For an inhouse application I needed to add a monitoring of the login process. Usually that's pretty simple as most systems just use a form with username and password and send a POST of the values.
But not in this case. I figured that the login procedure was much more complicated:
1) Make a POST request to a URL to retrieve server tokens
2) With the received tokens make yet another POST request and retrieve the string of a public RSA key
3) Encrypt the real password with the received public key and send it with yet another POST request
So far all my steps were working until I needed to encrypt the password with the public key with openssl.
The received public key was saved in a file tmpkey.pub:
$ cat tmpkey.pub
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALdjFsLLaCgRkWaOMLrUPQgGAPM4DXHnq9bAkd1VFwdSIgNkTxY0Bcvr1PxUkNHlYwFjAx/lGEqish6yCgeLURsCAwEAAQ==
-----END PUBLIC KEY-----
I then tried to encrypt the password with this key but it failed:
$ echo "myPassword" | openssl rsautl -encrypt -pubin -inkey tmpkey.pub
unable to load Public Key
Huh? Where did I make the mistake? I came across a blog post (Fun with public keys) by Peter Williams where the author had not the same but a similar problem.
His advice, to verify the public key was a big help though:
$ openssl rsa -text -pubin < tmpkey.pub
unable to load Public Key
139783763789472:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:812:
bad base64 decode! This error message helps!
I found another article from a different blog which had some information how to debug this error. In my case, the number of characters per line exceeded 64 which is a must for openssl - d'uh!
With the command "fold" the output of a file can be cut to a certain number of lines (-w N):
$ fold -w 64 tmpkey.pub
-----BEGIN RSA PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALdjFsLLaCgRkWaOMLrUPQgGAPM4DXHn
q9bAkd1VFwdSIgNkTxY0Bcvr1PxUkNHlYwFjAx/lGEqish6yCgeLURsCAwEAAQ==
-----END RSA PUBLIC KEY-----
Nice! Now I saved this output in my tmpkey.pub and tried the validation again:
$ openssl rsa -text -pubin < tmpkey.pub
Public-Key: (512 bit)
Modulus:
00:b7:63:16:c2:cb:68:28:11:91:66:8e:30:ba:d4:
3d:08:06:00:f3:38:0d:71:e7:ab:d6:c0:91:dd:55:
17:07:52:22:03:64:4f:16:34:05:cb:eb:d4:fc:54:
90:d1:e5:63:01:63:03:1f:e5:18:4a:a2:b2:1e:b2:
0a:07:8b:51:1b
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALdjFsLLaCgRkWaOMLrUPQgGAPM4DXHn
q9bAkd1VFwdSIgNkTxY0Bcvr1PxUkNHlYwFjAx/lGEqish6yCgeLURsCAwEAAQ==
-----END PUBLIC KEY-----
Gotcha!
Now I could get back to encrypt the password with the public key:
$ echo "myPassword" | openssl rsautl -encrypt -pubin -inkey tmpkey.pub | base64
WRoZqrXGmcF5/6xTkB437nv+BCqF4XlkEhS6Gx8RIje496tMn/38WOt5QxE8EympP8NsFtVLJxJm
r1/UHkySvw==
Timothy Van Heest from wrote on Sep 14th, 2020:
The `fold` was the trick for me. This seemed to change between openssl versions since I was using a command that worked fine before with the exact same key. Thanks!
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder