
I am trying to use the Tcl package pki::sign. The goal is to sign a SOAP message with an X509 certificate, using tclws.

Parsing the public key is OK:

pki::x509::parse_cert $publickey

However, parsing the private key does not work:

pki::pkcs::parse_key $privatekey

It results in the following error:

"Expected Sequence (0x30), but got 42"

The certificate was provided to me as a .p12 file. I could get the public and private keys with openssl with the following commands:

Public key:

openssl pkcs12 -in cert.p12 -clcerts -nokeys -out cert.pem

Private key:

openssl pkcs12 -in cert.p12 -nocerts -nodes -out key.pem
  • I suspect that's coming out of the asn1 parser (`asn::asnGetSequence` specifically) and that it indicates that there was a `B` (`\u0042`) which was unexpected. I don't know what that means. – Donal Fellows Mar 02 '15 at 14:21
  • Thank you, you are right. It seems that asn::asnGetSequence expects "0" as the starting char and nothing else. The private key I have starts with "MII..". I saw [here](https://github.com/tcltk/tcllib/tree/master/modules/pki) that only DES private keys start with a zero. I don't understand... – b2vincent Mar 02 '15 at 18:18
  • There are various ways to encode a private key, for example PKCS#1/RFC 3447 (see https://tools.ietf.org/html/rfc3447#page-44) and a few others, so your key might be in an encoding not recognized by the module. – schlenk Mar 02 '15 at 20:25
  • The 0x30 is the ASN.1 encoding for a SEQUENCE; 0x42 is a different tag, probably an APPLICATION tag (0x40) of an INTEGER (0x02). This has a little overview of the formats for keys you might see: https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem – schlenk Mar 02 '15 at 20:31
  • At this point, I understand that the certificate format is not supported by pki::pkcs::parse_key. I am now trying to find a solution through openssl. – b2vincent Mar 03 '15 at 16:55
  • Very probable, yes. If you could give a hint what kind of private key you have (e.g. DSA/RSA/ECDSA/etc.), one might get a clue. – schlenk Mar 03 '15 at 18:53
  • Using the "x509" function of openssl, it indicates that the Signature Algorithm is sha256WithRSAEncryption, and that the Public Key Algorithm is rsaEncryption. – b2vincent Mar 04 '15 at 11:35
  • I did not succeed in signing a SOAP message with an X509 certificate, using tclws: I did not have enough background in XML canonicalization and SOAP signatures, and not enough time to do it. I found a solution with Python, using the package pysimplesoap. – b2vincent Apr 20 '15 at 21:16
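
Added diagnostic script (not code from the question, from tclws or from tcllib), written on the assumption that pki::pkcs::parse_key only recognises the PKCS#1 "-----BEGIN RSA PRIVATE KEY-----" armor and otherwise hands its whole input to the ASN.1 parser, while "openssl pkcs12 -nocerts -nodes" writes "Bag Attributes" lines followed by a PKCS#8 "-----BEGIN PRIVATE KEY-----" block. Under that assumption the first byte the parser meets is the "B" of "Bag Attributes" (0x42), which is the value in the error; the script checks a key file for exactly this before it is handed to parse_key. The sample PEM is constructed and its base64 body is a placeholder prefix, not a real key.

```tcl
# Needs Tcl 8.6 for "binary decode base64".

# Constructed sample in the shape "openssl pkcs12 -nocerts -nodes" writes:
# bag attributes first, then a PKCS#8 "PRIVATE KEY" block.
# The base64 body is a constructed placeholder, not a real key.
set sample_pem "Bag Attributes
    localKeyID: 01 02 03
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQ==
-----END PRIVATE KEY-----
"

# Describe what a PKCS#1-only parser will see in a PEM private key file.
# Returns a dict with:
#   first_raw_byte : first byte of the text as given (what the parser reads
#                    when it does not find the armor it wants)
#   label          : the PEM armor label, "" if no armor was found
#   pkcs1          : 1 if the label is the "RSA PRIVATE KEY" form parse_key wants
#   first_der_tag  : first byte of the decoded body (0x30 = SEQUENCE)
proc inspect_private_key_pem {pem} {
    binary scan $pem cu first_raw_byte
    set result [dict create first_raw_byte [format 0x%02x $first_raw_byte]]
    if {![regexp -- {-----BEGIN ([A-Z ]+)-----([^-]*)-----END \1-----} \
            $pem -> label body]} {
        return [dict merge $result [dict create label "" pkcs1 0 first_der_tag ""]]
    }
    set der [binary decode base64 $body]   ;# whitespace is ignored by default
    binary scan $der cu first_der_tag
    dict set result label $label
    dict set result pkcs1 [expr {$label eq "RSA PRIVATE KEY"}]
    dict set result first_der_tag [format 0x%02x $first_der_tag]
    return $result
}

set info [inspect_private_key_pem $sample_pem]
puts "first raw byte : [dict get $info first_raw_byte]"   ;# 0x42, the "B" in "Bag"
puts "armor label    : [dict get $info label]"            ;# PRIVATE KEY (PKCS#8)
puts "PKCS#1 armor   : [dict get $info pkcs1]"            ;# 0
puts "first DER tag  : [dict get $info first_der_tag]"    ;# 0x30, a valid SEQUENCE
if {![dict get $info pkcs1]} {
    puts "Not PKCS#1: re-encode before calling pki::pkcs::parse_key, e.g."
    puts "  openssl pkcs12 -in cert.p12 -nocerts -nodes | openssl rsa -out key_rsa.pem"
    puts "  (on OpenSSL 3.x add -traditional to 'openssl rsa' to get PKCS#1 armor)"
}
```

The body itself decodes to a proper SEQUENCE, so the failure comes from the armor label and the leading bag-attribute text rather than from a corrupt key.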

0 Answers