Unable to load public key when encrypting data with openssl



For an in-house application I needed to add monitoring of the login process. Usually that's pretty simple, as most systems just use a form with username and password and send a POST of the values.

But not in this case. I figured that the login procedure was much more complicated:

1) Make a POST request to a URL to retrieve server tokens

2) With the received tokens make yet another POST request and retrieve the string of a public RSA key

3) Encrypt the real password with the received public key and send it with yet another POST request

So far all my steps were working until I needed to encrypt the password with the public key with openssl.
The received public key was saved in a file tmpkey.pub:

$ cat tmpkey.pub
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALdjFsLLaCgRkWaOMLrUPQgGAPM4DXHnq9bAkd1VFwdSIgNkTxY0Bcvr1PxUkNHlYwFjAx/lGEqish6yCgeLURsCAwEAAQ==
-----END PUBLIC KEY-----

I then tried to encrypt the password with this key but it failed:

$ echo "myPassword" | openssl rsautl -encrypt -pubin -inkey tmpkey.pub
unable to load Public Key

Huh? Where did I make the mistake? I came across a blog post (Fun with public keys) by Peter Williams, where the author had a similar, though not identical, problem.
His advice to verify the public key was a big help though:

$ openssl rsa -text -pubin < tmpkey.pub
unable to load Public Key
139783763789472:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:812:

bad base64 decode! This error message helps!

I found another article on a different blog with some information on how to debug this error. In my case, the lines were longer than 64 characters, and a maximum of 64 characters per line is a must for openssl - d'uh!

With the command "fold" the lines of a file can be wrapped to a certain width in characters (-w N):

$ fold -w 64 tmpkey.pub
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALdjFsLLaCgRkWaOMLrUPQgGAPM4DXHn
q9bAkd1VFwdSIgNkTxY0Bcvr1PxUkNHlYwFjAx/lGEqish6yCgeLURsCAwEAAQ==
-----END PUBLIC KEY-----

Nice! Now I saved this output in my tmpkey.pub and tried the validation again:

$ openssl rsa -text -pubin < tmpkey.pub
Public-Key: (512 bit)
Modulus:
    00:b7:63:16:c2:cb:68:28:11:91:66:8e:30:ba:d4:
    3d:08:06:00:f3:38:0d:71:e7:ab:d6:c0:91:dd:55:
    17:07:52:22:03:64:4f:16:34:05:cb:eb:d4:fc:54:
    90:d1:e5:63:01:63:03:1f:e5:18:4a:a2:b2:1e:b2:
    0a:07:8b:51:1b
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALdjFsLLaCgRkWaOMLrUPQgGAPM4DXHn
q9bAkd1VFwdSIgNkTxY0Bcvr1PxUkNHlYwFjAx/lGEqish6yCgeLURsCAwEAAQ==
-----END PUBLIC KEY-----

Gotcha!

Now I could get back to encrypting the password with the public key:

$ echo "myPassword" | openssl rsautl -encrypt -pubin -inkey tmpkey.pub | base64
WRoZqrXGmcF5/6xTkB437nv+BCqF4XlkEhS6Gx8RIje496tMn/38WOt5QxE8EympP8NsFtVLJxJm
r1/UHkySvw==

 



Comments (newest first)

Timothy Van Heest wrote on Sep 14th, 2020:

The `fold` was the trick for me. This seemed to change between openssl versions since I was using a command that worked fine before with the exact same key. Thanks!