If you take your passphrase from an input file, it might include the
trailing newline as part of the passphrase.  (I haven't checked this,
but it's a possibility.  If it does, would this be a bug?)

-Kyle H
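
A check for the possibility raised above, as an added example that is not part of the original message: it inspects the raw bytes of a passphrase file for characters nobody would type at the prompt and lists the passphrase variants worth trying. It assumes only that `-passout file:` takes the first line of the file; the function names and the sample bytes are constructed for illustration.

```python
import codecs

# Byte-order marks that some editors prepend to text files.
BOMS = {
    "UTF-8 byte-order mark": codecs.BOM_UTF8,
    "UTF-16 LE byte-order mark": codecs.BOM_UTF16_LE,
    "UTF-16 BE byte-order mark": codecs.BOM_UTF16_BE,
}


def inspect_passphrase_bytes(raw):
    """Return (first_line, findings) for the raw bytes of a passphrase file."""
    first_line, _, rest = raw.partition(b"\n")
    findings = [name for name, bom in BOMS.items() if first_line.startswith(bom)]
    if first_line.endswith(b"\r"):
        findings.append("carriage return before the newline (CRLF line ending)")
    body = first_line.rstrip(b"\r")
    if body != body.rstrip(b" \t"):
        findings.append("trailing space or tab")
    if b"\x00" in raw:
        findings.append("NUL byte (file may be saved as UTF-16)")
    if rest.strip(b"\r\n \t\x00"):
        findings.append("text after the first line")
    return first_line, findings


def candidate_passphrases(raw):
    """List the byte strings the key may have been encrypted under, in order:
    the clean first line, then the variants that keep line-ending bytes."""
    first_line, newline, _ = raw.partition(b"\n")
    clean = first_line.rstrip(b"\r")
    seen, ordered = set(), []
    for variant in (clean, first_line, first_line + newline):
        if variant not in seen:
            seen.add(variant)
            ordered.append(variant)
    return ordered


if __name__ == "__main__":
    # Constructed sample: the thread's test passphrase saved with a CRLF ending.
    sample = b"changeit\r\n"
    line, notes = inspect_passphrase_bytes(sample)
    print(repr(line), notes)
    for candidate in candidate_passphrases(sample):
        print(repr(candidate))
```

Read the real file with `open(path, "rb").read()` so that no newline translation hides the bytes being checked.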

On Thu, Dec 18, 2008 at 4:45 PM, Jon Williams <django...@gmail.com> wrote:
> Kyle,  it turns out that my problem was that I was reading the
> password from a file while generating the CA.  Something about that
> was causing the password to get corrupted I think...
>
> openssl req -config %OPENSSL_CONF% -new -x509 -extensions v3_ca
> -keyout %OPENSSL_HOME%\myCompany\CA\private\cakey.pem -out
> %OPENSSL_HOME%\myCompany\CA\cacert.pem -days 1096 -passout
> file:%OPENSSL_HOME%\myCompany\CA\private\mycapass.txt
>
> Thanks for all your help though.
> -Jon
>
> On Wed, Dec 17, 2008 at 9:38 AM, Kyle Hamilton <aerow...@gmail.com> wrote:
>> One way to check it is:
>>
>> openssl rsa -inform PEM -in whateveryourfilenameis.pem -check -noout
>>
>> KyleMac:ossl kyanha$ openssl rsa -inform PEM -in testkey.pem -check -noout
>> Enter pass phrase for testkey.pem:
>> unable to load Private Key
>> 1702:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
>> decrypt:evp_enc.c:461:
>> 1702:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
>>
>> This will prompt for your passphrase.  I tried using "changeit" but it
>> does not work.  This means that you're simply entering the wrong
>> passphrase.
>>
>> Try using:
>>
>> openssl genrsa -des3 2048
>>
>> (Honestly, I'd suggest using the -sha256 parameter instead of -des3,
>> but that's just because I don't trust DES at this point.)
>>
>> Anyway, the envelope around the key is intact.  The passphrase just isn't 
>> right.
>>
>> -Kyle H
>>
>> On Wed, Dec 17, 2008 at 8:33 AM,  <django...@gmail.com> wrote:
>>> Thanks very much for your input. That is what I suspected but I tried over
>>> and over again and I tried to be very careful. The code snippet I posted
>>> here suggests that the password isn't bad but the real problem is a "wrong
>>> final block length"? That's hard to believe also. That is why I posted my test
>>> key.
>>>
>>> The key I posted on this forum was just a test. The password "changeit"
>>> should work for it but it doesn't.
>>>
>>> I'll keep trying. I'll install a brand new OpenSSL and start from scratch
>>> again.
>>>
>>> -Jon
>>>
>>>
>>> On Dec 17, 2008 1:18am, Kyle Hamilton <aerow...@gmail.com> wrote:
>>>> You're not entering the correct passphrase for your private key.
>>>>
>>>> JSYK, since you posted (even an encrypted form of) your private key to
>>>> a public list, you should treat it as compromised, generate a new
>>>> keypair, and rekey your CA.
>>>>
>>>> -Kyle H
>>>>
>>>> On Tue, Dec 16, 2008 at 11:43 AM, Jon Williams (TS) <jwilli...@thinkstream.com> wrote:
>>>> > I am still new to SSL.  I am hoping for some help.  I am trying to
>>>> > understand a "bad decrypt" error.  Here is what I tried to do:
>>>> >
>>>> > Signing CSR and saving tomcatcer.pem .
>>>> > openssl ca -config %OPENSSL_HOME%\bin\openssl.cfg -policy policy_anything
>>>> > -out tomcatcer.pem -outdir %OPENSSL_HOME%\bin\PEM\myCompany -infiles
>>>> > %OPENSSL_HOME%\bin\PEM\myCompany\tomcat.csr
>>>> > Using configuration from C:\OpenSSL\bin\openssl.cfg
>>>> > Loading 'screen' into random state - done
>>>> > Enter pass phrase for c:\OpenSSL/bin/PEM/myCompany/CA/private/cakey.pem:
>>>> > unable to load CA private key
>>>> > 3048:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
>>>> > decrypt:.\crypto\evp\evp_enc.c:461:
>>>> > 3048:error:0906A065:PEM routines:PEM_do_header:bad
>>>> > decrypt:.\crypto\pem\pem_lib.c:425:
>>>> >
>>>> > Here are snippets from the source files causing the issue:
>>>> > evp_enc.c
>>>> > -----
>>>> > int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
>>>> >   {
>>>> >   int i,n;
>>>> >   unsigned int b;
>>>> >
>>>> >   *outl=0;
>>>> >   b=ctx->cipher->block_size;
>>>> >   if (ctx->flags & EVP_CIPH_NO_PADDING)
>>>> >       {
>>>> >       if(ctx->buf_len)
>>>> >           {
>>>> >           EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
>>>> >           return 0;
>>>> >           }
>>>> >       *outl = 0;
>>>> >       return 1;
>>>> >       }
>>>> >   if (b > 1)
>>>> >       {
>>>> >       if (ctx->buf_len || !ctx->final_used)
>>>> >           {
>>>> >           EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
>>>> >           return(0);
>>>> >           }
>>>> > ......
>>>> >
>>>> > pem_lib.c  -->  int
>>>> > --------
>>>> > int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
>>>> >        pem_password_cb *callback,void *u)
>>>> > ....
>>>> >   if (!o)
>>>> >       {
>>>> >       PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT);
>>>> >       return(0);
>>>> >       }
>>>> >
>>>> > myKey
>>>> > -------------
>>>> >
>>>> > -----BEGIN RSA PRIVATE KEY-----
>>>> > Proc-Type: 4,ENCRYPTED
>>>> > DEK-Info: DES-EDE3-CBC,EEC5B44B6EE71902
>>>> >
>>>> > -----END RSA PRIVATE KEY-----
>>>> >
>>>> > ______________________________________________________________________
>>>> > OpenSSL Project                                 http://www.openssl.org
>>>> > User Support Mailing List                    openssl-users@openssl.org
>>>> > Automated List Manager                           majord...@openssl.org