Hi Viktor

On Thu, Aug 29, 2019 at 09:48:31AM -0400, Viktor Dukhovni wrote:
> On Thu, Aug 29, 2019 at 06:25:02PM +0530, Mukund Sivaraman wrote:
> > A tool such as BIND's dnssec-keygen generates the following formatted
> > private keys:
> >
> > [muks@naina ~]$ cat Kexample.org.+008+10638.private
> > Private-key-format: v1.3
> > Algorithm: 8 (RSASHA256)
> > Modulus: [...]
> > PublicExponent: [...]
> > PrivateExponent: [...]
> > Prime1: [...]
> > Prime2: [...]
> > Exponent1: [...]
> > Exponent2: [...]
> > Coefficient: [...]
>
> Compare the above with:
>
> $ openssl genrsa 512 2>/dev/null | openssl rsa -text -noout | egrep -v ':..:'
> RSA Private-Key: (512 bit, 2 primes)
> modulus:
> publicExponent: 65537 (0x10001)
> privateExponent:
> prime1:
> prime2:
> exponent1:
> exponent2:
> coefficient:
>
> And it becomes clear that what you're seeing is a sequence of tagged
> base64 encodings of the BIGNUM elements of the CRT form of an RSA
> private key.

I am intimately familiar with what these fields mean and the code that
generates it. The question is not about what the meaning of these fields
is. I am asking about where this key format is specified - I want to
extend it.

> > Created: [...]
> > Publish: 20190829125147
> > Activate: 20190829125147
>
> Plus some additional metadata.
>
> > I have looked around for a specification for this format, but I fail to
> > find one. Where is this specified? Has it ever been described in some
> > document?
>
> This looks like an ad-hoc format, specific to dnssec-keygen and
> friends. In particular "Publish:" and "Activate:" are not part of
> the key per se and are rather related to the DNSSEC key lifecycle.
>
> --
> Viktor.

Mukund

--
Loop DNS nameserver: https://akira.org/loop/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
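As an added illustration (not code from this thread, from BIND, or from OpenSSL), the parser below reads the tagged layout Viktor describes, keeps the base64 BIGNUM fields apart from the lifecycle metadata ("Created", "Publish", "Activate"), and checks that the CRT components agree with the modulus and each other. The sample file is constructed from the textbook toy key p=61, q=53, e=17, not a real key; the field names are those shown in the thread.

```python
import base64
import math

# Constructed sample in the tagged-base64 layout from the thread, using the
# textbook toy RSA key p=61, q=53, e=17 (NOT a real key; fields are 1-2 bytes).
SAMPLE_PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: DKE=
PublicExponent: EQ==
PrivateExponent: CsE=
Prime1: PQ==
Prime2: NQ==
Exponent1: NQ==
Exponent2: MQ==
Coefficient: Jg==
Created: 20190829125147
Publish: 20190829125147
Activate: 20190829125147
"""

# Tags holding base64 big-endian BIGNUMs; every other tag is lifecycle metadata.
BIGNUM_FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
                 "Prime2", "Exponent1", "Exponent2", "Coefficient")

def parse_private_file(text):
    """Return (key material as ints, metadata as strings); fail on missing fields."""
    key, meta = {}, {}
    for line in filter(str.strip, text.splitlines()):
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag in BIGNUM_FIELDS:
            key[tag] = int.from_bytes(base64.b64decode(value, validate=True), "big")
        else:
            meta[tag] = value
    missing = [f for f in BIGNUM_FIELDS if f not in key]
    if missing:
        raise ValueError("missing RSA fields: " + ", ".join(missing))
    return key, meta

def crt_consistent(key):
    """True iff the CRT components agree with each other and with the modulus."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    p, q = key["Prime1"], key["Prime2"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return (p * q == n and (e * d) % lam == 1
            and key["Exponent1"] == d % (p - 1)
            and key["Exponent2"] == d % (q - 1)
            and key["Coefficient"] == pow(q, -1, p))  # q^-1 mod p (PKCS#1 CRT)
```

A key file whose CRT fields disagree with its modulus will fail `crt_consistent`, which is the check a loader should run before using such a file for signing.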