Get cipher used to password encrypt private key

StackOverflow https://stackoverflow.com/questions/16149702

Question

I have a private key used for RSA exchanges that is password protected. I know the password, so I can use the key, however, I do not know which cipher was used to do the password.

I have other keys where the cipher is named in a header in the decrypted key, as per the answer to this question. However, this key when encrypted simply starts:

-----BEGIN ENCRYPTED PRIVATE KEY-----

and when decrypted:

-----BEGIN RSA PRIVATE KEY-----

No further header.

Tools such as openssl rsa and gnutls's certtool -k decrypt the key when given the password and provide information about the public key but do not say anything about the symmetric cipher used for the password.

Presumably, these applications know what the cipher was, since they decrypt the key. Is there a way to get this information? There does not seem to be much point in keeping it secret if I have the password anyway.

Programmatic answers using the gnutls API (but not openssl) are good, but ideally I'd like to know of an existing, portable tool.

Was it helpful?

Solution

ASN.1 decoding that should give you something like this:

    0:d=0  hl=4 l=1294 cons: SEQUENCE
    4:d=1  hl=2 l=  64 cons:  SEQUENCE
    6:d=2  hl=2 l=   9 prim:   OBJECT            :PBES2
   17:d=2  hl=2 l=  51 cons:   SEQUENCE
   19:d=3  hl=2 l=  27 cons:    SEQUENCE
   21:d=4  hl=2 l=   9 prim:     OBJECT            :PBKDF2
   32:d=4  hl=2 l=  14 cons:     SEQUENCE
   34:d=5  hl=2 l=   8 prim:      OCTET STRING
   44:d=5  hl=2 l=   2 prim:      INTEGER           :0800
   48:d=3  hl=2 l=  20 cons:    SEQUENCE
   50:d=4  hl=2 l=   8 prim:     OBJECT            :des-ede3-cbc
   60:d=4  hl=2 l=   8 prim:     OCTET STRING
   70:d=1  hl=4 l=1224 prim:  OCTET STRING

ie. in this example des-ede3-cbc is being used. Here's an online / open-source ASN.1 decoder you can use:

phpseclib ASN.1 Decoder

Just copy / paste your data and hit the submit button!

You can also do openssl asn1parse -inform PEM -in file.ext -i via the CLI if you have OpenSSL installed.

OTHER TIPS

Use tool like ASN.1 viewer to open that file (most of them should handle base64-encoded data as well, however probably you'll need to base64-decoded data first). After that you'll get the (most likely) PKCS#8-wrapped key, and you'll get the cipher by looking at OIDs.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top