hello!

i would like to use tinc with public keys which are extracted from x509 certificates. the only public key format i was able to extract from certificates with openssl commands looked like this:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwXDZs8EBb/JyZ9daB3Zk9WHxD
ULpek5NANbuHikHe8drH+QdE6DZ8qo4IXroDlT53yR7y39hmB8c1a+vryqORe2dl
gK6WAlyIopjS7MY/4+gEgeXnkKjNWf9DavY/XySWwxDBEbX8DUzsBoJFeAsvu6tl
CeINpU3Fvv/7Vfcy5wIDAQAB
-----END PUBLIC KEY-----

i think this is the X.509 subjectPublicKeyInfo format. the public keys that tinc generates look like that:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALBcNmzwQFv8nJn11oHdmT1YfENQul6Tk0A1u4eKQd7x2sf5B0ToNnyq
jgheugOVPnfJHvLf2GYHxzVr6+vKo5F7Z2WArpYCXIiimNLsxj/j6ASB5eeQqM1Z
/0Nq9j9fJJbDEMERtfwNTOwGgkV4Cy+7q2UJ4g2lTcW+//tV9zLnAgMBAAE=
-----END RSA PUBLIC KEY-----

which may be a PKCS #1 RSAPublicKey (?)

unfortunately tinc crashes with a segmentation fault when i try to use the first format:

Trying to connect to mtx1 (172.16.1.1 port 655)
Connected to mtx1 (172.16.1.1 port 655)
Sending ID to mtx1 (172.16.1.1 port 655): 0 mtx58 17
Sending 11 bytes of metadata to mtx1 (172.16.1.1 port 6
Got ID from mtx1 (172.16.1.1 port 655): 0 mtx1 17
Sending METAKEY to mtx1 (172.16.1.1 port 655): 1 94 64 0 0 57C9352011BC165C8DFCCB0E9FCBC795C0B1E21014694F4E37B9BFF8BBAC210CE6D4F9293A02985F4AF49F7181F8E793E39CAE8406D8FDC09610A301FC8337C426DC56BDF0B16D803A1F3337A3C02538301DB424310AE84C034389768DDC164FDBD3E8A2A9DBFC6E30872AE4512EAD01D3035208EDC185F684BE0979ED0FAACC
Sending 269 bytes of metadata to mtx1 (172.16.1.1 port 655)
Got METAKEY from mtx1 (172.16.1.1 port 655): 1 94 64 00940CFADF1B814D823495F01D8F4C5319953417CA04771401B07EC683E6802AD3C29B024AB14AB24E783EA9BD3DF125A71347C258DB235BE0152D9040AF039403DDB1ED76A908C5C19893A180723AE8623B1716DA9B7DCB280D443FB2B787A2C2647249D43C07ACE0A7F4FA0288DEE53EABFE9360A008E03416084F2AA4E38D21
Got fatal signal 11 (Segmentation fault)
Checkpoint trace: protocol_auth.c:215 <- protocol.c:135 <- meta.c:103 <- net.c:266 <- net.c:119 <- event.c:93 <- meta.c:44 <- protocol.c:74 <- protocol_auth.c:142 <- protocol_auth.c:131 <- conf.c:146 <- conf.c:106 <- conf.c:146 <- conf.c:106 <- conf.c:183 <- conf.c:106...

does anyone know a way to convert the first key format to one tinc understands? or is there a way tinc can handle the subjectPublicKeyInfo format? looking at the source it seems like it's supposed to be able to read both formats.

thanks for your help,
bruno

Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://tinc.nl.linux.org/
On Fri, Feb 13, 2004 at 05:59:28PM +0100, Bruno Randolf wrote:

> i would like to use tinc with public keys which are extracted from x509
> certificates. the only public key format i was able to extract from
> certificates with openssl commands looked like this:
>
> -----BEGIN PUBLIC KEY-----
[...]
> i think this is the X.509 subjectPublicKeyInfo format.
> the public keys that tinc generates look like that:
>
> -----BEGIN RSA PUBLIC KEY-----
[...]
> which may be a PKCS #1 RSAPublicKey (?)
> unfortunately tinc crashes with a segmentation fault when i try to use the
> first format:
[...]
> does anyone know a way to convert the first key format to one tinc
> understands? or is there a way tinc can handle the subjectPublicKeyInfo
> format? looking at the source it seems like it's supposed to be able to read
> both formats.

tinc tries both PEM_read_RSAPublicKey() and PEM_read_RSA_PUBKEY(), which treat keys a bit different although I don't have a clue what the difference is. But apparently it didn't work for your key. I suggest you ask the OpenSSL developers.

Alternatively, you could try this version of tinc using gnutls and libgcrypt:

http://sliepen.eu.org/~guus/tinc-1.0-gnutls.tar.gz

It uses TLS for the meta connections, and accepts PEM encoded X.509 certificates directly. Note that this version is not supported, not tested, and currently only prints a warning if a certificate is not signed by a trusted party. You'll have to hack in the source code if you want it to work properly.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@sliepen.eu.org>
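The difference Guus mentions is exactly the two encodings Bruno posted: PEM_read_RSAPublicKey() expects a bare PKCS #1 RSAPublicKey ("BEGIN RSA PUBLIC KEY"), while PEM_read_RSA_PUBKEY() expects an X.509 SubjectPublicKeyInfo ("BEGIN PUBLIC KEY"), which wraps that same RSAPublicKey in a SEQUENCE together with an AlgorithmIdentifier and a BIT STRING. The converter below is an added example, not code from the thread or from tinc: it unwraps the SubjectPublicKeyInfo with a minimal DER reader, using Bruno's key from the message above as input, and produces the RSA PUBLIC KEY block he posted (both blocks encode the same 1024-bit key).

```python
import base64

# Bruno's subjectPublicKeyInfo key as posted in the thread (sample input).
SPKI_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwXDZs8EBb/JyZ9daB3Zk9WHxD
ULpek5NANbuHikHe8drH+QdE6DZ8qo4IXroDlT53yR7y39hmB8c1a+vryqORe2dl
gK6WAlyIopjS7MY/4+gEgeXnkKjNWf9DavY/XySWwxDBEbX8DUzsBoJFeAsvu6tl
CeINpU3Fvv/7Vfcy5wIDAQAB
-----END PUBLIC KEY-----
"""

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of OID 1.2.840.113549.1.1.1 (rsaEncryption)

def read_tlv(der, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7f
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def pem_to_der(pem):
    """Decode the base64 body between the BEGIN/END lines, whatever the label."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def spki_to_pkcs1(spki_pem):
    """SubjectPublicKeyInfo -> PKCS #1 RSAPublicKey, the form PEM_read_RSAPublicKey() reads."""
    tag, spki, _ = read_tlv(pem_to_der(spki_pem), 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, pos = read_tlv(spki, 0)          # AlgorithmIdentifier
    if tag != 0x30 or not algid.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)         # BIT STRING holding the RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:            # first byte = count of unused bits, must be 0
        raise ValueError("malformed subjectPublicKey BIT STRING")
    return der_to_pem(bitstr[1:], "RSA PUBLIC KEY")

def rsa_public_numbers(pkcs1_pem):
    """(n, e) from a PKCS #1 RSAPublicKey PEM, to sanity-check a conversion."""
    _, body, _ = read_tlv(pem_to_der(pkcs1_pem), 0)
    _, n, pos = read_tlv(body, 0)
    _, e, _ = read_tlv(body, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")
```

OpenSSL 1.0.0 and later do the same with `openssl rsa -pubin -in pubkey.pem -RSAPublicKey_out`; the 0.9.x tools of the thread's era have no such option, which is why a small converter is handy.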