On Thu, Aug 29, 2019 at 06:25:02PM +0530, Mukund Sivaraman wrote:
> A tool such as BIND's dnssec-keygen generates the following formatted
> private keys:
> 
> [muks@naina ~]$ cat Kexample.org.+008+10638.private
> Private-key-format: v1.3
> Algorithm: 8 (RSASHA256)
> Modulus: [...]
> PublicExponent: [...]
> PrivateExponent: [...]
> Prime1: [...]
> Prime2: [...]
> Exponent1: [...]
> Exponent2: [...]
> Coefficient: [...]

Compare the above with:

    $ openssl genrsa 512 2>/dev/null | openssl rsa -text -noout | egrep -v ':..:'
    RSA Private-Key: (512 bit, 2 primes)
    modulus:
    publicExponent: 65537 (0x10001)
    privateExponent:
    prime1:
    prime2:
    exponent1:
    exponent2:
    coefficient:

And it becomes clear that what you're seeing is a sequence of tagged
base64 encodings of the BIGNUM elements of the CRT form of an RSA
private key.

> Created: [...]
> Publish: 20190829125147
> Activate: 20190829125147

Plus some additional metadata.

> I have looked around for a specification for this format, but I fail to
> find one. Where is this specified? Has it ever been described in some
> document?

This looks like an ad-hoc format, specific to dnssec-keygen and
friends.  In particular "Publish:" and "Activate:" are not part of
the key per se and are rather related to the DNSSEC key lifecycle.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
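A parser for the tagged-base64 layout discussed in the thread, as an added example that is not part of the thread or of BIND's code. It assumes a constructed toy key (p=61, q=53, e=17) in place of real key material, decodes each BIGNUM field, parses the lifecycle timestamps, and checks that the CRT components agree with each other before using them in a private-key operation.

```python
import base64
from datetime import datetime
# Constructed sample in the quoted layout; toy key p=61, q=53, e=17, base64 of big-endian bytes
SAMPLE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: DKE=
PublicExponent: EQ==
PrivateExponent: CsE=
Prime1: PQ==
Prime2: NQ==
Exponent1: NQ==
Exponent2: MQ==
Coefficient: Jg==
Created: 20190829125147
Publish: 20190829125147
Activate: 20190829125147
"""
BIGNUMS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
           "Prime2", "Exponent1", "Exponent2", "Coefficient")
TIMES = ("Created", "Publish", "Activate")  # lifecycle metadata, not key material

def parse_private_key(text):
    """Map each 'Tag: value' line; BIGNUMs become ints, timestamps datetimes."""
    key = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue  # skip blank or malformed lines
        tag, value = tag.strip(), value.strip()
        if tag in BIGNUMS:
            key[tag] = int.from_bytes(base64.b64decode(value), "big")
        elif tag in TIMES:
            key[tag] = datetime.strptime(value, "%Y%m%d%H%M%S")
        else:
            key[tag] = value
    return key

def crt_consistent(k):
    """Verify the relations that tie the CRT components of the key together."""
    n, e, d = k["Modulus"], k["PublicExponent"], k["PrivateExponent"]
    p, q = k["Prime1"], k["Prime2"]
    return (p * q == n and e * d % (p - 1) == 1 and e * d % (q - 1) == 1
            and k["Exponent1"] == d % (p - 1) and k["Exponent2"] == d % (q - 1)
            and q * k["Coefficient"] % p == 1)

def crt_private_op(k, c):
    """RSA private operation from the CRT components (Garner recombination)."""
    p, q = k["Prime1"], k["Prime2"]
    m1, m2 = pow(c, k["Exponent1"], p), pow(c, k["Exponent2"], q)
    return m2 + (k["Coefficient"] * (m1 - m2) % p) * q
```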
