Kyle, it turns out that my problem was that I was reading the
password from a file while generating the CA.  Something about that
was causing the password to get corrupted, I think...

openssl req -config %OPENSSL_CONF% -new -x509 -extensions v3_ca
-keyout %OPENSSL_HOME%\myCompany\CA\private\cakey.pem -out
%OPENSSL_HOME%\myCompany\CA\cacert.pem -days 1096 -passout
file:%OPENSSL_HOME%\myCompany\CA\private\mycapass.txt

Thanks for all your help though.
-Jon
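
Added example (not part of the original thread, and not the posters' code): the thread does not say how reading the passphrase from a file altered it. OpenSSL's `file:` source uses the first line of the file as the passphrase, so this sketch looks in that line for bytes that would not be typed at the prompt, and `key_opens` runs the `-check` command from Kyle's reply non-interactively. The function names and the listed causes (BOM, carriage return, trailing blank, extra lines) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. passfile_issues and key_opens are
# hypothetical helper names; the checks are assumed causes, not a diagnosis.

# Print one keyword per problem found in the passphrase file $1.
# openssl's "file:" source uses only the first line as the passphrase.
passfile_issues() {
    f=$1
    cr=$(printf '\r')
    # UTF-8 byte-order mark (EF BB BF) written by some Windows editors
    if [ "$(od -An -tx1 -N3 "$f" | tr -d ' \n')" = "efbbbf" ]; then
        echo bom
    fi
    # Carriage return from a CRLF line ending
    if head -n 1 "$f" | grep -q "$cr"; then
        echo cr
    fi
    # Space or tab at the end of the first line
    if head -n 1 "$f" | tr -d '\r' | grep -q '[[:blank:]]$'; then
        echo trailing-space
    fi
    # Anything after the first line is ignored by openssl
    lines=$(wc -l < "$f")
    if [ "$((lines))" -gt 1 ]; then
        echo extra-lines
    fi
    return 0
}

# Return 0 if private key $1 decrypts with the first line of file $2.
key_opens() {
    openssl rsa -in "$1" -check -noout -passin "file:$2" >/dev/null 2>&1
}

# Usage: sh check_pass.sh PASSFILE [KEY.pem]
if [ "$#" -ge 1 ]; then
    passfile_issues "$1"
    if [ "$#" -ge 2 ]; then
        if key_opens "$2" "$1"; then echo "key opens"; else echo "bad decrypt"; fi
    fi
fi
```

Running the check before the CA key is generated with `-passout file:` shows whether the passphrase later typed at the prompt can match what was actually used to encrypt the key.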



On Wed, Dec 17, 2008 at 9:38 AM, Kyle Hamilton <aerow...@gmail.com> wrote:
> One way to check it is:
>
> openssl rsa -inform PEM -in whateveryourfilenameis.pem -check -noout
>
> KyleMac:ossl kyanha$ openssl rsa -inform PEM -in testkey.pem -check -noout
> Enter pass phrase for testkey.pem:
> unable to load Private Key
> 1702:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
> decrypt:evp_enc.c:461:
> 1702:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
>
> This will prompt for your passphrase.  I tried using "changeit" but it
> does not work.  This means that you're simply entering the wrong
> passphrase.
>
> Try using:
>
> openssl genrsa -des3 2048
>
> (Honestly, I'd suggest using the -sha256 parameter instead of -des3,
> but that's just because I don't trust DES at this point.)
>
> Anyway, the envelope around the key is intact.  The passphrase just isn't 
> right.
>
> -Kyle H
>
> On Wed, Dec 17, 2008 at 8:33 AM,  <django...@gmail.com> wrote:
>> Thanks very much for your input. That is what I suspected but I tried over
>> and over again and I tried to be very careful. The code snippet I posted
>> here suggests that the password isn't bad but the real problem is a "wrong
>> final block length"? That's hard to believe also. That is why I posted my test
>> key.
>>
>> The key I posted on this forum was just a test. The password "changeit"
>> should work for it but it doesn't.
>>
>> I'll keep trying. I'll install a brand new OpenSSL and start from scratch
>> again.
>>
>> -Jon
>>
>>
>> On Dec 17, 2008 1:18am, Kyle Hamilton <aerow...@gmail.com> wrote:
>>> You're not entering the correct passphrase for your private key.
>>>
>>> JSYK, since you posted (even an encrypted form of) your private key to
>>> a public list, you should treat it as compromised, generate a new
>>> keypair, and rekey your CA.
>>>
>>> -Kyle H
>>>
>>> On Tue, Dec 16, 2008 at 11:43 AM, Jon Williams (TS)
>>> <jwilli...@thinkstream.com> wrote:
>>> > I am still new to SSL.  I am hoping for some help.  I am trying to
>>> > understand a "bad decrypt" error.  Here is what I tried to do:
>>> >
>>> > Signing CSR and saving tomcatcer.pem .
>>> > openssl ca -config %OPENSSL_HOME%\bin\openssl.cfg -policy policy_anything
>>> > -out tomcatcer.pem -outdir %OPENSSL_HOME%\bin\PEM\myCompany -infiles
>>> > %OPENSSL_HOME%\bin\PEM\myCompany\tomcat.csr
>>> > Using configuration from C:\OpenSSL\bin\openssl.cfg
>>> > Loading 'screen' into random state - done
>>> > Enter pass phrase for c:\OpenSSL/bin/PEM/myCompany/CA/private/cakey.pem:
>>> > unable to load CA private key
>>> > 3048:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
>>> > decrypt:.\crypto\evp\evp_enc.c:461:
>>> > 3048:error:0906A065:PEM routines:PEM_do_header:bad
>>> > decrypt:.\crypto\pem\pem_lib.c:425:
>>> >
>>> > Here are snippets from the source files causing the issue:
>>> > evp_enc.c
>>> > -----
>>> > int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
>>> >   {
>>> >   int i,n;
>>> >   unsigned int b;
>>> >
>>> >   *outl=0;
>>> >   b=ctx->cipher->block_size;
>>> >   if (ctx->flags & EVP_CIPH_NO_PADDING)
>>> >       {
>>> >       if(ctx->buf_len)
>>> >           {
>>> >           EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
>>> >           return 0;
>>> >           }
>>> >       *outl = 0;
>>> >       return 1;
>>> >       }
>>> >   if (b > 1)
>>> >       {
>>> >       if (ctx->buf_len || !ctx->final_used)
>>> >           {
>>> >           EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
>>> >           return(0);
>>> >           }
>>> > ......
>>> >
>>> > pem_lib.c  -->  int
>>> > --------
>>> > int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
>>> >        pem_password_cb *callback,void *u)
>>> > ....
>>> >   if (!o)
>>> >       {
>>> >       PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT);
>>> >       return(0);
>>> >       }
>>> >
>>> > myKey
>>> > -------------
>>> >
>>> > -----BEGIN RSA PRIVATE KEY-----
>>> > Proc-Type: 4,ENCRYPTED
>>> > DEK-Info: DES-EDE3-CBC,EEC5B44B6EE71902
>>> > -----END RSA PRIVATE KEY-----
>>> >
>>> > ______________________________________________________________________
>>> > OpenSSL Project                                 http://www.openssl.org
>>> > User Support Mailing List                    openssl-users@openssl.org
>>> > Automated List Manager                           majord...@openssl.org