The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


openssl: checking out RSA private key files in .rsa and .pem format

Posted by jpluimers on 2019/03/19

While checking out an issue with the SSH server for ContinuaCI (see info below), I wanted to look at the files at the root of that issue: the .pem and .rsa files holding the private key for the SSH server.

So I browsed through my series of openssl related articles to see if I had already written a script that explains the cryptic openssl command-line parameters better. I didn’t have one yet, but it turned out to be really simple:

C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa -text
Private-Key: (1024 bit)
modulus:
    ..:..:..:.....
publicExponent: 35 (0x23)
privateExponent:
    ..:..:..:.....
prime1:
    ..:..:..:.....
prime2:
    ..:..:..:.....
exponent1:
    ..:..:..:.....
exponent2:
    ..:..:..:.....
coefficient:
    ..:..:..:.....
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem
Enter pass phrase for server_keypair.pem:
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem -passin pass:password
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

The command-lines use the [WayBack]rsa tool with:

  • the -in parameter
  • (for the first file) the -text parameter to dump it in human-readable form
  • (for the second file) the -passin parameter with a [WayBack] pass phrase argument pass:password.

The server_keypair.pem file (with the header -----BEGIN ENCRYPTED PRIVATE KEY----- and footer -----END ENCRYPTED PRIVATE KEY-----) was a password-protected RSA private key for which ContinuaCI somehow had the wrong password.

I’m not sure it’s a good idea that the server_keypair.pem file has no password at all.
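As an added example (my own code, not from the original post and not part of ContinuaCI or OpenSSL), the script below does in Python what the two openssl sessions above do by hand: it classifies a key file by its PEM header (the -----BEGIN ENCRYPTED PRIVATE KEY----- header of server_keypair.pem is a PKCS#8 container that always needs a passphrase, while a PKCS#1 -----BEGIN RSA PRIVATE KEY----- file is only encrypted when it carries Proc-Type/DEK-Info lines), builds the matching "openssl rsa" command line, and decodes an unencrypted PKCS#1 key into exactly the fields that "rsa -text" prints (modulus, publicExponent, privateExponent, prime1, prime2, exponent1, exponent2, coefficient), then checks that those fields agree with each other. The sample key is a constructed toy with p=61 and q=53, not a real 1024-bit key, and all helper names are my own:

```python
import base64
import re

# --- constructed toy RSA key (NOT a real key; p and q are tiny on purpose) ---
P, Q = 61, 53
N = P * Q                 # modulus, 3233
E = 17                    # publicExponent
D = 2753                  # privateExponent: E*D == 1 (mod lcm(P-1, Q-1))
DP, DQ = D % (P - 1), D % (Q - 1)   # exponent1, exponent2 (CRT exponents)
QINV = pow(Q, -1, P)      # coefficient, q^-1 mod p

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """DER INTEGER for a non-negative int; the spare bit keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qInv }
SAMPLE_PEM = to_pem(der_seq(der_int(0), der_int(N), der_int(E), der_int(D),
                            der_int(P), der_int(Q), der_int(DP), der_int(DQ), der_int(QINV)),
                    "RSA PRIVATE KEY")

def classify_pem(pem):
    """Tell from the PEM header which format a key file is in and whether it needs a passphrase."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem)
    if not m:
        raise ValueError("no PEM header found")
    label = m.group(1)
    info = {"label": label, "encrypted": False, "openssl_rsa_readable": True}
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8, always encrypted (the server_keypair.pem case)
        info["encrypted"] = True
    elif label == "RSA PRIVATE KEY":              # PKCS#1; encrypted only with Proc-Type/DEK-Info headers
        info["encrypted"] = "Proc-Type: 4,ENCRYPTED" in pem
    elif label == "PRIVATE KEY":                  # PKCS#8, unencrypted
        pass
    else:                                         # e.g. OPENSSH PRIVATE KEY: openssl rsa cannot parse it
        info["openssl_rsa_readable"] = False
    return info

def openssl_command(info, path, passphrase=None):
    """Build the 'openssl rsa' command line for the file; -noout skips re-writing the key."""
    if not info["openssl_rsa_readable"]:
        raise ValueError(f"'{info['label']}' is not a format openssl rsa can read")
    cmd = ["openssl", "rsa", "-in", path, "-text", "-noout"]
    if info["encrypted"] and passphrase is not None:
        cmd += ["-passin", "pass:" + passphrase]  # omitted -> openssl prompts, as in the session above
    return cmd

def der_read(buf, pos):
    """Read one TLV at pos; returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

RSA_FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
              "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

def parse_rsa_private_key(pem):
    """Decode an unencrypted PKCS#1 PEM into the fields 'openssl rsa -text' prints."""
    if classify_pem(pem)["encrypted"]:
        raise ValueError("encrypted key: decrypt with openssl first")
    body = "".join(l for l in pem.splitlines() if l and ":" not in l and not l.startswith("-----"))
    tag, seq, _ = der_read(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    key, pos = {}, 0
    for name in RSA_FIELDS:
        tag, val, pos = der_read(seq, pos)
        if tag != 0x02:
            raise ValueError(f"expected INTEGER for {name}")
        key[name] = int.from_bytes(val, "big")
    key["bits"] = key["modulus"].bit_length()   # the "(1024 bit)" figure in the dump
    return key

def rsa_params_consistent(k):
    """Check the CRT fields against each other, plus one encrypt/decrypt round trip."""
    n, e, d, p, q = k["modulus"], k["publicExponent"], k["privateExponent"], k["prime1"], k["prime2"]
    return (n == p * q
            and (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1
            and k["exponent1"] == d % (p - 1) and k["exponent2"] == d % (q - 1)
            and (k["coefficient"] * q) % p == 1
            and pow(pow(42, e, n), d, n) == 42)

if __name__ == "__main__":
    info = classify_pem(SAMPLE_PEM)
    print(info, openssl_command(info, "server_keypair.rsa"))
    k = parse_rsa_private_key(SAMPLE_PEM)
    for name in RSA_FIELDS:
        print(f"{name}: {k[name]} (0x{k[name]:x})")
    print("consistent:", rsa_params_consistent(k))
```

The classification step is the part that would have saved time here: a file whose header says ENCRYPTED PRIVATE KEY can never be loaded without a passphrase, so a "bad decrypt" from openssl (or "Invalid password or bad data" from the service) means the passphrase is wrong, not that the file is unreadable or its ACLs are off.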


Anyway: this was the issue: [WayBack] Getting this during upgrade: [Setup Continua CI v1.8.1.598] Failed to start the Continua SSH service : Service is not in a startable state. Service status is: Stopped [OK] … – Jeroen Wiert Pluimers – Google+.

Dialog during setup:

---------------------------
Setup Continua CI v1.8.1.598
---------------------------
Failed to start the Continua SSH service : Service is not in a startable state. Service status is: Stopped
---------------------------
OK
---------------------------

Dialog when starting the service by hand:

-------------------------
Services
-------------------------
Windows could not start the Continua CI SSH Server service on Local Computer.
Error 5: Access is denied.
-------------------------
OK
-------------------------

The second one put me on the wrong foot: I took it for a security issue between the ContinuaCISSHD service (which runs as LocalService) and the file and directory:

C:\Windows\system32>xcacls C:\ProgramData\VSoft\ContinuaCI\SSHD\server_keypair.pem
C:\ProgramData\VSoft\ContinuaCI\SSHD\server_keypair.pem NT AUTHORITY\SYSTEM:F
                                                        BUILTIN\Administrators:F
                                                        BUILTIN\Users:R

C:\Windows\system32>xcacls C:\ProgramData\VSoft\ContinuaCI\SSHD
C:\ProgramData\VSoft\ContinuaCI\SSHD NT AUTHORITY\SYSTEM:(OI)(CI)F
                                     BUILTIN\Administrators:(OI)(CI)F
                                     CREATOR OWNER:(OI)(CI)(IO)F
                                     BUILTIN\Users:(OI)(CI)R
                                     BUILTIN\Users:(CI)(special access:)
                                                       FILE_WRITE_DATA
                                                       FILE_APPEND_DATA
                                                       FILE_WRITE_EA
                                                       FILE_WRITE_ATTRIBUTES

What I didn’t do right was take a closer look at the stack traces and exception messages in the Windows event log (via eventvwr.exe or PowerShell Get-EventLog), of which I bolded the most important bits:

Oldest:

Error loading private key : "C:\ProgramData\VSoft\ContinuaCI\SSHD\server_keypair.pem"
"System.Security.Cryptography.CryptographicException: Invalid password or bad data.
   at Rebex.Security.Cryptography.Pkcs.PrivateKeyInfo.KA(Byte[] C, Int32 R, Int32 Q)
   at Rebex.Security.Cryptography.Pkcs.RO.LA(String C)
   at Rebex.Security.Cryptography.Pkcs.PrivateKeyInfo.Load(Stream input, String password)
   at Rebex.Net.SshPrivateKey.Z(Stream C, String R)
   at Rebex.Net.SshPrivateKey..ctor(String path, String password)
   at Continua.SSHD.SSHDService.Start()"

Middle:

The service did not start successfully
System.Security.Cryptography.CryptographicException: Invalid password or bad data.
   at Rebex.Security.Cryptography.Pkcs.PrivateKeyInfo.KA(Byte[] C, Int32 R, Int32 Q)
   at Rebex.Security.Cryptography.Pkcs.RO.LA(String C)
   at Rebex.Security.Cryptography.Pkcs.PrivateKeyInfo.Load(Stream input, String password)
   at Rebex.Net.SshPrivateKey.Z(Stream C, String R)
   at Rebex.Net.SshPrivateKey..ctor(String path, String password)
   at Continua.SSHD.SSHDService.Start()
   at Topshelf.ServiceConfiguratorExtensions.<>c__DisplayClass7`1.b__6(T service, HostControl control)
   at Topshelf.Builders.DelegateServiceBuilder`1.DelegateServiceHandle.Start(HostControl hostControl)
   at Topshelf.Runtime.Windows.WindowsServiceHost.OnStart(String[] args)

Newest:

The description for Event ID 0 from source ContinuaCISSHD cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

Service cannot be started. System.Security.Cryptography.CryptographicException: Invalid password or bad data.
   at Rebex.Security.Cryptography.Pkcs.PrivateKeyInfo.KA(Byte[] C, Int32 R, Int32 Q)
   at Rebex.Security.Cryptography.Pkcs.RO.LA(String C)
   at Rebex.Security.Cryptography.Pkcs.PrivateKeyInfo.Load(Stream input, String password)
   at Rebex.Net.SshPrivateKey.Z(Stream C, String R)
   at Rebex.Net.SshPrivateKey..ctor(String path, String password)
   at Continua.SSHD.SSHDService.Start()
   at Topshelf.ServiceConfiguratorExtensions.<>c__DisplayClass7`1.b__6(T service, HostControl control)
   at Topshelf.Builders.DelegateServiceBuilder`1.DelegateServiceHandle.Start(HostControl hostControl)
   at Topshelf.Runtime.Windows.WindowsServiceHost.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

The specified resource type cannot be found in the image file

–jeroen
