <- conf.c:183 <- conf.c:106...
does anyone know a way to convert the first key format to one tinc
understands? or is there a way tinc can handle the subjectPublicKeyInfo
format? looking at the source it seems like it's supposed to be able to read
both formats.
thanks for your help,
bruno
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
> i would like to use tinc with public keys which are extracted from x509
> certificates. the only public key format i was able to extract from
> certificates with openssl commands looked like this:
>
> -----BEGIN PUBLIC KEY-----
[...]
> i think this is the X.509 subjectPublicKeyInfo format.
> the public keys that tinc generates look like that
>
> -----BEGIN RSA PUBLIC KEY-----
[...]
> which may be a PKCS #1 RSAPublicKey (?)
> unfortunately tinc crashes with a segmentation fault when i try to use the
> first format:
[...]
> does anyone know a way to convert the first key format to one tinc
> understands? or is there a way tinc can handle the subjectPublicKeyInfo
> format? looking at the source it seems like it's supposed to be able to read
> both formats.
tinc tries both PEM_read_RSAPublicKey() and PEM_read_RSA_PUBKEY(), which
treat keys a bit differently, although I don't have a clue what the
difference is. But apparently it didn't work for your key. I suggest you
ask the OpenSSL developers.
Alternatively, you could try this version of tinc using gnutls and
libgcrypt:
http://sliepen.eu.org/~guus/tinc-1.0-gnutls.tar.gz
It uses TLS for the meta connections, and accepts PEM encoded X.509
certificates directly. Note that this version is not supported, not
tested, and currently only prints a warning if a certificate is not
signed by a trusted party. You'll have to hack in the source code if you
want it to work properly.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <gu...@sliepen.eu.org>
hello!
i think i found the reason for this bug and a solution :)
the problem is in net_setup.c function setup_myself(): first the private key is
read, and then if(!read_rsa_public_key(myself->connection)) tries to read the
public key from the config file. in read_rsa_public_key()
PEM_read_RSAPublicKey() will return NULL because it can't read the
subjectPublicKeyInfo format. this sets the RSA*, which contained the private
key to NULL. afterwards the public key is read with PEM_read_RSA_PUBKEY(),
but the private key is lost.
this could obviously be fixed in read_rsa_public_key(), but reading the public
key for "myself" is not necessary anyway, since it's included in the private
key - so i just commented out:
//br1: not necessary because private key already contains everything
// if(!read_rsa_public_key(myself->connection))
// return false;
in net_setup.c (line 256, 257) and everything works fine.
greetings,
bruno
--
4G Systeme GmbH
Am Sandtorkai 71
20457 Hamburg
fon: +49 (0)40 / 48 40 33 28
fax: +49 (0)40 / 48 40 33 30
mail: bruno....@4g-systems.biz
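For the record, the two keys posted at the top of this thread are the same RSA key in two encodings: the X.509 SubjectPublicKeyInfo form ("PUBLIC KEY", what PEM_read_RSA_PUBKEY() reads) is just the PKCS #1 RSAPublicKey structure ("RSA PUBLIC KEY", what PEM_read_RSAPublicKey() reads) wrapped in an rsaEncryption AlgorithmIdentifier and a BIT STRING. The Python script below is an added example, not code from tinc or from anyone in this thread. It walks the DER by hand to convert between the two PEM labels, accepts either label in one function (dispatching on the label rather than trying one parser after the other, which is the fallback path whose failure clobbers the key in bruno's analysis above), and checks the conversion against the two keys as posted, which are embedded as the sample input. All function and constant names are this example's own.

```python
import base64
import re

# Constructed inputs: the two keys posted in this thread, copied verbatim.
# They turn out to be the same 1024-bit RSA key in two encodings.
SPKI_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwXDZs8EBb/JyZ9daB3Zk9WHxD
ULpek5NANbuHikHe8drH+QdE6DZ8qo4IXroDlT53yR7y39hmB8c1a+vryqORe2dl
gK6WAlyIopjS7MY/4+gEgeXnkKjNWf9DavY/XySWwxDBEbX8DUzsBoJFeAsvu6tl
CeINpU3Fvv/7Vfcy5wIDAQAB
-----END PUBLIC KEY-----
"""

PKCS1_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALBcNmzwQFv8nJn11oHdmT1YfENQul6Tk0A1u4eKQd7x2sf5B0ToNnyq
jgheugOVPnfJHvLf2GYHxzVr6+vKo5F7Z2WArpYCXIiimNLsxj/j6ASB5eeQqM1Z
/0Nq9j9fJJbDEMERtfwNTOwGgkV4Cy+7q2UJ4g2lTcW+//tV9zLnAgMBAAE=
-----END RSA PUBLIC KEY-----
"""

SEQUENCE, INTEGER, BIT_STRING = 0x30, 0x02, 0x03


def der_encode(tag, value):
    """Wrap value in a DER TLV with a definite (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

# AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL parameters }
RSA_ALG_ID = der_encode(SEQUENCE, bytes.fromhex("06092a864886f70d010101") + bytes.fromhex("0500"))

def pem_decode(pem):
    """Return (label, DER bytes) for a single PEM block."""
    m = re.match(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", pem.strip(), re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    """PEM with 64-character base64 lines, as OpenSSL and tinc write it."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def spki_to_pkcs1(spki_der):
    """SubjectPublicKeyInfo -> the RSAPublicKey DER carried in its BIT STRING."""
    tag, body, _ = der_tlv(spki_der)
    if tag != SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = der_tlv(body)
    if der_encode(tag, alg) != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_tlv(body, pos)
    if tag != BIT_STRING or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    return bits[1:]  # drop the unused-bits octet

def pkcs1_to_spki(pkcs1_der):
    """RSAPublicKey -> SubjectPublicKeyInfo (the inverse wrapping)."""
    return der_encode(SEQUENCE, RSA_ALG_ID + der_encode(BIT_STRING, b"\x00" + pkcs1_der))

def load_rsa_public_key(pem):
    """Accept either PEM label and return PKCS #1 DER (the form tinc uses).
    Dispatching on the label means no parser is run on the wrong format."""
    label, der = pem_decode(pem)
    if label == "RSA PUBLIC KEY":
        return der
    if label == "PUBLIC KEY":
        return spki_to_pkcs1(der)
    raise ValueError("unsupported PEM label: %s" % label)

def to_tinc_pem(pem):
    """Rewrite any supported public-key PEM as the 'RSA PUBLIC KEY' form tinc emits."""
    return pem_encode("RSA PUBLIC KEY", load_rsa_public_key(pem))

def rsa_public_numbers(pkcs1_der):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    _, seq, _ = der_tlv(pkcs1_der)
    _, n_bytes, pos = der_tlv(seq)
    _, e_bytes, _ = der_tlv(seq, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

if __name__ == "__main__":
    print(to_tinc_pem(SPKI_PEM), end="")
    n, e = rsa_public_numbers(load_rsa_public_key(SPKI_PEM))
    print("modulus bits:", n.bit_length(), "exponent:", e)
```

Run as a script it prints the posted "RSA PUBLIC KEY" block, byte for byte, from the posted "PUBLIC KEY" block. On newer OpenSSL releases the same conversion is `openssl rsa -pubin -in pub.pem -RSAPublicKey_out`, and the certificate's key is obtained with `openssl x509 -in cert.pem -pubkey -noout`; whether that option exists on the OpenSSL this thread was written against I cannot say.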