On Tue, Jul 25, 2017, at 01:29 PM, Andrey Serdtsev wrote:
> Hi all,
> 
> apache-mynewt-core/boot/bootutil/signed_images.md suggests using 
> 'openssl genrsa -out image_sign.pem 2048' for generating RSA keypair. 
> When signing with this key, everything is fine:
> $ newt create-image my-app 1.0.0.0 image_sign.pem
> ...
> App image succesfully generated: .../my-app.img
> 
> Now I look at 
> 'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL' 
> page and see another command for generating: 'openssl genpkey -algorithm 
> RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to 
> sign using such a key, everything is sad:
> $ newt create-image my-app 1.0.0.0 image_sign.pem
> ...
> Error: Unknown private key format, EC/RSA private key in PEM format only.
> 
> As far as I can judge, the methods for generating RSA pairs are identical and 
> the problem is somewhere in the Go lib 'encoding/pem'. Not sure if this is 
> really a bug, but clarification from a Go guru is required.

They are not identical; the first command generates a key in PKCS#1
format and the second in PKCS#8, which are slightly different formats. I
never looked at the Go code for reading the PEMs but maybe it doesn't
support PKCS#8.

Cheers,
Fabio Utzig
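
The following Go example is an addition to this thread, not part of either message and not newt's own code. It shows a loader that selects the DER parser from the PEM block type, so a key in either of the two encodings named in the reply (PKCS#1 and PKCS#8) loads; parseRSAKey and sampleKeyPEMs are hypothetical names, and the key is generated inline as constructed sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// parseRSAKey (hypothetical helper, not newt's code) selects the DER parser by PEM type.
func parseRSAKey(pemBytes []byte) (*rsa.PrivateKey, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY": // PKCS#1: bare RSAPrivateKey structure
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		return k, "PKCS#1", err
	case "PRIVATE KEY": // PKCS#8: algorithm identifier wrapped around the key
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if rk, ok := k.(*rsa.PrivateKey); ok {
			return rk, "PKCS#8", nil
		}
		return nil, "", fmt.Errorf("no RSA key in PKCS#8 block (parse error: %v)", err)
	}
	return nil, "", fmt.Errorf("unsupported PEM type %q", block.Type)
}

// sampleKeyPEMs encodes one constructed 2048-bit key in both formats.
func sampleKeyPEMs() (p1, p8 []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der8, err := x509.MarshalPKCS8PrivateKey(key)
	p1 = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	p8 = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der8})
	return p1, p8, err
}

func main() {
	p1, p8, _ := sampleKeyPEMs()
	_, f1, e1 := parseRSAKey(p1)
	_, f8, e8 := parseRSAKey(p8)
	fmt.Println(f1, e1, f8, e8)
}
```

The two PEM files differ in their first line ("BEGIN RSA PRIVATE KEY" versus "BEGIN PRIVATE KEY"), which is the quickest way to tell which encoding a given key file uses.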
