EldoS | Feel safer!

Can't load DSA public key in PEM format?

Posted: 02/06/2014 13:17:11
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

I have generated a 1024 bit DSA key using openssl as follows:

openssl dsaparam -out dsaparam.pem 1024
openssl gendsa -des3 -out privkey.pem dsaparam.pem

Loading this privkey.pem into TElDSAKeyMaterial using the Load method works just fine, and both PublicKey and SecretKey return true as expected.

I then proceed to extract the public key part using openssl again:

openssl dsa -in privkey.pem -pubout > pubkey.pem

However, this key I cannot load into TElDSAKeyMaterial. I've tried both with the Load and LoadPublic methods, but in both cases I get an exception saying "Invalid public key".

Am I doing something wrong here?

Using SecureBlackbox.NET
Posted: 02/06/2014 16:10:21
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Indeed, TElDSAKeyMaterial doesn't support loading public keys in the format that OpenSSL generates. You can add this feature to our wish-list: https://www.eldos.com/sbb/wishlist.php#product
Posted: 02/06/2014 16:33:02
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 442

Actually, the OpenSSL key should be PEM-encoded, PKCS#8-wrapped binary key data, and after PEM-decoding it (via the SBPEM unit/namespace) you should be able to load it.
Posted: 02/07/2014 03:38:24
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

I find it a bit odd that it can load the DSA keypair generated by OpenSSL, but not a public key? Anyway, I will add that to the wishlist.

Using SBPEM.Unit.Decode on the public DSA .pem file, I get a byte array of size 443, but then calling TElDSAKeyMaterial.LoadPublic with this resulting array doesn't seem to work either; I still get an exception "Invalid public key".

What formats do the Load method really support?
Posted: 02/07/2014 04:44:04
by Vsevolod Ievgiienko (Team)

The Load method supports the PKCS#8 format for private keys and the DSAPublicKey format described in RFC 3279 for public keys. OpenSSL generates the public key file in another format.
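The two formats the team is contrasting, as an added example that is not part of this thread and not SecureBlackbox code: `openssl dsa -pubout` writes a SubjectPublicKeyInfo (RFC 5280), whose AlgorithmIdentifier carries id-dsa with the Dss-Parms {p, q, g} and whose BIT STRING wraps the bare RFC 3279 DSAPublicKey, which is just INTEGER y. The Python below builds a sample key of that shape from toy-sized, constructed values (so it runs offline; it is not a usable key), then decodes it the way a loader that wants the inner DSAPublicKey would, returning that inner DER together with p, q and g. The decoder also handles the long-form DER lengths a real 1024-bit key needs; how TElDSAKeyMaterial takes the domain parameters is not stated on this page, so nothing here assumes that.

```python
"""Added example: decode OpenSSL's DSA "PUBLIC KEY" (SubjectPublicKeyInfo) and
extract the RFC 3279 DSAPublicKey (INTEGER y) plus Dss-Parms (p, q, g).

  SEQUENCE {                                         -- SubjectPublicKeyInfo
    SEQUENCE { OID id-dsa, SEQUENCE { p, q, g } }    -- AlgorithmIdentifier
    BIT STRING { INTEGER y }                         -- DSAPublicKey inside
  }
"""
import base64
import re

ID_DSA = "1.2.840.10040.4.1"                 # id-dsa, RFC 3279 section 2.3.2
ID_DSA_DER = b"\x2a\x86\x48\xce\x38\x04\x01"  # its DER content octets


# --- minimal DER encoder, used only to construct the sample key ----------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v):
    # one extra leading 0x00 when the top bit is set, so the INTEGER stays positive
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def build_dsa_spki(p, q, g, y):
    """SubjectPublicKeyInfo for a DSA key, laid out as OpenSSL writes it."""
    params = _tlv(0x30, _der_int(p) + _der_int(q) + _der_int(g))
    alg_id = _tlv(0x30, _tlv(0x06, ID_DSA_DER) + params)
    subject_public_key = _tlv(0x03, b"\x00" + _der_int(y))   # 0 unused bits
    return _tlv(0x30, alg_id + subject_public_key)


def der_to_pem(der, label="PUBLIC KEY"):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# --- decoder: what a loader that only accepts bare DSAPublicKey has to do ------
def pem_to_der(pem, label="PUBLIC KEY"):
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block in input" % label)
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """One DER element at pos -> (tag, content octets, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_dsa_spki(der):
    """Return p, q, g, y and the raw DSAPublicKey DER found inside a DSA SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: this is not a SubjectPublicKeyInfo")
    parts = _children(spki)
    if len(parts) != 2 or parts[0][0] != 0x30 or parts[1][0] != 0x03:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    (oid_tag, oid), (_, params) = _children(parts[0][1])
    if oid_tag != 0x06 or _decode_oid(oid) != ID_DSA:
        raise ValueError("AlgorithmIdentifier is not id-dsa")
    p, q, g = (int.from_bytes(v, "big") for _, v in _children(params))
    bits = parts[1][1]
    if bits[0] != 0:
        raise ValueError("subjectPublicKey has unused bits")
    dsa_public_key = bits[1:]                 # this is the RFC 3279 DSAPublicKey
    y_tag, y, _ = _read_tlv(dsa_public_key, 0)
    if y_tag != 0x02:
        raise ValueError("DSAPublicKey is not an INTEGER")
    return {"p": p, "q": q, "g": g, "y": int.from_bytes(y, "big"),
            "dsa_public_key_der": dsa_public_key}


# Constructed sample: toy group (p=23, q=11, g=4 has order 11, y=4^3 mod 23 = 18).
SAMPLE_PEM = der_to_pem(build_dsa_spki(23, 11, 4, 18))

if __name__ == "__main__":
    key = parse_dsa_spki(pem_to_der(SAMPLE_PEM))
    print("p=%d q=%d g=%d y=%d" % (key["p"], key["q"], key["g"], key["y"]))
    print("DSAPublicKey DER:", key["dsa_public_key_der"].hex())
```

Feeding the output of `openssl dsa -pubout` to `parse_dsa_spki` gives the inner DSAPublicKey bytes; feeding those inner bytes back to the same parser fails at the first tag check, which is the mirror image of the loader on this page rejecting the outer structure.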
Posted: 02/07/2014 05:19:55
by Peter Palotas (Basic support level)
Joined: 11/01/2012
Posts: 49

Okay, thanks for the clarification.
Posted: 06/06/2014 07:03:57
by wpjackjack.wordpress.com (Basic support level)
Joined: 06/06/2014
Posts: 9

I probably have the same problem. Currently I'm evaluating CryptoBlackbox for verifying signatures in Delphi created with OpenSSL in PHP.
I tried your "VerifyDetached" sample and it worked out of the box with RSA keys and signatures I created with openssl_sign. Great!

However, if I try to verify a DSA signature in the sample application I get several error messages basically saying it's invalid.
The key and signature are created with OPENSSL_KEYTYPE_DSA and "dss1".
I've attached a file to reproduce it. (I combined the message, the public key and the signature in one file, because I'm not allowed to upload an archive with several files here.)

Is there any workaround for this issue? Or is it currently simply impossible to use your product for PHP-OpenSSL DSA verification? Any outlook possible?

Posted: 06/06/2014 07:24:04
by Vsevolod Ievgiienko (Team)

This public key format is not supported at the moment. Please convert the key to another supported format to use it.
Posted: 06/06/2014 07:30:48
by wpjackjack.wordpress.com (Basic support level)
Joined: 06/06/2014
Posts: 9

As a novice cryptographic user I don't see a difference between a right and wrong public key format. Any hint on how to get the OpenSSL format into the desired format?
Posted: 06/06/2014 07:40:38
by Vsevolod Ievgiienko (Team)

The OpenSSL command for conversion to the supported PFX format will look like this:

openssl pkcs12 -inkey test_key.pem -in test_cert.cert -export -out new_pfx.pfx
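The key-generation steps from the first post and the PKCS#12 conversion from the last one, chained into one script as an added example (not from the thread, not SecureBlackbox code). `openssl pkcs12 -export` needs a certificate to pair with the private key, so the script self-signs a throw-away one; the passphrase, subject name, output directory and file names are assumptions, and the passphrase is passed on the command line only so the script runs unattended.

```sh
#!/bin/sh
# Added example: DSA parameters -> encrypted private key -> public key ->
# throw-away self-signed certificate -> PKCS#12 bundle, then a read-back check.
set -eu

# Writes dsaparam.pem, privkey.pem, pubkey.pem, cert.pem and new_pfx.pfx into "$1".
make_dsa_pfx() (
    dir=$1
    pass='pass:example-passphrase'          # constructed for the example
    mkdir -p "$dir"
    cd "$dir"

    # 1. Domain parameters and a DES3-encrypted private key, as in the first post.
    openssl dsaparam -out dsaparam.pem 1024 2>/dev/null
    openssl gendsa -des3 -passout "$pass" -out privkey.pem dsaparam.pem 2>/dev/null

    # 2. The public key OpenSSL writes carries the "PUBLIC KEY" label
    #    (SubjectPublicKeyInfo), which is the format the thread is about.
    openssl dsa -in privkey.pem -passin "$pass" -pubout -out pubkey.pem 2>/dev/null
    grep -q 'BEGIN PUBLIC KEY' pubkey.pem

    # 3. PKCS#12 bundles a key with a certificate, so make a one-day self-signed one.
    openssl req -new -x509 -key privkey.pem -passin "$pass" \
        -subj '/CN=dsa-example' -days 1 -out cert.pem 2>/dev/null

    # 4. The conversion from the last post, with both passphrases given explicitly.
    openssl pkcs12 -export -inkey privkey.pem -passin "$pass" \
        -in cert.pem -out new_pfx.pfx -passout "$pass"

    # 5. Read the bundle back and confirm it holds the certificate we just made.
    openssl pkcs12 -in new_pfx.pfx -passin "$pass" -nokeys 2>/dev/null \
        | openssl x509 -noout -subject | grep -q 'dsa-example'
)

make_dsa_pfx "${1:-dsa-example}"
```

The function runs in a subshell so the `cd` does not leak into the caller; any failing openssl step aborts it because of `set -e`.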






As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
