9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Encoding private RSA key to PEM with p9p
@ 2013-12-17 22:00 Jean-André Santoni
  2013-12-17 22:16 ` David du Colombier
  0 siblings, 1 reply; 6+ messages in thread
From: Jean-André Santoni @ 2013-12-17 22:00 UTC (permalink / raw)
  To: 9fans


Hi, I'm using golang to code a 9p filesystem on Linux. I wish to use srv +
factotum + 9pfuse from p9p as the client to test the fs.
The server uses TLS with client authentication. The golang tls lib needs keys in
PEM format (I think). On the client side, factotum needs the keys in Plan 9
format.

I have no problem converting the public keys to PEM, using rsa2x509 |
pemencode. However, no man page explains how to encode a private key to PEM.

I tried to do the opposite: generating keys as PEM using Linux's openssl,
then converting them to Plan 9 format using pemdecode, without success.

Any idea?

-- 
Jean-André Santoni


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [9fans] Encoding private RSA key to PEM with p9p
From: David du Colombier @ 2013-12-17 22:16 UTC (permalink / raw)
  To: 9fans

> I tried to do the opposite: generating keys as PEM using Linux's
> openssl, then converting them to Plan 9 format using pemdecode, without
> success.

You have to convert the key from PEM to DER with OpenSSL,
then convert it to the Factotum format using auth/asn12rsa:

openssl rsa -in key.pem -inform PEM -out key.der -outform DER
auth/asn12rsa -t 'proto=rsa service=tls owner=*' key.der >key

--
David du Colombier




* Re: [9fans] Encoding private RSA key to PEM with p9p
From: Jean-André Santoni @ 2013-12-19  1:31 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Thanks, I managed to convert the key this way and added it to factotum.

I think I also need to add the server's CA's certificate, so factotum can
check the server identity. Right?

I converted the CA crt to DER like this:
openssl x509 -in ca.crt.pem -inform PEM -out ca.crt.der -outform DER

Now I'm trying to convert this DER to the factotum format:
asn12rsa -t 'proto=rsa service=tls owner=*' ca.crt.der > ca.crt.plan9

but asn12rsa complains:
asn12rsa: couldn't parse asn1 key


2013/12/17 David du Colombier <0intro@gmail.com>

> > I tried to do the opposite: generating keys as PEM using Linux's
> > openssl, then converting them to Plan 9 format using pemdecode, without
> > success.
>
> You have to convert the key from PEM to DER with OpenSSL,
> then convert it to the Factotum format using auth/asn12rsa:
>
> openssl rsa -in key.pem -inform PEM -out key.der -outform DER
> auth/asn12rsa -t 'proto=rsa service=tls owner=*' key.der >key
>
> --
> David du Colombier
>
>


-- 
Jean-André Santoni



* Re: [9fans] Encoding private RSA key to PEM with p9p
From: David du Colombier @ 2013-12-19  7:28 UTC (permalink / raw)
  To: 9fans

> I think I also need to add the server's CA's certificate, so factotum
> can check the server identity. Right?

Factotum is meant to store the private keys. The CA certificate
would probably have its place in /sys/lib/tls (in PEM format).
However, this is not needed, since the current X.509 implementation
in Plan 9 doesn't verify the certificate chain.

Also, TLS client authentication isn't currently supported in Plan 9,
but you could try Christian Kellermann's implementation.

http://plan9.bell-labs.com/sources/patch/maybe/tls-client-auth/

hget http://www.9legacy.org/9legacy/patch/tls-client-auth.diff | ape/patch -p0

--
David du Colombier



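The conversion David gives at the top of the thread, and the failure Jean-André hits when he feeds ca.crt.der to asn12rsa, done in Go, the language of the 9p server in question. This is an added example, not code from the thread or from Plan 9: it parses the PKCS#1 RSAPrivateKey that `openssl rsa -outform DER` produces with the Go standard library and prints a key line in the layout I understand auth/asn12rsa to emit (`key <tag> size= ek= !dk= n= !p= !q= !kp= !kq= !c2=`, values in bare hex). That layout is an assumption to compare against a real asn12rsa run before relying on it; the function names and the generated key are mine. A certificate (an X.509 SEQUENCE, not an RSAPrivateKey) or a PKCS#8 "PRIVATE KEY" blob does not parse as PKCS#1, which is what asn12rsa's "couldn't parse asn1 key" was saying.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// FactotumRSAKey turns a PKCS#1 RSAPrivateKey (the DER that `openssl rsa
// -outform DER` writes) into a factotum key line. The layout is the one I
// understand auth/asn12rsa to print, and is an assumption to verify:
// "key <tag> size= ek= !dk= n= !p= !q= !kp= !kq= !c2=", bare hex values,
// "!" marking attributes factotum never reveals. kp, kq and c2 are the
// PKCS#1 CRT values d mod (p-1), d mod (q-1) and q^-1 mod p.
func FactotumRSAKey(der []byte, tag string) (string, error) {
	key, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		// The case asn12rsa reports as "couldn't parse asn1 key": the DER is
		// not an RSAPrivateKey (a certificate or a PKCS#8 blob, for instance).
		return "", fmt.Errorf("not a PKCS#1 RSAPrivateKey: %w", err)
	}
	if len(key.Primes) != 2 {
		return "", errors.New("only two-prime RSA keys are supported")
	}
	key.Precompute() // fills Dp, Dq and Qinv
	h := func(x *big.Int) string { return x.Text(16) }
	p, q := key.Primes[0], key.Primes[1]
	return fmt.Sprintf("key %s size=%d ek=%x !dk=%s n=%s !p=%s !q=%s !kp=%s !kq=%s !c2=%s",
		tag, key.N.BitLen(), key.E, h(key.D), h(key.N), h(p), h(q),
		h(key.Precomputed.Dp), h(key.Precomputed.Dq), h(key.Precomputed.Qinv)), nil
}

// FactotumRSAKeyFromPEM takes the PEM file directly, so the separate
// `openssl rsa -outform DER` step is not needed, and names the usual wrong inputs.
func FactotumRSAKeyFromPEM(pemData []byte, tag string) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY": // PKCS#1, as written by openssl genrsa / openssl rsa
		return FactotumRSAKey(block.Bytes, tag)
	case "PRIVATE KEY": // PKCS#8 wrapper (openssl genpkey): unwrap it first
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return "", err
		}
		rk, ok := k.(*rsa.PrivateKey)
		if !ok {
			return "", errors.New("PKCS#8 key is not RSA")
		}
		return FactotumRSAKey(x509.MarshalPKCS1PrivateKey(rk), tag)
	case "CERTIFICATE":
		return "", errors.New("this is a certificate, not a private key; factotum holds private keys only")
	}
	return "", fmt.Errorf("unexpected PEM type %q", block.Type)
}

// Attrs splits a factotum key line into its attribute=value pairs.
func Attrs(line string) map[string]string {
	m := map[string]string{}
	for _, f := range strings.Fields(line)[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	// Constructed example key; real use would read client.key.pem from disk.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	tag := "proto=rsa service=tls owner=*"
	line, err := FactotumRSAKeyFromPEM(pemKey, tag)
	if err != nil {
		panic(err)
	}
	fmt.Println(line) // the line to append to /mnt/factotum/ctl
	// Feeding a certificate, as happened in the thread, is rejected up front.
	cert := []byte("-----BEGIN CERTIFICATE-----\nMA==\n-----END CERTIFICATE-----\n")
	_, err = FactotumRSAKeyFromPEM(cert, tag)
	fmt.Println("certificate input:", err)
}
```

The printed line is what the later `cat client.key.plan9 >> /mnt/factotum/ctl` step writes; the `!` prefix is factotum's convention for attributes it must never disclose, so the line itself is as sensitive as the PEM file it came from and should be created and stored with the same file permissions.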

* Re: [9fans] Encoding private RSA key to PEM with p9p
From: Jean-André Santoni @ 2013-12-24  1:31 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Ok thanks for the help.

I'm trying to use it with 9vx + the latest 9front rootfs, which already has
this patch applied.

I put my client private key into factotum like this:
% cat client.key.plan9 >> /mnt/factotum/ctl

Then I'm trying to dial with tlsclient:
% tlsclient -D -c client.crt.pem -t ca.crt.pem tcp!127.0.0.1!5640

As you told me, if there is no certificate chain verification, I might as well
provide the server certificate instead of the CA's:
% tlsclient -D -c client.crt.pem -t server.crt.pem tcp!127.0.0.1!5640

Is it the right thing to do? I read the man page but I don't get what
tlsclient does that allows me to finally mount the fs.

For now, I get the error message "could not negotiate acceptable security
parameters".

I tried disabling client authentication on the server side. Same error
message.

Maybe it is because I use the cipher
suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, which might not be supported...


2013/12/19 David du Colombier <0intro@gmail.com>

> > I think I also need to add the server's CA's certificate, so factotum
> > can check the server identity. Right?
>
> Factotum is meant to store the private keys. The CA certificate
> would probably have its place in /sys/lib/tls (in PEM format).
> However, this is not needed, since the current X.509 implementation
> in Plan 9 doesn't verify the certificate chain.
>
> Also, TLS client authentication isn't currently supported in Plan 9,
> but you could try Christian Kellermann's implementation.
>
> http://plan9.bell-labs.com/sources/patch/maybe/tls-client-auth/
>
> hget http://www.9legacy.org/9legacy/patch/tls-client-auth.diff |
> ape/patch -p0
>
> --
> David du Colombier
>
>


-- 
Jean-André Santoni



* Re: [9fans] Encoding private RSA key to PEM with p9p
From: David du Colombier @ 2013-12-25 21:31 UTC (permalink / raw)
  To: 9fans

> Maybe it is because I use the cipher
> suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA which might not be
> supported...

I think your use of tlsclient is correct. However, the ECDHE key
agreement protocol is not currently supported by Plan 9's libsec.

Could you enable the TLS_RSA_WITH_AES_256_CBC_SHA cipher on your
server side? This cipher is supported on Plan 9.

--
David du Colombier



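The server side of David's suggestion, as an added Go example that is not code from the thread: a Go TLS server limited to TLS 1.2 and TLS_RSA_WITH_AES_256_CBC_SHA with client certificates required, and an in-memory handshake from a Go client standing in for tlsclient. The first run negotiates the static-RSA suite and the server sees a verified client certificate; the second run, a client that offers only TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, fails the way the Plan 9 side did. The names ("9p.test", "client", "9p-test-ca"), the throwaway CA and the function names are constructed for the example. One caveat a practitioner would want: static RSA key exchange has no forward secrecy, and current Go releases leave it out of the default cipher suite list for that reason, so this is a compatibility setting for one legacy client, not a default to keep.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mint issues one 2048-bit RSA certificate signed by parent, or self-signed when parent is nil (constructed test PKI, not a real CA).
func mint(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		DNSNames:              []string{cn}, // identity lives in the SAN, as Go's verifier expects
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed root
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI returns the CA pool plus a server and a client certificate issued by it.
func buildPKI() (pool *x509.CertPool, server, client tls.Certificate, err error) {
	ca, caKey, err := mint("9p-test-ca", true, nil, nil, nil)
	if err != nil { return }
	s, sKey, err := mint("9p.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	if err != nil { return }
	c, cKey, err := mint("client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	if err != nil { return }
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	server = tls.Certificate{Certificate: [][]byte{s.Raw}, PrivateKey: sKey}
	client = tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: cKey}
	return
}

// configs builds the server from the thread (TLS 1.2 at most, only TLS_RSA_WITH_AES_256_CBC_SHA,
// client certificate required and verified against the CA) and a client standing in for tlsclient
// that offers clientSuites. Go drops RSA key exchange from its defaults, so the suite is named explicitly.
func configs(pool *x509.CertPool, server, client tls.Certificate, clientSuites []uint16) (srv, cli *tls.Config) {
	return &tls.Config{
			Certificates: []tls.Certificate{server},
			MaxVersion:   tls.VersionTLS12,
			CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA},
			ClientAuth:   tls.RequireAndVerifyClientCert,
			ClientCAs:    pool,
		}, &tls.Config{
			Certificates: []tls.Certificate{client},
			RootCAs:      pool,
			ServerName:   "9p.test",
			MaxVersion:   tls.VersionTLS12,
			CipherSuites: clientSuites,
		}
}

// handshake runs one handshake over an in-memory pipe and returns the server's view; the deadline turns a mismatch into an error, not a hang.
func handshake(srv, cli *tls.Config) (st tls.ConnectionState, err error) {
	a, b := net.Pipe()
	defer a.Close()
	defer b.Close()
	for _, c := range []net.Conn{a, b} { c.SetDeadline(time.Now().Add(10 * time.Second)) }
	errc := make(chan error, 1)
	go func() {
		s := tls.Server(a, srv)
		e := s.Handshake()
		st = s.ConnectionState()
		errc <- e
	}()
	cerr := tls.Client(b, cli).Handshake()
	if err = <-errc; err != nil { return st, fmt.Errorf("server: %w", err) }
	if cerr != nil { return st, fmt.Errorf("client: %w", cerr) }
	return st, nil
}

func main() {
	pool, server, client, err := buildPKI()
	if err != nil { panic(err) }
	st, err := handshake(configs(pool, server, client, []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA}))
	if err != nil { panic(err) }
	fmt.Printf("static RSA client: suite=%#x peer=%q\n", st.CipherSuite, st.PeerCertificates[0].DNSNames[0])
	_, err = handshake(configs(pool, server, client, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}))
	fmt.Println("ECDHE-only client:", err)
}
```

The second handshake fails at the server with "no cipher suite supported by both client and server", which is the Go-side counterpart of tlsclient's "could not negotiate acceptable security parameters"; the fix is on the server's CipherSuites list, not in factotum or in the certificates.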
