# HG changeset patch
# User Tomas Zeman
# Date 1405691314 -7200
# Node ID 68d27bdf49c9dace0ead1c9f326dece5c29eacec
# Parent 889dfa7eace0d8613bbd43e65d2e50da4d8b48c7
ssl conversions
diff -r 889dfa7eace0 -r 68d27bdf49c9 ssl/conversion.txt
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ssl/conversion.txt Fri Jul 18 15:48:34 2014 +0200
@@ -0,0 +1,29 @@
+http://superuser.com/questions/576506/how-to-use-ssh-rsa-public-key-to-encrypt-a-text
+http://goodworkaround.com/node/17
+
+OpenSSH -> OpenSSL
+==================
+
+ * Pubkey conversion:
+
+ ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 > /tmp/id_rsa.pub.pem
+
+
+OpenSSL operations
+==================
+
+ * Encryption:
+
+ openssl rsautl -encrypt -pubin -inkey /tmp/id_rsa.pub.pem > /tmp/c.txt
+
+ * Decryption:
+
+ openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in /tmp/c.txt
+
+ * Signing:
+
+ openssl dgst -sha1 -sign ~/.ssh/id_rsa file.txt > file.txt.sig
+
+ * Verification:
+
+ openssl dgst -sha1 -verify /tmp/id_rsa.pub.pem -signature file.txt.sig file.txt
diff -r 889dfa7eace0 -r 68d27bdf49c9 ssl/conversion2.txt
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ssl/conversion2.txt Fri Jul 18 15:48:34 2014 +0200
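Review bot: In ssl/conversion.txt the converted public key is written to the fixed path `/tmp/id_rsa.pub.pem` and then serves as the trust anchor for both the encryption and the verification recipe, so on a shared host it may be a file that another local user pre-created and still controls; keeping it under the user's own directory, e.g. `ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pkcs8 > ~/.ssh/id_rsa.pub.pem`, avoids that, and the same applies to `/tmp/c.txt`. The signing and verification lines use `-sha1`, which is no longer collision-resistant; `-sha256` on both lines is a drop-in replacement. The two `rsautl` lines give no padding option and therefore fall back to PKCS#1 v1.5 padding; adding `-oaep` to both the encrypt and the decrypt command is the safer default. It would also help to note in the file that direct RSA encryption only fits inputs smaller than the key size, so the recipe suits short secrets rather than whole files.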
@@ -0,0 +1,72 @@
+http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL
+
+OpenSSH -> OpenSSL
+==================
+
+OpenSSH private keys are directly understable by OpenSSL:
+
+ openssl rsa -in ~/.ssh/id_rsa -text
+ openssl dsa -in ~/.ssh/id_dsa -text
+
+So, you can directly create certification request:
+
+ openssl req -new -key ~/.ssh/id_dsa -out mykey.csr
+
+OpenSSL -> OpenSSH
+==================
+
+Private keys format is same between OpenSSL and OpenSSH, but not public key format. Nevertheless, you extract public key from private key file:
+
+ ssh-keygen -y -f id_rsa > id_rsa.pub
+
+GnuPG -> OpenSSL
+================
+
+Gpgsm utility can exports keys and certificate in PCSC12:
+
+ gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
+
+You have -> extract Key and Certificates separatly:
+
+ openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
+ openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem
+
+You can now use it in OpenSSL.
+
+You can also do similar thing with GnuPG public keys. There will be only certificates output.
+
+OpenSSL -> GnuPG
+================
+
+Invert process:
+
+ openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
+ gpgsm --import gpg-key.p12
+
+GnuPG -> OpenSSH
+================
+
+Now, chain processes:
+
+ gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
+ openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
+
+We need -> protect key, else ssh refuse it.
+
+ chmod 600 gpg-key.pem
+ cp gpg-key.pem ~/.ssh/id_rsa
+ ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
+
+OpenSSH -> GnuPG
+================
+
+First we need to create a certificate (self-signed) for our ssh key:
+
+ openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem
+
+We can now import it in GnuPG
+
+ openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
+ gpgsm --import ssh-key.p12
+
+Notice you cannot import/export DSA ssh keys to/from GnuPG
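Review bot: In the "OpenSSH -> GnuPG" recipe of ssl/conversion2.txt the certificate is written with `-out ssh-cert.pem` but the next command reads `-in ssh-certs.pem`, so the PKCS#12 export fails as written; the names should match, e.g. `openssl pkcs12 -export -in ssh-cert.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12`. In "GnuPG -> OpenSSH", `cp gpg-key.pem ~/.ssh/id_rsa` and the redirect to `~/.ssh/id_rsa.pub` silently replace any existing key pair, and `chmod 600` only runs after the key file already exists with whatever mode the umask allowed. Running `umask 077` before the export and copying to a distinct name (for example `~/.ssh/id_rsa_gpg`) would avoid both. The intermediate `secret-gpg-key.p12` and `gpg-key.pem` files hold private key material, and the notes never say to remove them once the import is done. The prose lines "You have -> extract" and "We need -> protect" look like a search-and-replace of "to" that leaked into the text, and "PCSC12" is presumably meant to be PKCS12.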