public key format - solved
Bruno Randolf
bruno.randolf at 4g-systems.biz
Tue Feb 17 15:58:08 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
hello!
i think i found the reason for this bug and a solution :)
the problem is in net_setup.c function setup_myself(): first the private key is
read, and then if(!read_rsa_public_key(myself->connection)) tries to read the
public key from the config file. in read_rsa_public_key()
PEM_read_RSAPublicKey() will return NULL because it can't read the
subjectPublicKeyInfo format. this sets the RSA*, which contained the private
key to NULL. afterwards the public key is read with PEM_read_RSA_PUBKEY(),
but the private key is lost.
this could obviously be fixed in read_rsa_public_key(), but reading the public
key for "myself" is not necessary anyways, since it's included in the private
key anyways - so i just commented out:
//br1: not necessary because private key already contains everything
// if(!read_rsa_public_key(myself->connection))
// return false;
in net_setup.c (line 256, 257) and everything works fine.
greetings,
bruno
On Saturday 14 February 2004 00:25, Guus Sliepen wrote:
> On Fri, Feb 13, 2004 at 05:59:28PM +0100, Bruno Randolf wrote:
> > i would like to use tinc with public keys which are extracted from x509
> > certificates. the only public key format i was able to extract from
> > certificates with openssl commands looked like this:
> > - -----BEGIN PUBLIC KEY-----
>
> [...]
>
> > i think this is the X.509 subjectPublicKeyInfo format.
> > the public keys that tinc generates look like that
> >
> > - -----BEGIN RSA PUBLIC KEY-----
>
> [...]
>
> > which may be a PKCS #1 RSAPublicKey (?)
> > unfortunately tinc crashes with a segmentation fault when i try to use
> > the first format:
>
> [...]
>
> > does anyone know a way to convert the first key format to one tinc
> > understands? or is there a way tinc can handle the subjectPublicKeyInfo
> > format? looking at the source it seems like it's supposed to be able to
> > read both formats.
>
> tinc tries both PEM_read_RSAPublicKey() and PEM_read_RSA_PUBKEY(), which
> treat keys a bit differently although I don't have a clue what the
> difference is. But apparently it didn't work for your key. I suggest you
> ask the OpenSSL developers.
>
> Alternatively, you could try this version of tinc using gnutls and
> libgcrypt:
>
> http://sliepen.eu.org/~guus/tinc-1.0-gnutls.tar.gz
>
> It uses TLS for the meta connections, and accepts PEM encoded X.509
> certificates directly. Note that this version is not supported, not
> tested, and currently only prints a warning if a certificate is not
> signed by a trusted party. You'll have to hack in the source code if you
> want it to work properly.
- --
4G Systeme GmbH
Am Sandtorkai 71
20457 Hamburg
fon: +49 (0)40 / 48 40 33 28
fax: +49 (0)40 / 48 40 33 30
mail: bruno.randolf at 4g-systems.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAMiwGfg2jtUL97G4RAny5AKCGyYpLXIhvOJNmtVLDsmvMOs1GWQCeKClC
zgIbRTnQtccSbrPW4gtOtjQ=
=pBaI
-----END PGP SIGNATURE-----
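The two PEM formats discussed in the thread differ only by an outer envelope: "BEGIN PUBLIC KEY" is an X.509 SubjectPublicKeyInfo (an AlgorithmIdentifier carrying the rsaEncryption OID, plus a BIT STRING that contains the PKCS #1 RSAPublicKey), while "BEGIN RSA PUBLIC KEY" is that inner RSAPublicKey on its own, which is what PEM_read_RSAPublicKey() parses. The converter below is an added example, not code from the list post or from tinc. It uses only the Python standard library with a minimal DER codec, and the modulus and exponent are constructed sample values rather than a real key. It checks the PEM label, unwraps the SubjectPublicKeyInfo envelope after verifying the OID, and re-emits the inner RSAPublicKey, which answers the conversion question asked in the thread.

```python
"""Convert an X.509 SubjectPublicKeyInfo RSA key ("BEGIN PUBLIC KEY") to the
PKCS #1 RSAPublicKey form ("BEGIN RSA PUBLIC KEY"). Added example; the sample
key material is constructed and is not a real RSA modulus."""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


# ---- minimal DER encoder -------------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    # One extra byte so a set high bit gets a leading 0x00 (positive INTEGER).
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_pkcs1(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _tlv(0x30, _der_int(n) + _der_int(e))


def encode_spki(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }"""
    alg = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    bits = _tlv(0x03, b"\x00" + encode_pkcs1(n, e))  # 0x00 = no unused bits
    return _tlv(0x30, alg + bits)


# ---- minimal DER decoder -------------------------------------------------
def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out


def decode_pkcs1(der):
    """Return (n, e) from a DER RSAPublicKey, rejecting anything else."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    ints = _children(body)
    if len(ints) != 2 or any(t != 0x02 for t, _ in ints):
        raise ValueError("RSAPublicKey must hold exactly two INTEGERs")
    return int.from_bytes(ints[0][1], "big"), int.from_bytes(ints[1][1], "big")


def spki_to_pkcs1(der):
    """Strip the SubjectPublicKeyInfo envelope and return the inner RSAPublicKey DER."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    parts = _children(body)
    if len(parts) != 2 or parts[0][0] != 0x30 or parts[1][0] != 0x03:
        raise ValueError("expected AlgorithmIdentifier followed by BIT STRING")
    oid_tag, oid = _children(parts[0][1])[0]
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bits = parts[1][1]
    if bits[:1] != b"\x00":
        raise ValueError("unexpected unused-bits count in BIT STRING")
    return bits[1:]


# ---- PEM handling ---------------------------------------------------------
def pem_decode(pem):
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    label = lines[0][len("-----BEGIN "):-len("-----")]
    return label, base64.b64decode("".join(lines[1:-1]))


def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def to_tinc_format(pem):
    """Accept either PEM label and return the PKCS #1 PEM with the same n and e."""
    label, der = pem_decode(pem)
    if label == "PUBLIC KEY":
        der = spki_to_pkcs1(der)
    elif label != "RSA PUBLIC KEY":
        raise ValueError(f"unsupported PEM label: {label}")
    decode_pkcs1(der)  # validate before re-emitting
    return pem_encode("RSA PUBLIC KEY", der)


# Constructed sample values (not a real key): a 480-bit "modulus" and e = 65537.
SAMPLE_N = int("c0ffee" * 20, 16)
SAMPLE_E = 65537
SAMPLE_SPKI_PEM = pem_encode("PUBLIC KEY", encode_spki(SAMPLE_N, SAMPLE_E))

if __name__ == "__main__":
    print(SAMPLE_SPKI_PEM)
    print(to_tinc_format(SAMPLE_SPKI_PEM))
```

Dispatching on the PEM label before calling the matching parser is also the defensive counterpart of the crash described above: a reader that checks the label up front never hands a key object it still needs to a parser that cannot succeed, so it does not depend on a failed parse leaving that object untouched.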
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/