public key format - solved

Bruno Randolf bruno.randolf at 4g-systems.biz
Tue Feb 17 15:58:08 CET 2004



hello!

i think i found the reason for this bug and a solution :)

the problem is in net_setup.c function setup_myself(): first the private key is 
read, and then if(!read_rsa_public_key(myself->connection)) tries to read the 
public key from the config file. in read_rsa_public_key() 
PEM_read_RSAPublicKey() will return NULL because it can't read the 
subjectPublicKeyInfo format. this sets the RSA*, which contained the private 
key to NULL. afterwards the public key is read with PEM_read_RSA_PUBKEY(), 
but the private key is lost. 

this could obviously be fixed in read_rsa_public_key(), but reading the public 
key for "myself" is not necessary anyways, since it's included in the private 
key anyways - so i just commented out:
	
	//br1: not necessary because private key already contains everything
	// if(!read_rsa_public_key(myself->connection))
	//	return false;

in net_setup.c (line 256, 257) and everything works fine.

greetings, 
bruno


On Saturday 14 February 2004 00:25, Guus Sliepen wrote:
> On Fri, Feb 13, 2004 at 05:59:28PM +0100, Bruno Randolf wrote:
> > i would like to use tinc with public keys which are extracted from x509
> > certificates. the only public key format i was able to extract from
> > certificates with openssl commands looked like this:
> > -----BEGIN PUBLIC KEY-----
>
> [...]
>
> > i think this is the X.509 subjectPublicKeyInfo format.
> > the public keys that tinc generates look like that
> >
> > -----BEGIN RSA PUBLIC KEY-----
>
> [...]
>
> > which may be a PKCS #1 RSAPublicKey (?)
> > unfortunately tinc crashes with a segmentation fault when i try to use
> > the first format:
>
> [...]
>
> > does anyone know a way to convert the first key format to one tinc
> > understands? or is there a way tinc can handle the subjectPublicKeyInfo
> > format? looking at the source it seems like it's supposed to be able to
> > read both formats.
>
> tinc tries both PEM_read_RSAPublicKey() and PEM_read_RSA_PUBKEY(), which
> treat keys a bit different although I don't have a clue what the
> difference is. But apparently it didn't work for your key. I suggest you
> ask the OpenSSL developers.
>
> Alternatively, you could try this version of tinc using gnutls and
> libgcrypt:
>
> http://sliepen.eu.org/~guus/tinc-1.0-gnutls.tar.gz
>
> It uses TLS for the meta connections, and accepts PEM encoded X.509
> certificates directly. Note that this version is not supported, not
> tested, and currently only prints a warning if a certificate is not
> signed by a trusted party. You'll have to hack in the source code if you
> want it to work properly.

-- 
4G Systeme GmbH
Am Sandtorkai 71
20457 Hamburg
fon: +49 (0)40 / 48 40 33 28
fax: +49 (0)40 / 48 40 33 30
mail: bruno.randolf at 4g-systems.biz
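The two encodings discussed in this thread, as an added example that is neither tinc's code nor part of the original post: a small C routine that decodes a PEM block and classifies its DER as a PKCS #1 RSAPublicKey or an X.509 SubjectPublicKeyInfo, so a loader can call the matching OpenSSL reader directly instead of probing with PEM_read_RSAPublicKey() first and, as described above, losing the RSA* when that probe fails. The base64 decoder, the function names and the constructed DER samples in the comments are assumptions, not anything from tinc or OpenSSL.

```c
/* Added example, not tinc's or OpenSSL's code: tell a PKCS#1 RSAPublicKey from
 * an X.509 SubjectPublicKeyInfo by inspecting the DER inside a PEM block. */
#include <stddef.h>
#include <string.h>
enum pubkey_fmt { FMT_UNKNOWN = 0, FMT_PKCS1_RSA, FMT_SPKI };
/* Minimal base64 decoder for a PEM body; returns bytes written or -1 on error. */
static int b64_decode(const char *s, unsigned char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (; *s && *s != '='; s++) {
        if (*s == '\n' || *s == '\r' || *s == ' ' || *s == '\t') continue;
        const char *q = strchr(tbl, *s);
        if (!q) return -1;
        acc = ((acc << 6) | (unsigned)(q - tbl)) & 0xffffff; bits += 6;
        if (bits >= 8) { bits -= 8; if (n == cap) return -1; out[n++] = (acc >> bits) & 0xff; }
    }
    return (int)n;
}
/* Number of bytes used by the DER length field at p, or 0 if malformed. */
static size_t der_len_bytes(const unsigned char *p, size_t avail)
{
    if (avail < 1) return 0; if (p[0] < 0x80) return 1;   /* short form */
    size_t k = p[0] & 0x7f;                                /* long form: k octets */
    return (k >= 1 && k <= 4 && avail > k) ? 1 + k : 0;
}
/* Both encodings open with a SEQUENCE; its first element decides: INTEGER (modulus)
 * -> PKCS#1 RSAPublicKey, SEQUENCE (AlgorithmIdentifier) -> SubjectPublicKeyInfo. */
enum pubkey_fmt classify_der(const unsigned char *d, size_t n)
{
    if (n < 2 || d[0] != 0x30) return FMT_UNKNOWN;
    size_t l = der_len_bytes(d + 1, n - 1);
    if (l == 0 || 1 + l >= n) return FMT_UNKNOWN;
    unsigned char first = d[1 + l];
    return first == 0x02 ? FMT_PKCS1_RSA : first == 0x30 ? FMT_SPKI : FMT_UNKNOWN;
}
/* Classify a PEM block by its payload; the BEGIN label is deliberately not trusted.
 * Constructed samples: "MAYCAQUCAQM=" is SEQUENCE{INT 5, INT 3} (PKCS#1 shape),
 * "MAwwBQYDKgMEAwMA/wA=" is SEQUENCE{SEQUENCE{OID}, BIT STRING} (SPKI shape). */
enum pubkey_fmt classify_pem(const char *pem)
{
    char body[8192]; unsigned char der[4096];
    const char *b = strstr(pem, "-----BEGIN ");
    if (!b || !(b = strchr(b, '\n'))) return FMT_UNKNOWN;
    const char *e = strstr(b, "-----END ");
    if (!e || (size_t)(e - b) >= sizeof body) return FMT_UNKNOWN;
    memcpy(body, b, (size_t)(e - b)); body[e - b] = '\0';
    int n = b64_decode(body, der, sizeof der);
    return n < 0 ? FMT_UNKNOWN : classify_der(der, (size_t)n);
}
```

Whichever reader is then chosen, read into a NULL-initialised temporary and assign to the connection's RSA* only on success, so a failed parse cannot null out a key that was already loaded.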


Tinc:         Discussion list about the tinc VPN daemon
Archive:      http://mail.nl.linux.org/lists/
Tinc site:    http://tinc.nl.linux.org/