Cannot save SSH public key after importing X.509 cert - error 3333

#37530
Posted: 08/23/2016 06:48:43
by Nando Dessena (Basic support level)
Joined: 08/23/2016
Posts: 3
Hello,
I have read articles and searched around in the forum but I couldn't find anything relevant, so I am posting here. I am trying to create an SSH key by importing an X.509 certificate in PEM format and then saving the public key to a string. Here's the code I am using (modified from the SSHSFTPServerDemo sample):

Code
  C := TElX509Certificate.Create(nil);
  C.LoadFromBufferPEM(@Cert[1], Length(Cert), '');   // integer result code; 0 means the PEM loaded
  K := TElSSHKey.Create;
  K.Import(C);                                       // take the certificate's public key into the SSH key
//  K.Algorithm := ALGORITHM_RSA;
//  K.KeyFormat := kfOpenSSH;

  SetLength(FPublicKey, 10000);
  LLength := Length(FPublicKey);
  LResult := K.SavePublicKey(@FPublicKey[1], LLength); // 0 on success; LLength comes back as the bytes written
  SetLength(FPublicKey, LLength);                      // shrink (or grow) the buffer to the reported size
  if LResult <> 0 then
    LResult := K.SavePublicKey(@FPublicKey[1], LLength); // retry once with the resized buffer
  Result := LResult = 0;                               // success only when the save returned 0
  K.Free;
  C.Free;

The SavePublicKey call always returns 3333 (unsupported algorithm) regardless of whether I set the Algorithm and/or KeyFormat properties. The Import call appears to work fine (how do I check?), as does the LoadFromBufferPEM call.

It looks like the code doesn't know what the public key algorithm is. I have tried this openssl command:

Code
openssl x509 -in c:\temp\cert\cbi.pem -text -noout

and it says

Code
Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)

What am I missing?

Thanks
#37534
Posted: 08/23/2016 07:31:04
by Eugene Mayevski (EldoS Corp.)

Thank you for your interest in our products.

The first thing to do is check the steps taken. The LoadFromStreamPEM method returns an integer result code. Please check if it's 0.


Sincerely yours
Eugene Mayevski
#37539
Posted: 08/23/2016 09:16:56
by Nando Dessena (Basic support level)
Joined: 08/23/2016
Posts: 3
Thanks. It's actually LoadFromBufferPEM and yes, it returns 0.
#37542
Posted: 08/23/2016 10:01:35
by Eugene Mayevski (EldoS Corp.)

The combination of settings which you have commented out on lines 5 and 6 should work correctly. If it doesn't work for you, then we'd need to test your code and your certificate locally (but this is available only to customers with Premium support).


Sincerely yours
Eugene Mayevski
#37543
Posted: 08/23/2016 11:14:26
by Nando Dessena (Basic support level)
Joined: 08/23/2016
Posts: 3
My fault; I seem to be able to extract the key now but I still cannot use it for SFTP authentication (SSHSFTPServerDemo + SimpleSftpDemo) since the SHA fingerprints of the private and public key appear to be different.

Should I open a new topic for this? I have confirmed through the MessagesDemo that I can use the original X.509 cert + privk to encrypt and decrypt files correctly, so it still seems a key extraction problem to me.

P.S. Is Premium support something you get when you buy a license or sold separately? Right now I am trying to understand if the library fits my customer's needs.

Thanks
#37548
Posted: 08/23/2016 11:59:30
by Eugene Mayevski (EldoS Corp.)

Quote
Nando Dessena wrote:
My fault; I seem to be able to extract the key now but I still cannot use it for SFTP authentication (SSHSFTPServerDemo + SimpleSftpDemo) since the SHA fingerprints of the private and public key appear to be different.


Of course, they will be different. A "fingerprint" is a hash, and since the key material is different, the hashes are different as well.

Quote
Nando Dessena wrote:
Should I open a new topic for this? I have confirmed through the MessagesDemo that I can use the original X.509 cert + privk to encrypt and decrypt files correctly, so it still seems a key extraction problem to me.


I assume that you tried to use the private key as you have it now? I am afraid this won't work.

You probably need to import the certificate's private key into the same certificate, then convert everything to an SSH keypair and use that keypair.

Quote
Nando Dessena wrote:
P.S. Is Premium support something you get when you buy a license or sold separately? Right now I am trying to understand if the library fits my customer's needs.


Premium support is included for a certain period of time with new licenses, and can also be purchased separately via https://www.eldos.com/support/calc.php .

If you purchase Premium support and the "main" product license is purchased while Premium support lasts, we can reduce the price of the product license by the cost of the Premium support license (the term of the Premium support coming with the product license is recalculated accordingly).


Sincerely yours
Eugene Mayevski
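To make the conversion the thread is after concrete, here is an added example (not from the thread and not SecureBlackbox code) in plain Python: it builds the one-line OpenSSH public key that a kfOpenSSH save is expected to produce from an RSA exponent and modulus, parses such a line back, and computes the ssh-keygen style SHA256 fingerprint. The RSA parameters P, Q, E are constructed toy values, far too small for real use. The fingerprint is taken over the public key blob only, so the key extracted from a certificate and the public half of the private key that belongs to it give the same fingerprint; a mismatch means the two do not belong together.

```python
import base64
import hashlib
import struct

# Constructed toy RSA parameters, far too small for real use; a real certificate
# carries a 1024-bit or larger modulus, as the openssl output in the thread shows.
P, Q, E = 1000003, 1000033, 65537
N = P * Q  # the private key's modulus; the certificate's SPKI carries the same n and e

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a leading zero byte is
    added when the top bit is set so the value is not read as negative."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)

def rsa_public_blob(e: int, n: int) -> bytes:
    """RFC 4253 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def openssh_public_line(e: int, n: int, comment: str = "") -> str:
    """One-line OpenSSH public key, the layout kfOpenSSH is expected to emit."""
    line = "ssh-rsa " + base64.b64encode(rsa_public_blob(e, n)).decode()
    return line + (" " + comment if comment else "")

def parse_openssh_public_line(line: str) -> tuple:
    """Inverse of openssh_public_line: return (e, n); raise on malformed input."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob, parts, off = base64.b64decode(fields[1]), [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")

def fingerprint_sha256(e: int, n: int) -> str:
    """ssh-keygen -l style: SHA-256 of the public blob, base64 without padding.
    It depends only on (e, n), so the certificate's key and the public half of
    the matching private key must agree."""
    digest = hashlib.sha256(rsa_public_blob(e, n)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```

Feeding the modulus and exponent of a real private key and of the certificate's SubjectPublicKeyInfo into fingerprint_sha256 is the quickest way to tell whether an extracted public key actually matches the private key you intend to authenticate with.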