Hi, I have a `Certificates.p12` file that I wish to convert to a `certificates.pem` containing an unencrypted private key in PKCS#1 format. I have previously been able to do this by running:

    openssl pkcs12 -in Certificates.p12 -out certificates.pem -nodes -clcerts

The resulting `certificates.pem` file has a `PRIVATE KEY` PEM block, as expected. However, the library I'm using <https://github.com/sideshow/apns2/blob/master/certificate/certificate.go#L80> does not understand this PEM block, because it expects it to be a PKCS#1 private key. The ASN.1 structure of a PKCS#1 private key is defined by RFC 3447 <https://tools.ietf.org/html/rfc3447#appendix-A.1.2> as:

    RSAPrivateKey ::= SEQUENCE {
        version           Version,
        modulus           INTEGER,  -- n
        publicExponent    INTEGER,  -- e
        privateExponent   INTEGER,  -- d
        prime1            INTEGER,  -- p
        prime2            INTEGER,  -- q
        exponent1         INTEGER,  -- d mod (p-1)
        exponent2         INTEGER,  -- d mod (q-1)
        coefficient       INTEGER,  -- (inverse of q) mod p
        otherPrimeInfos   OtherPrimeInfos OPTIONAL
    }

The bad private key block in my `certificates.pem` does not have this PKCS#1 structure! Instead, its ASN.1 structure looks like this:

    $ openssl asn1parse -i -in badprivatekey.pem
        0:d=0  hl=4 l=1212 cons: SEQUENCE
        4:d=1  hl=2 l=   1 prim:  INTEGER           :00
        7:d=1  hl=2 l=  13 cons:  SEQUENCE
        9:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
       20:d=2  hl=2 l=   0 prim:   NULL
       22:d=1  hl=4 l=1190 prim:  OCTET STRING      [HEX DUMP]:308204A...very long hex...

What is the above format? The documentation for `openssl pkcs12` <https://wiki.openssl.org/index.php/Manual:Pkcs12(1)> only vaguely says that its output is "written in PEM format." I need a stronger guarantee that the private key PEM block is in PKCS#1 format.

The strange thing is that `openssl rsa` understands the strange format of the "bad" private key, and can convert it to the right PKCS#1 structure with:

    openssl rsa -in badprivatekey.pem -out goodprivatekey.pem

Although `openssl rsa` understands the input file, the tool seems unable to tell me _why_, i.e. what the format of the input file is.

What is the output format of `openssl pkcs12`? Specifically, what is the format of its private key block?

How do I make `openssl pkcs12` output a correct PKCS#1 private key?

Thanks,
Jim
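The `asn1parse` output in the message above (a version INTEGER, an `rsaEncryption` algorithm identifier, then an OCTET STRING) has the shape of a PKCS#8 PrivateKeyInfo, which carries the PKCS#1 RSAPrivateKey inside the OCTET STRING. The Go sketch below is an added example, not part of the original message and not code from apns2 or OpenSSL: the function name `toPKCS1` is hypothetical and the sample key is constructed; it tells the two encodings apart by PEM label and re-encodes the key as PKCS#1.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// toPKCS1 finds the first unencrypted private key block in PEM data, reports
// which encoding it uses, and returns it as a PKCS#1 "RSA PRIVATE KEY" block.
func toPKCS1(pemData []byte) ([]byte, string, error) {
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		var key *rsa.PrivateKey
		var err error
		format := "PKCS#1"
		switch block.Type {
		case "RSA PRIVATE KEY": // bare RSAPrivateKey SEQUENCE (RFC 3447 A.1.2)
			key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		case "PRIVATE KEY": // PKCS#8 PrivateKeyInfo: version, algorithm, OCTET STRING
			var k any
			k, err = x509.ParsePKCS8PrivateKey(block.Bytes)
			key, _ = k.(*rsa.PrivateKey) // stays nil for non-RSA keys
			format = "PKCS#8"
		default: // CERTIFICATE and other blocks
			continue
		}
		if err != nil || key == nil {
			return nil, "", fmt.Errorf("%s block is not a usable RSA key (parse error: %v)", block.Type, err)
		}
		der := x509.MarshalPKCS1PrivateKey(key)
		return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), format, nil
	}
	return nil, "", fmt.Errorf("no unencrypted private key block found")
}

func main() {
	// Constructed sample: a throwaway key wrapped as PKCS#8, standing in for
	// the key block that `openssl pkcs12 -nodes` wrote.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	in := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	out, format, err := toPKCS1(in)
	fmt.Printf("input format: %s, PKCS#1 output: %d bytes, err: %v\n", format, len(out), err)
}
```

The returned PEM holds an unencrypted private key, so write it only to a file with owner-only permissions.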