Re: how to extract signature from public key using openssl?

2007-05-03 Thread Janet N

Hi Kyle,

Thanks for the prompt response.

But I think my problem is that my project doesn't want to produce the public key
from the openssl rsa command, because we need to get the public key in the rsa
PEM format at the time we issue the certificate and upload it to our
production database.  And the CA doesn't have a copy of the user's private key
to generate this openssl rsa public key.  So we need somehow to be able to
get the rsa public key from the user certificate.

Have any ideas?

The command "openssl rsa -pubin -in rsa.public -noout -text" will only work
if I generate the rsa public key using my private key.

Thanks,
Janet



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]



RE: how to extract signature from public key using openssl?

2007-05-03 Thread David Schwartz





I think you want:

openssl x509 -outform pem -inform  -pubkey

This will output the public key in PEM format given the certificate as
input.

If you'd prefer to process the certificate request, the 'req' command also
has a '-pubkey' option.

DS


Re: how to extract signature from public key using openssl?

2007-05-03 Thread Janet N

Hi David,

I've tried the following command, but it failed to load cert:

$ openssl x509 -outform PEM -inform usercert.pem -pubkey
bad input format specified for Certificate
unable to load certificate

Thanks,
Janet


On 5/3/07, David Schwartz <[EMAIL PROTECTED]> wrote:






Hi Kyle,

Thanks for the prompt response.

But I think my problem is my project doesn't want to produce the public
key from openssl rsa command, because we need to get the public key in the
rsa PEM format at the time when we issued the certificate and upload it to
our production database.  And the CA doesn't have a copy of the user private
key to generate this openssl rsa public key.  So we need somehow to be able
to get the rsa public key from the user certificate.

Have any ideas?

The command "openssl rsa -pubin -in rsa.public -noout -text" will only
work if I generte the rsa public key using by private key.

Thanks,
Janet


I think you want:
openssl x509 -outform pem -inform  -pubkey
This will output the public key in PEM format given the certificate as
input.

If you'd prefer to process the certificate request, the 'req' command also
has a '-pubkey' option.

DS




RE: how to extract signature from public key using openssl?

2007-05-03 Thread David Schwartz


   
You didn't specify the input format. Try:

openssl x509 -outform pem -inform pem -pubkey < usercert.pem

DS

Re: how to extract signature from public key using openssl?

2007-05-03 Thread Kyle Hamilton

On 5/3/07, Janet N <[EMAIL PROTECTED]> wrote:

Hi Kyle,

Thanks for the prompt response.

But I think my problem is my project doesn't want to produce the public key
from openssl rsa command, because we need to get the public key in the rsa
PEM format at the time when we issued the certificate and upload it to our
production database.


Why do you need to get the public key at the time the certificate is
issued?  You already have it.
You don't have, in the words of your original email, "a public key
from the CA", you have "the public key returned to you with a
signature from the CA after you sent it to the CA".

The CA can extract the public key from the certificate request.
The certificate contains the public key.
But you already have the public key, since you sent the certificate
request in the first place, and you have the private key that the
public key was generated with.


 And the CA doesn't have a copy of the user private key
to generate this openssl rsa public key.


Right, but the RSA public key is part of the certificate signing
request.  The only way it can be there is for you to have it in the
first place.


 So we need somehow to be able to
get the rsa public key from the user certificate.


This does not follow, since without the private key, the user
certificate cannot be used for authentication anyway, and the public
key is similarly useless.

But, you could try:

$ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
$ openssl req -in file.csr -pubkey -noout

(the '-noout' can be replaced with '-outform pem -out publickey.pem'
if you need it to go to a file.)

-Kyle H


Re: how to extract signature from public key using openssl?

2007-05-03 Thread Dmitrij Mironov

Hi Janet,

At the moment I don't have access to openssl to test it, but try
this one:


$ openssl rsa -in certificate.pem -pubout -noout -text

Unfortunately, the -pubout command can't write its output to a file (i.e. with
-out).



Regards,

Dmitrij




Re: how to extract signature from public key using openssl?

2007-05-04 Thread Michael Sierchio

Janet N wrote:

...   So we need
somehow to be able to get the rsa public key from the user certificate.


Assuming a DER X.509 cert, you just need to parse out the public key:

cert->SubjectPublicKeyInfo->SubjectPublicKey



Re: how to extract signature from public key using openssl?

2007-05-04 Thread Janet N

Hello,



Why do you need to get the public key at the time the certificate is
issued?  You already have it.



We are using DKIM (domain key signing); it uses not the x509 public key but
the public key of the private key.  The idea is to extract the rsa public
key at the time the CA issues the cert and load this rsa public key into a db.
This program is run against the CA.

The CA can extract the public key from the certificate request.


I see, so I can't extract the public key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
vVuGCAqfaps8J0FjOQIDAQAB
-----END PUBLIC KEY-----

from the already issued certificate?

The certificate contains the public key.

But you already have the public key, since you sent the certificate
request in the first place, and you have the private key that the
public key was generated with.



The user won't be the one extracting the public key but the program running
against the CA server.



But, you could try:

$ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
$ openssl req -in file.csr -pubkey -noout

(the '-noout' can be replaced with '-outform pem -out publickey.pem'
if you need it to go to a file.)



hmm, I'm running openca so I'm not sure where the certificate requests are
located.  Where are they located in openssl?

thanks,
Janet




Re: how to extract signature from public key using openssl?

2007-05-04 Thread Janet N


But, you could try:

$ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
$ openssl req -in file.csr -pubkey -noout



# openssl x509 -inform PEM -in usercert.pem -x509toreq -out file.csr
Getting request Private Key
no request key file specified


When I checked the file.csr file, it was empty.  I tried throwing -key into
the command; that did not work :)

thanks,
Janet




Re: how to extract signature from public key using openssl?

2007-05-04 Thread Kyle Hamilton

The private key is paired with the public key, regardless of where
it's retrieved or what format it's in.  This means that the x509
public key is the same public key as you would retrieve from the
openssl rsa command.

Regardless:

$ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr

This converts the already-issued certificate (contained in file.pem)
into a certificate request, putting the request into 'file.csr'.  I
don't know if it's possible to extract it using the command-line tools
directly from the certificate, but I do know that it can be extracted
from a CSR generated from the certificate.

$ openssl req -in file.csr -pubkey -noout

This takes the 'file.csr' certificate request, extracts the public key
from it, and prints it.

$ openssl req -in file.csr -pubkey -outform PEM -out pubkey.pem

This takes the 'file.csr' certificate request, extracts the public key
from it, and writes it to pubkey.pem.

I am not personally familiar with OpenCA, so I don't know where the
CSRs are stored (if indeed they're stored at all).  OpenSSL stores the
requests in files.

What tool is it you're using for DKIM?  Perhaps if I can find out what
that tool expects, I can find a way to make it possible.
(Technically, if you're using OpenCA, you're using OpenLDAP to store
all of the issued certificates -- and those certificates contain the
keys necessary.)

I am sorry that I didn't understand that you're running this on the
server, disseminating information for verifiers.  This explains a lot.
:)

-Kyle H






--

-Kyle H


Re: how to extract signature from public key using openssl?

2007-05-04 Thread Kyle Hamilton

Give me a bit, I'm going to set up a test CA environment and figure it out.

-Kyle H






--

-Kyle H


Re: how to extract signature from public key using openssl?

2007-05-04 Thread Janet N

Hi Kyle,



What tool is it you're using for DKIM?





DKIM uses the openssl library to produce a public and private key. The private
key should be saved on an MTA server. The public key will be used in the DNS TXT
record for DKIM.  They use the following openssl commands to produce
the public and private key:

- Enter the following command to generate your private key:

  openssl genrsa -out rsa.private 1024

- Enter the following command to generate your public key:

  openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

The public key entry in the DNS TXT record looks like the following:

mail._domainkey.example.com. IN TXT "k=rsa; t=y;
p=MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0b
sn4R4p7waPaz1IbOGs/6bm5QIDAQAB"

The string after "p=" is the base64 encoding of your public key.

If the rsa.public file which was generated contains

-----BEGIN PUBLIC KEY-----
MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f
5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
-----END PUBLIC KEY-----

You can find more info about DKIM setup using openssl pub and priv keys at:
http://www.elandsys.com/resources/sendmail/dkim.html





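Michael Sierchio's point earlier in the thread (the key is simply the SubjectPublicKeyInfo inside the certificate) and the DKIM "p=" value Janet describes can both be shown without openssl at all. The following Python example is added here and is not code from the thread, from OpenSSL or from OpenCA: it walks the DER of a certificate to pull out the SubjectPublicKeyInfo, which is byte-for-byte what `openssl rsa -pubout` writes to rsa.public and what DKIM publishes after `p=`. It uses the public key Janet posted; since no certificate appears on the page, it wraps that key in a constructed, unsigned sample certificate (placeholder names, dummy signature) purely so the parser has something to parse.

```python
import base64
import re

# Janet's RSA public key exactly as posted in the thread: a PEM-armored
# SubjectPublicKeyInfo, which is what "openssl rsa -pubout" writes.
JANET_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
vVuGCAqfaps8J0FjOQIDAQAB
-----END PUBLIC KEY-----"""

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor (any label, even with collapsed dashes) and base64-decode."""
    body = re.sub(r"-+(BEGIN|END) [A-Z ]+-+", "", pem)
    return base64.b64decode("".join(body.split()))

def der_to_pem(der_bytes: bytes, label: str) -> str:
    """Re-armor DER as PEM with 64-column base64 lines."""
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed type."""
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend

def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cstart, cend = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; PEM input must be decoded first")
    tbs_tag, _, tbs_start, tbs_end = next(children(cert_der, cstart, cend))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(children(cert_der, tbs_start, tbs_end))
    if fields and fields[0][0] == 0xA0:    # EXPLICIT [0] version is absent in v1 certificates
        fields = fields[1:]
    spki_tag, spki_start, _, spki_end = fields[5]   # sixth mandatory field
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_start:spki_end]

def extract_public_key_pem(cert_pem: str) -> str:
    """Library-free equivalent of 'openssl x509 -in cert.pem -noout -pubkey'."""
    return der_to_pem(spki_from_cert_der(pem_to_der(cert_pem)), "PUBLIC KEY")

def dkim_p_value(spki_der: bytes) -> str:
    """The DKIM TXT 'p=' value: base64 of the SPKI DER, i.e. the PEM body without armor."""
    return base64.b64encode(spki_der).decode()

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Key size via SPKI -> BIT STRING -> RSAPublicKey SEQUENCE -> modulus INTEGER."""
    _, s, e = read_tlv(spki_der, 0)
    _, bitstring = list(children(spki_der, s, e))      # AlgorithmIdentifier, subjectPublicKey
    _, ks, ke = read_tlv(spki_der, bitstring[2] + 1)   # +1 skips the unused-bits octet
    _, _, ms, me = next(children(spki_der, ks, ke))    # modulus is the first INTEGER
    return int.from_bytes(spki_der[ms:me], "big").bit_length()

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths < 65536), used only to build the sample cert."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def build_sample_cert(spki_der: bytes) -> bytes:
    """CONSTRUCTED sample certificate around the given SPKI. Names and dates are placeholders
    and the signature is dummy zero bytes, so it will not verify; it is structurally valid only."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))

    def name(cn: str) -> bytes:            # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN)
        return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))))

    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))             # version v3
                  + der(0x02, b"\x01")                         # serialNumber 1
                  + sha256_rsa                                 # signature algorithm
                  + name("Sample CA")                          # issuer (placeholder)
                  + der(0x30, der(0x17, b"070503000000Z") + der(0x17, b"080503000000Z"))
                  + name("janet.example")                      # subject (placeholder)
                  + spki_der)                                  # subjectPublicKeyInfo
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 129))   # dummy signature

if __name__ == "__main__":
    spki = pem_to_der(JANET_PUBKEY_PEM)
    cert_pem = der_to_pem(build_sample_cert(spki), "CERTIFICATE")
    print(extract_public_key_pem(cert_pem) == JANET_PUBKEY_PEM)   # True: cert key == rsa.public
    print(rsa_modulus_bits(spki), "bit RSA key")                  # 1024 bit RSA key
    print("p=" + dkim_p_value(spki))
```

The same SPKI slice is what a CA-side program would write to the database, which sidesteps the stdout-versus-`-out` behaviour of `openssl x509 -pubkey` discussed later in the thread.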



Re: how to extract signature from public key using openssl?

2007-05-05 Thread Kyle Hamilton

Thanks for the info on DKIM.

$ openssl x509 -inform pem -in cacert.pem -noout -pubkey

This will do what you want, but it is suboptimal, as it outputs the
key onto stdout (which can be redirected to a file).

I consider this to be bugged, based on available documentation.  The
documentation states that '-out [file]' is supposed to redirect the
output to file, and that -pubkey is supposed to output the public key.
Hence, I'd expect:

$ openssl x509 -inform pem -in cert.pem -pubkey -out pubkey.pem -outform pem

to output only the public key to pubkey.pem.

The observed behavior is that it prints the public key to stdout,
while outputting the entire certificate to pubkey.pem.  This is
confusing.

cc:'ed to RT for issue management.

-Kyle H






--

-Kyle H


Re: how to extract signature from public key using openssl?

2007-05-18 Thread Janet N

Hi Kyle and RT,

I want to know the status of the bug that "-out" of openssl does not
redirect the stdout to a file.  Instead, the command below prints the entire
certificate to pubkey.pem and the extracted cert (pubkey) to the screen:

$ openssl x509 -inform pem -in cert.pem -pubkey -out pubkey.pem -outform pem

Is there a way I can extract the pubkey from a csr (certificate signing
request) using openssl?  I want to avoid using ">" for redirection to stdout
if possible.

Thanks,
Janet



Re: how to extract signature from public key using openssl?

2007-05-03 Thread Kyle Hamilton

The CA doesn't generate the public key in your certificate.  You
generate it, and you send it to the CA to be bound to your identity --
the CA uses its private key to sign the certificate, and the verifier
already has the CA's public key to verify with.

Without the public key in your certificate matching the private key in
your private key file, you cannot prove that you have the correct
private key to the key in the certificate.

What this means is that the public key output from your openssl rsa
command is the same data that you would get if you extracted the
public key from the certificate.  You don't need to extract it from
the certificate.

Use:

$ openssl rsa -in rsa.public -noout -text

to verify that it is the same.

-Kyle H

On 5/3/07, Janet N <[EMAIL PROTECTED]> wrote:

Hi,

I have a certificate in pem format issued to me by a CA, and a private key
which I generated.  Since I need to do domain key signing (dkim), I was
asked to use the following openssl command to generate the public key:

$ openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

Since I've already gotten a public key from the CA is there any way that I
can extract the info in my public key to produce the same result as the
above openssl command?

The following is what I need to get out from my public key (openssl x509 -in
public.key -noout), for ex:
Modulus (1024 bit):
00:a0:f3:2a:3a:ac:38:6c:36:2c:14:7d:54:77:ec:
78:05:e1:b5:aa:a0:6d:77:35:df:57:2d:3f:99:d1:
52:f3:0a:45:89:64:e7:73:18:d4:27:9e:6e:ee:8e:
84:3c:81:bc:5e:0e:f2:28:f5:11:b9:23:77:99:b5:
e0:70:0f:dd:4d:7f:a3:ff:13:d9:6f:25:00:cb:d9:
09:f3:e0:45:c7:fc:25:56:f4:37:84:7e:f6:35:50:
93:7d:91:ce:aa:e8:a9:18:10:f5:ac:b2:f5:6f:94:
33:a9:da:c9:5b:10:a6:42:26:d6:8f:bd:5b:86:08:
0a:9f:6a:9b:3c:27:41:63:39
Exponent: 65537 (0x10001)

Thanks, any help is much appreciated.





-- 
-Kyle H
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: how to extract signature from public key using openssl?

2007-05-03 Thread Kyle Hamilton

My apologies:

$ openssl rsa -pubin -in rsa.public -noout -text

-Kyle H

-- 
-Kyle H
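Putting the commands from this thread together, as an added example that is not part of any message above. It plays both sides: it generates the user's RSA key and CSR, issues a certificate from a throwaway CA that never sees the private key, and then shows that the SubjectPublicKeyInfo inside the certificate is byte-for-byte what `openssl rsa -pubout` produces from the private key. A program running against the CA can therefore take the key straight out of the certificate with `openssl x509 -pubkey -noout`, and the same PEM body with its armour lines removed is the `p=` value DKIM publishes in DNS (RFC 6376). The `-x509toreq` detour suggested earlier in the thread is not used here: `openssl x509 -x509toreq` has to re-sign the request, so it requires `-signkey` with the private key, which is exactly what the CA side does not have. The file names, the `/CN=` subjects and the `WORK` directory are assumptions made for this example; it needs a working `openssl` command line.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the `openssl` CLI is on
# PATH. All file names and subject names below are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# User side: the RSA key pair and a certificate request built from it.
gen_user_key_and_csr() {
    openssl genrsa -out rsa.private 2048 2>/dev/null
    openssl req -new -key rsa.private -subj "/CN=mail.example.test" \
        -out user.csr 2>/dev/null
}

# CA side: a throwaway self-signed CA that signs the user's CSR.
# The CA only receives user.csr and produces user.crt; rsa.private stays
# with the user.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Throwaway Test CA" -days 1 2>/dev/null
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 1 -out user.crt 2>/dev/null
}

# What the DKIM tooling asked for: SubjectPublicKeyInfo PEM derived from the
# private key (the command in the original question).
pubkey_from_private() {
    openssl rsa -in rsa.private -pubout 2>/dev/null
}

# The same SubjectPublicKeyInfo PEM, read out of the issued certificate.
# This is the command a program running against the CA can use; no private
# key is involved.
pubkey_from_cert() {
    openssl x509 -in user.crt -pubkey -noout
}

# Cross-check at the RSA level: the modulus printed from the private key and
# from the certificate must be the same hex string.
modulus_from_private() {
    openssl rsa -in rsa.private -noout -modulus 2>/dev/null
}

modulus_from_cert() {
    openssl x509 -in user.crt -noout -modulus
}

# Human-readable Modulus/Exponent dump of the certificate's key: the
# corrected `openssl rsa -pubin ... -noout -text` form, fed from the cert.
pubkey_text_from_cert() {
    pubkey_from_cert | openssl rsa -pubin -noout -text
}

# DKIM DNS record payload: p= is the base64 DER of the SubjectPublicKeyInfo,
# which is exactly the PEM body with the armour lines and newlines removed.
dkim_p_value() {
    pubkey_from_cert | grep -v '^-----' | tr -d '\n'
}

# Stand-alone run: build everything and report the comparison.
gen_user_key_and_csr
issue_cert
if [ "$(pubkey_from_private)" = "$(pubkey_from_cert)" ]; then
    echo "OK: public key in certificate == public key derived from rsa.private"
else
    echo "MISMATCH: certificate does not carry this key" >&2
    exit 1
fi
modulus_from_cert
echo "DKIM record: v=DKIM1; k=rsa; p=$(dkim_p_value)"
```

The comparison of the two PEM outputs is the check to keep in the CA-side program: if the certificate's SubjectPublicKeyInfo does not match the key the DKIM signer will use, the published `p=` record is wrong and every signed message will fail verification.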