Ssh – How to convert a ssh-keygen public key into a format that openssl PEM_read_bio_RSA_PUBKEY() function will consume

openssh, openssl

I'm having an issue generating a public key that the openssl PEM_read_bio_RSA_PUBKEY() function can consume. I keep getting errors.

Obviously I cannot simply use the ASCII string in the ssh-keygen <>.pub key file, as it is in SSH file format or perhaps SubjectPublicKeyInfo structure.

Here's the key gen code: ssh-keygen -t rsa -b 1024 -C "Test Key"

I found a converter in PHP on the web which will convert the contents of the public key into a base64 PEM ASCII string format. However, the function still doesn't like it.

The OpenSSL documentation states:

  1. “RSA_PUBKEY() function which process a public key using an EVP_PKEY structure”
  2. “RSA_PUBKEY functions also process an RSA public key using an RSA structure”

How do I get my OpenSSH public key into either format so that the OpenSSL function will consume it?

Best Answer

OK!

So I walked into this thinking "Easy, I got this." Turns out there's a whole lot more to it than even I thought.

So the first issue is that (according to the man pages for OpenSSL (man 3 pem)), OpenSSL is expecting the RSA key to be in PKCS#1 format. Clearly this isn't what ssh-keygen is working with. You have two options (from searching around).

If you have OpenSSH v. 5.6 or later (I did not on my laptop), you can run this:

ssh-keygen -f key.pub -e -m pem

The longer method of doing this is to break apart your SSH key into its various components (the blog entry I found some of this in accuses OpenSSH of being "proprietary", I prefer to call it "unique") and then use an ASN1 library to swap things around.

Fortunately for you, someone wrote the code to do this:

https://gist.github.com/1024558
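
The "longer method" described in the answer, splitting the SSH key into its components and re-encoding them as ASN.1, is shown below using only the Python standard library. This is an added example, not code from the answer or the linked gist; the function names and the toy key (e=17, n=3233) are constructed for illustration. It emits either SubjectPublicKeyInfo ("BEGIN PUBLIC KEY", the form PEM_read_bio_RSA_PUBKEY() reads) or PKCS#1 ("BEGIN RSA PUBLIC KEY", the form PEM_read_bio_RSAPublicKey() reads).

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption (1.2.840.113549.1.1.1) with NULL params
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
# Constructed toy key (e=17, n=3233) for illustration only, not a real key
SAMPLE = "ssh-rsa AAAAB3NzaC1yc2EAAAABEQAAAAIMoQ== constructed-toy-key"

def der_tlv(tag, content):
    """Encode one DER tag-length-value with a definite length."""
    n = len(content)
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = body if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_uint(raw):
    """Re-encode an unsigned big-endian value as a minimal DER INTEGER."""
    v = int.from_bytes(raw, "big")
    return der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_ssh_fields(blob):
    """Split an SSH wire blob into its uint32 length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        size = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + size > len(blob):  # also catches a truncated length prefix
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + size])
        off += size
    return fields

def ssh_rsa_to_pem(pub_line, spki=True):
    """Convert an 'ssh-rsa AAAA... comment' line to PEM (SPKI or PKCS#1)."""
    parts = pub_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    fields = read_ssh_fields(base64.b64decode(parts[1], validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("unexpected ssh-rsa blob layout")
    e, n = fields[1], fields[2]  # SSH order is e then n; PKCS#1 is n then e
    der, label = der_tlv(0x30, der_uint(n) + der_uint(e)), "RSA PUBLIC KEY"
    if spki:  # wrap PKCS#1 in SubjectPublicKeyInfo (BIT STRING, 0 unused bits)
        der = der_tlv(0x30, RSA_ALG_ID + der_tlv(0x03, b"\x00" + der))
        label = "PUBLIC KEY"
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(ssh_rsa_to_pem(SAMPLE), end="")
```

Where the installed OpenSSH supports it, `ssh-keygen -f key.pub -e -m PKCS8` produces the SubjectPublicKeyInfo form directly.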
