On Tue, Jul 25, 2017, at 02:11 PM, Fabio Utzig wrote:
> On Tue, Jul 25, 2017, at 01:29 PM, Andrey Serdtsev wrote:
> > Hi all,
> >
> > apache-mynewt-core/boot/bootutil/signed_images.md suggests using
> > 'openssl genrsa -out image_sign.pem 2048' for generating an RSA keypair.
> > When signing with this key, everything is fine:
> > $ newt create-image my-app 1.0.0.0 image_sign.pem
> > ...
> > App image succesfully generated: .../my-app.img
> >
> > Now I look at
> > 'https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL'
> > page and see another command for generating: 'openssl genpkey -algorithm
> > RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'. If I try to
> > sign using such a key, everything is sad:
> > $ newt create-image my-app 1.0.0.0 image_sign.pem
> > ...
> > Error: Unknown private key format, EC/RSA private key in PEM format only.
> >
> > As far as I can judge, the methods for generating RSA pairs are identical and
> > the problem is somewhere in the Go lib 'encoding/pem'. Not sure if this is
> > really a bug, but clarification from a Go guru is required.
>
> They are not identical, the first command generates a key in PKCS#1
> format and the second in PKCS#8, which are slightly different formats. I
> never looked at the Go code for reading the PEMs but maybe it doesn't
> support PKCS#8.
Out of curiosity, the code to parse is here:

https://github.com/apache/mynewt-newt/blob/master/newt/image/image.go#L285

And the Go stdlib also supports PKCS#8:

https://golang.org/pkg/crypto/x509/#ParsePKCS8PrivateKey

Shouldn't be that hard to make a patch! (hopefully there are not a lot of other places to change...)

Fabio Utzig
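The distinction Fabio draws above is visible in the PEM header line: `openssl genrsa` writes `-----BEGIN RSA PRIVATE KEY-----` (PKCS#1, parsed by `x509.ParsePKCS1PrivateKey`), while `openssl genpkey` writes `-----BEGIN PRIVATE KEY-----` (PKCS#8, parsed by `x509.ParsePKCS8PrivateKey`, which returns an `*rsa.PrivateKey` or `*ecdsa.PrivateKey` depending on the wrapped algorithm). The following is an added example, not newt's own code and not the patch discussed in the thread: a loader that dispatches on the block type so all three unencrypted encodings OpenSSL emits for RSA/EC keys are accepted, and that rejects password-protected keys with a clear message instead of a misleading ASN.1 error. The key material is generated in-process with the standard library, so it runs offline; function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ParseSigningKey decodes an unencrypted PEM private key in any of the three
// encodings OpenSSL produces for RSA and EC keys:
//   "RSA PRIVATE KEY" - PKCS#1, what `openssl genrsa` writes
//   "EC PRIVATE KEY"  - SEC1, what `openssl ecparam -genkey` writes
//   "PRIVATE KEY"     - PKCS#8, what `openssl genpkey` writes (wraps RSA or EC)
// It returns *rsa.PrivateKey or *ecdsa.PrivateKey. (Hypothetical helper.)
func ParseSigningKey(pemData []byte) (interface{}, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	// Password-protected keys: legacy PEM marks them with a Proc-Type header,
	// PKCS#8 uses a distinct block type. Reject both explicitly.
	if strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") || block.Type == "ENCRYPTED PRIVATE KEY" {
		return nil, errors.New("encrypted private keys are not supported")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		switch key.(type) {
		case *rsa.PrivateKey, *ecdsa.PrivateKey:
			return key, nil
		}
		return nil, fmt.Errorf("unsupported PKCS#8 key type %T", key)
	}
	return nil, fmt.Errorf("unknown private key format %q, EC/RSA private key in PEM format only", block.Type)
}

// KeyKind reports "rsa" or "ec" for a parsed key, "" for anything else.
func KeyKind(key interface{}) string {
	switch key.(type) {
	case *rsa.PrivateKey:
		return "rsa"
	case *ecdsa.PrivateKey:
		return "ec"
	}
	return ""
}

// The three encoders below produce the same PEM block types OpenSSL would
// write, so the example can exercise the loader without shelling out.
func PKCS1PEM(k *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

func SEC1PEM(k *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

func PKCS8PEM(k interface{}) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pkcs8RSA, _ := PKCS8PEM(rsaKey)
	pkcs8EC, _ := PKCS8PEM(ecKey)
	sec1, _ := SEC1PEM(ecKey)
	for name, data := range map[string][]byte{
		"PKCS#1 RSA": PKCS1PEM(rsaKey),
		"PKCS#8 RSA": pkcs8RSA,
		"SEC1 EC":    sec1,
		"PKCS#8 EC":  pkcs8EC,
	} {
		key, err := ParseSigningKey(data)
		fmt.Printf("%-10s -> kind=%q err=%v\n", name, KeyKind(key), err)
	}
}
```

Switching on `block.Type` rather than trying each parser in turn keeps the error for a genuinely unsupported input (a certificate, an encrypted key) specific, which is what a user staring at "Unknown private key format" needs.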