newt fails to recognize RSA private key

[Andrey Serdtsev <an...@yotadevices.com>]

Hi all,

apache-mynewt-core/boot/bootutil/signed_images.md suggest to use 
'openssl genrsa -out image_sign.pem 2048' for generating RSA keypair. 
When signing with this key, everything is fine:
$ newt create-image my-app 1.0.0.0 image_sign.pem
...
App image succesfully generated: .../my-app.img

Now I look at 
'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL' 
page and see another command for generating: 'openssl genpkey -algorithm 
RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to 
sign using such a key, everything is sad:
$ newt create-image my-app 1.0.0.0 image_sign.pem
...
Error: Unknown private key format, EC/RSA private key in PEM format only.

As I can judge, methods for generating RSA pairs are identical and 
problem is somewhere in Go lib 'encoding/pem'. Not sure if this is 
really a bug, but clarification from Go guru is required.

Many thanks.

BR,
Andrey

Re: newt fails to recognize RSA private key

[Fabio Utzig <ut...@apache.org>]

On Tue, Jul 25, 2017, at 02:11 PM, Fabio Utzig wrote:
> On Tue, Jul 25, 2017, at 01:29 PM, Andrey Serdtsev wrote:
> > Hi all,
> > 
> > apache-mynewt-core/boot/bootutil/signed_images.md suggest to use 
> > 'openssl genrsa -out image_sign.pem 2048' for generating RSA keypair. 
> > When signing with this key, everything is fine:
> > $ newt create-image my-app 1.0.0.0 image_sign.pem
> > ...
> > App image succesfully generated: .../my-app.img
> > 
> > Now I look at 
> > 'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL' 
> > page and see another command for generating: 'openssl genpkey -algorithm 
> > RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to 
> > sign using such a key, everything is sad:
> > $ newt create-image my-app 1.0.0.0 image_sign.pem
> > ...
> > Error: Unknown private key format, EC/RSA private key in PEM format only.
> > 
> > As I can judge, methods for generating RSA pairs are identical and 
> > problem is somewhere in Go lib 'encoding/pem'. Not sure if this is 
> > really a bug, but clarification from Go guru is required.
> 
> They are not identical, the first command generates a key in PKCS#1
> format and the second in PKCS#8, which are slightly different formats. I
> never looked at the Go code for reading the PEMs but maybe it doesn't
> support PKCS#8.

Out of curiosity, the code to parse is here:

https://github.com/apache/mynewt-newt/blob/master/newt/image/image.go#L285

And the Go stdlib also supports PKCS#8:

https://golang.org/pkg/crypto/x509/#ParsePKCS8PrivateKey

Shouldn't be that hard to make a patch! (hopefully there are not a lot
of other places to change...)

Fabio Utzig

Re: newt fails to recognize RSA private key

[Fabio Utzig <ut...@apache.org>]

On Tue, Jul 25, 2017, at 01:29 PM, Andrey Serdtsev wrote:
> Hi all,
> 
> apache-mynewt-core/boot/bootutil/signed_images.md suggest to use 
> 'openssl genrsa -out image_sign.pem 2048' for generating RSA keypair. 
> When signing with this key, everything is fine:
> $ newt create-image my-app 1.0.0.0 image_sign.pem
> ...
> App image succesfully generated: .../my-app.img
> 
> Now I look at 
> 'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL' 
> page and see another command for generating: 'openssl genpkey -algorithm 
> RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to 
> sign using such a key, everything is sad:
> $ newt create-image my-app 1.0.0.0 image_sign.pem
> ...
> Error: Unknown private key format, EC/RSA private key in PEM format only.
> 
> As I can judge, methods for generating RSA pairs are identical and 
> problem is somewhere in Go lib 'encoding/pem'. Not sure if this is 
> really a bug, but clarification from Go guru is required.

They are not identical, the first command generates a key in PKCS#1
format and the second in PKCS#8, which are slightly different formats. I
never looked at the Go code for reading the PEMs but maybe it doesn't
support PKCS#8.

Cheers,
Fabio Utzig