Posted to dev@mynewt.apache.org by Andrey Serdtsev <an...@yotadevices.com> on 2017/07/25 16:29:12 UTC
newt fails to recognize RSA private key
Hi all,
apache-mynewt-core/boot/bootutil/signed_images.md suggests using
'openssl genrsa -out image_sign.pem 2048' for generating an RSA keypair.
When signing with this key, everything is fine:
$ newt create-image my-app 1.0.0.0 image_sign.pem
...
App image succesfully generated: .../my-app.img
Now I look at
'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL'
page and see another command for generating: 'openssl genpkey -algorithm
RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to
sign using such a key, everything is sad:
$ newt create-image my-app 1.0.0.0 image_sign.pem
...
Error: Unknown private key format, EC/RSA private key in PEM format only.
As far as I can judge, the methods for generating RSA pairs are identical and
the problem is somewhere in the Go lib 'encoding/pem'. Not sure if this is
really a bug, but clarification from a Go guru is required.
Many thanks.
BR,
Andrey
Re: newt fails to recognize RSA private key
Posted by Fabio Utzig <ut...@apache.org>.
On Tue, Jul 25, 2017, at 02:11 PM, Fabio Utzig wrote:
> On Tue, Jul 25, 2017, at 01:29 PM, Andrey Serdtsev wrote:
> > Hi all,
> >
> > apache-mynewt-core/boot/bootutil/signed_images.md suggests using
> > 'openssl genrsa -out image_sign.pem 2048' for generating an RSA keypair.
> > When signing with this key, everything is fine:
> > $ newt create-image my-app 1.0.0.0 image_sign.pem
> > ...
> > App image succesfully generated: .../my-app.img
> >
> > Now I look at
> > 'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL'
> > page and see another command for generating: 'openssl genpkey -algorithm
> > RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to
> > sign using such a key, everything is sad:
> > $ newt create-image my-app 1.0.0.0 image_sign.pem
> > ...
> > Error: Unknown private key format, EC/RSA private key in PEM format only.
> >
> > As far as I can judge, the methods for generating RSA pairs are identical and
> > the problem is somewhere in the Go lib 'encoding/pem'. Not sure if this is
> > really a bug, but clarification from a Go guru is required.
>
> They are not identical: the first command generates a key in PKCS#1
> format and the second in PKCS#8, which are slightly different formats. I
> never looked at the Go code for reading the PEMs but maybe it doesn't
> support PKCS#8.
Out of curiosity, the code to parse is here:
https://github.com/apache/mynewt-newt/blob/master/newt/image/image.go#L285
And the Go stdlib also supports PKCS#8:
https://golang.org/pkg/crypto/x509/#ParsePKCS8PrivateKey
Shouldn't be that hard to make a patch! (hopefully there are not a lot
of other places to change...)
Fabio Utzig
Re: newt fails to recognize RSA private key
Posted by Fabio Utzig <ut...@apache.org>.
On Tue, Jul 25, 2017, at 01:29 PM, Andrey Serdtsev wrote:
> Hi all,
>
> apache-mynewt-core/boot/bootutil/signed_images.md suggests using
> 'openssl genrsa -out image_sign.pem 2048' for generating an RSA keypair.
> When signing with this key, everything is fine:
> $ newt create-image my-app 1.0.0.0 image_sign.pem
> ...
> App image succesfully generated: .../my-app.img
>
> Now I look at
> 'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL'
> page and see another command for generating: 'openssl genpkey -algorithm
> RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to
> sign using such a key, everything is sad:
> $ newt create-image my-app 1.0.0.0 image_sign.pem
> ...
> Error: Unknown private key format, EC/RSA private key in PEM format only.
>
> As far as I can judge, the methods for generating RSA pairs are identical and
> the problem is somewhere in the Go lib 'encoding/pem'. Not sure if this is
> really a bug, but clarification from a Go guru is required.
They are not identical: the first command generates a key in PKCS#1
format and the second in PKCS#8, which are slightly different formats. I
never looked at the Go code for reading the PEMs but maybe it doesn't
support PKCS#8.
Cheers,
Fabio Utzig
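The two replies above explain the root cause (PKCS#1 from `openssl genrsa` versus PKCS#8 from `openssl genpkey`) and point at the Go stdlib function that parses the second. The following Go program is an added illustration of that point, not code from newt or from anyone in the thread. It dispatches on the PEM block type, the only visible difference between the two files, calls the matching `crypto/x509` parser, and rejects anything else with the same wording newt prints. The function names (`LoadPrivateKey`, `EncodePKCS1`, `EncodePKCS8`, `RoundTrip`, `NewTestKey`) and the container labels it returns are this example's own choices, and the key is generated in-process rather than read from a file.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// LoadPrivateKey decodes one PEM block and dispatches on its type label,
// which is where the two OpenSSL commands differ (labels are illustrative):
//   "RSA PRIVATE KEY" -> PKCS#1 DER  (openssl genrsa)
//   "PRIVATE KEY"     -> PKCS#8 DER  (openssl genpkey)
//   "EC PRIVATE KEY"  -> SEC 1 DER   (openssl ecparam -genkey)
// It returns the key, a label for the container it was found in, and an
// error for anything else, using newt's "EC/RSA only" wording.
func LoadPrivateKey(pemBytes []byte) (crypto.PrivateKey, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, "", fmt.Errorf("PKCS#1: %w", err)
		}
		return key, "PKCS#1", nil
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, "", fmt.Errorf("PKCS#8: %w", err)
		}
		// PKCS#8 carries an algorithm identifier, so the key may be any type;
		// accept only the ones an image signer can use.
		switch key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey:
			return key, "PKCS#8", nil
		default:
			return nil, "", fmt.Errorf("unsupported PKCS#8 key type %T", key)
		}
	case "EC PRIVATE KEY":
		key, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return nil, "", fmt.Errorf("SEC 1: %w", err)
		}
		return key, "SEC1", nil
	default:
		return nil, "", fmt.Errorf("unknown private key format %q, EC/RSA private key in PEM format only", block.Type)
	}
}

// EncodePKCS1 writes an RSA key the way `openssl genrsa` does.
func EncodePKCS1(key *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// EncodePKCS8 writes the same key the way `openssl genpkey` does.
func EncodePKCS8(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// NewTestKey generates a throwaway 2048-bit RSA key (constructed test input).
func NewTestKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// RoundTrip encodes key in both containers, loads each back and checks that
// the same RSA modulus comes out; it returns the container labels detected.
func RoundTrip(key *rsa.PrivateKey) ([]string, error) {
	pkcs8, err := EncodePKCS8(key)
	if err != nil {
		return nil, err
	}
	var labels []string
	for _, encoded := range [][]byte{EncodePKCS1(key), pkcs8} {
		loaded, label, err := LoadPrivateKey(encoded)
		if err != nil {
			return nil, err
		}
		got, ok := loaded.(*rsa.PrivateKey)
		if !ok || got.N.Cmp(key.N) != 0 {
			return nil, fmt.Errorf("%s: loaded key does not match original", label)
		}
		labels = append(labels, label)
	}
	return labels, nil
}

func main() {
	key, err := NewTestKey()
	if err != nil {
		panic(err)
	}
	labels, err := RoundTrip(key)
	fmt.Println(labels, err) // [PKCS#1 PKCS#8] <nil>

	// A PEM block of another type is rejected with newt's wording.
	_, _, err = LoadPrivateKey([]byte("-----BEGIN CERTIFICATE-----\nAA==\n-----END CERTIFICATE-----\n"))
	fmt.Println(err)
}
```

The lesson for a signing tool is that the PEM header, not the key algorithm, tells the parser which DER structure follows; a loader that only tries `ParsePKCS1PrivateKey` on an "RSA PRIVATE KEY" block will reject the `genpkey` output even though the key material is equivalent.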