
I am writing a .NET client app that consumes a Java web service and need to sign sent requests (related to this other question).

I have been supplied with a private.key file (and a .X509 certificate) and a Java source example. The certificate looks like the public key of the service, and the private.key is what I use to sign requests.

In the Java source, I can see they convert the file to a byte array and pass it into the constructor of the PKCS8EncodedKeySpec class.

A bit of googling suggests this file is a private key hash (though I may be wrong).

Is there any way to use this in .Net or convert it to something .Net can use?

This link mentions converting a public/private key, but I don't have both, and I don't know if it would work. Does anyone have more information to work on, such as what this file is exactly?

If I read this in as a byte array and convert it to a string, I get a load of HEX (e.g. AA-BB-06 etc) but I can't convert this to anything useful no matter the encoding I use.

This documentation suggests it is in PKCS #8 standard.

I tried (suggested by @gtrig) the command:

openssl rsa -in pkcs8privatekey.der -inform der -out privatekey.pem

but this gives me the following:

unable to load Private Key
32096:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
32096:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830:
32096:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=n, Type=RSA
32096:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99:

I also get similar errors with NET and PEM -inform args.

and:

openssl asn1parse -in private.key

gives me the error:

"Error: offset too large"

I've just found that if I convert it to a base 64 string

  Dim ba As Byte() = IO.File.ReadAllBytes("C:\private.key")
  Dim toString1 As String = System.Convert.ToBase64String(ba)

which gives me a string that starts with MIICdgIBADANB and is 924 characters long.

Trying the following command gives me:

openssl rsa -in private.key -text -noout

unable to load Private Key
17978:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY

Any further suggestions?

Mr Shoubs

3 Answers


It's probably not a "hash" of the private key. It's most likely the private key in PKCS#8 format.

You can use the openssl command line tool to create a PKCS#12 keystore that should then be able to be used to construct an X509Certificate2 object.

First you will likely have to convert your private key from DER to PEM format, which can also be done in openssl:

openssl rsa -in pkcs8privatekey.der -inform der -out privatekey.pem

Then create the PKCS#12 keystore with:

openssl pkcs12 -export -name myalias -in mycert.crt -inkey privatekey.pem -out keystore.p12

Finally, you should be able to import this into an X509Certificate2 object:

// Load the PKCS#12 keystore (certificate plus private key) created above; the verbatim string keeps the backslashes literal
X509Certificate2 cert = new X509Certificate2(@"C:\Path\keystore.p12", "password");
gtrig
  • Do I have to used the binary's from http://www.openssl.org/related/binaries.html to do this? – Mr Shoubs Oct 24 '13 at 10:31
  • I copied it to one of our linux boxes and ran the command you suggested, but I get the following error: openssl rsa -in private.key -inform der -out privatekey.pem unable to load Private Key 26201:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306: 26201:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830: 26201:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:749:Field=n, Type=RSA 26201:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99: – Mr Shoubs Oct 24 '13 at 10:37
  • I tried the other -inform args (NET and PEM) but this didn't work either. – Mr Shoubs Oct 24 '13 at 10:58
  • Is your private key a binary file or text? – gtrig Oct 24 '13 at 19:05
  • it appears to be Binary – Mr Shoubs Oct 25 '13 at 12:14
  • Does this command give you anything: `openssl asn1parse -in private.key`? Do not paste the results here (because they will give away your private key information), but let me know if it parses OK, and if you see something like "xxxxx SEQUENCE xxxxxx INTEGER xxxxxx INTEGER xxxxx" etc. – gtrig Oct 25 '13 at 17:38
  • It says "Error: offset too large". – Mr Shoubs Oct 28 '13 at 09:21
  • Here is another ASN1 decoder. If you would like, download this utility and see if it can open your file. http://geminisecurity.com/features-downloads/tools/guidumpasn/ – gtrig Oct 28 '13 at 16:30
  • This opens the file, there is a load of HEX etc: 0 630: SEQUENCE { 4 1: INTEGER 0 7 13: SEQUENCE { 9 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 111111 1 1 1) 20 0: NULL : } 22 608: OCTET STRING, encapsulates { 26 604: SEQUENCE { 30 1: INTEGER 0 33 129: INTEGER – Mr Shoubs Oct 28 '13 at 17:53
  • Does it look like this: http://pastebin.com/C1TvaUQ5, except for different hex data? – gtrig Oct 29 '13 at 05:15
  • If it looks like it does in http://pastebin.com/C1TvaUQ5, it IS in PKCS8 format. And if you're getting the error above when trying to convert from DER to PEM, your file may already be in PEM format. Try this command: `openssl rsa -in private.key -text -noout`. – gtrig Oct 29 '13 at 05:58
  • If the above openssl command successfully displays the contents of the private key, then you can just go straight to the 2nd openssl command in my answer. Skip the PEM conversion and just do the `openssl pkcs12 ...` command. – gtrig Oct 29 '13 at 06:05
  • It does look like that, but when I carry out that command, I get unable to load Private Key: 17978:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY. I've been updating my question along with these comments; please note I also found out something else by converting it to a base64 string. I don't know what that means though. – Mr Shoubs Oct 29 '13 at 09:21
  • If you converted it to a base 64 string, it is then in PEM format. You just need to add the following header: `-----BEGIN PRIVATE KEY-----` and then at the bottom of the base 64 data add this footer: `-----END PRIVATE KEY-----`. Then try the openssl pkcs12 command. – gtrig Oct 29 '13 at 16:31
  • It just says "Unable to load private key". I tried this with and without the -in option, as I think the x509 certificate is the server's public key and not my public key. – Mr Shoubs Oct 29 '13 at 17:01
  • I pasted the contents of my private key PEM file here: http://pastebin.com/wvWTqzje. This corresponds to the same key I pasted above for the ASN1 encoding. If you can get your key to look like this PEM format, it should work in the openssl pkcs12 command above. – gtrig Oct 30 '13 at 02:07
  • I made it look the same by adding in the new lines in vi. It looks the same - same number of characters and has the header and footer. But it still says "unable to load private key". Any other suggestions? – Mr Shoubs Oct 30 '13 at 11:52
  • I have one other thought. I was able to duplicate your error on an older version of openssl. What version of openssl are you using? However, I was still able to work around the issue using the older version of openssl. Try this command: `openssl pkcs8 -inform der -nocrypt -in private.key -out privatekey.pem`. If that works, then try the openssl pkcs12 command in the answer. – gtrig Oct 31 '13 at 04:22
  • getting closer :) - that command works (on the original file they supplied), but I don't have an in certificate, if I don't supply one, it looks like it is processing but isn't doing anything, if I add the x509 cert they gave me, it says "No certificate matches private key". How can I change the openssl pkcs12 command to achieve what I want? – Mr Shoubs Oct 31 '13 at 09:52

You can use the key tool UI. You need to know the type of the certificate they gave you, typically either a JKS key or PEM.

Yaron Naveh
  • Unfortunately, the tool wouldn't let me import the certificate. I wasn't provided with a chain or keystore file either. Also, I don't know the type; all I know is that they use PKCS8EncodedKeySpec in the Java source they provided. – Mr Shoubs Oct 28 '13 at 09:49
  • Maybe try making sense of this certificate via the equivalent C# class, see second answer here http://stackoverflow.com/questions/2274836/sign-data-with-md5withrsa-from-pem-pkcs8-keyfile-in-c-sharp – Yaron Naveh Oct 28 '13 at 16:57

The following commands turn this into a format usable in Windows:

Convert the private key from pkcs8/DER to a PEM file format

openssl pkcs8 -nocrypt -in dealerPrivate.key -inform der -outform pem -out private.pem

Convert the certificate from x509/DER to a PEM file format

openssl x509 -inform der -in dealerCertificate.x509 -out public.pem

Merge the two files into a pkcs12 file – you will be prompted for a password to protect the p12 with

openssl pkcs12 -export -inkey private.pem -in public.pem -out mycert.p12

The pkcs12 file can be used directly in Windows.

Mr Shoubs
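As an added example (not code from the question or any of the answers), a small Python sniffer that tells the three containers seen in this thread apart from their first bytes, explains why `openssl rsa -inform der` rejected the PKCS#8 file, and applies the PEM armour gtrig describes in the comments; the sample key bytes are constructed inside the block and are not a real key.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID rsaEncryption 1.2.840.113549.1.1.1

def tlv(tag, body):  # encode one DER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):  # DER INTEGER; a positive value whose top bit is set needs a leading 0x00
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)

def der_tlv(data, pos=0):  # decode the TLV header at pos -> (tag, value_start, value_end)
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def identify_private_key(blob):
    """Classify bytes as 'PEM <label>', 'PKCS#8 DER', 'PKCS#1 DER' or 'unknown'.
    `openssl rsa -inform der` only reads PKCS#1 RSAPrivateKey: on a PKCS#8 file it meets the
    AlgorithmIdentifier SEQUENCE where it expects INTEGER n ("wrong tag ... Field=n, Type=RSA").
    PKCS#8 DER needs `openssl pkcs8 -inform der -nocrypt`; PEM can go straight to `openssl pkcs12`."""
    text = blob.strip()
    if text.startswith(b"-----BEGIN "):
        return "PEM " + text.split(b"-----")[1].decode()[6:]
    if not blob or blob[0] != 0x30:  # both DER layouts start with a SEQUENCE
        return "unknown"
    _, start, _ = der_tlv(blob)
    tag, _, end = der_tlv(blob, start)  # INTEGER version 0 comes first in both layouts
    if tag != 0x02:
        return "unknown"
    tag, s, e = der_tlv(blob, end)
    if tag == 0x30 and blob[s:e].startswith(RSA_OID):  # AlgorithmIdentifier: PKCS#8 PrivateKeyInfo
        return "PKCS#8 DER"
    return "PKCS#1 DER" if tag == 0x02 else "unknown"  # INTEGER modulus n: PKCS#1 RSAPrivateKey

def der_to_pem(blob, label="PRIVATE KEY"):  # the armour the question's bare base64 string lacked
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample, not a real key: PKCS#8 wrapper around a fake RSAPrivateKey (version, n, e, d only).
FAKE_PKCS1 = tlv(0x30, der_int(0) + der_int((1 << 1023) + 12345) + der_int(65537) + der_int(4242))
FAKE_PKCS8 = tlv(0x30, der_int(0) + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, FAKE_PKCS1))
```

Run `identify_private_key(open("private.key", "rb").read())` on a supplied file to learn which openssl step applies before trying the pkcs12 export.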