4

I have an openssl key file encrypted with an empty passphrase. I'm trying to remove the passphrase using this command

openssl rsa -in ca.key -out ca.key.clear

I then try to enter the empty passphrase when it asks for the current passphrase, but I get this error:

140592616367776:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters

So it seems I cannot remove a passphrase if it is less than 4 characters.

How do I remove the passphrase, ideally using openssl?

Matthew Sharp
    I might need more coffee, but is effectively an "*empty passphrase*" not the same as "*no passphrase*"? – HBruijn Jul 07 '15 at 08:01
  • Maybe first try to change it to something else, then remove it? – mhvelplund Jul 07 '15 at 08:18
  • It's not an empty passphrase! – Michael Hampton Jul 07 '15 at 14:01
  • have you tried `-passin pass:` ? or `-passin pass:""` ? – Archemar Jul 07 '15 at 14:17
  • @HBruijn: No, the file begins with: `-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,324e5e3b634f1a83` – Matthew Sharp Jul 07 '15 at 23:49
  • @Archemar: I hadn't but they seem to fail too. Trying either of your suggestions or `echo "" | openssl rsa -in ca.key -passin stdin -out ca.key.clear` gives this `140096151803552:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:458` – Matthew Sharp Jul 07 '15 at 23:51
  • @MichaelHampton: What do you mean? The only other thing it could be I guess is a single newline. I did try `echo -e "\n" | openssl rsa -in ca.key -passin stdin -out ca.key.clear` but got the same "bad password read" error as with trying empty. – Matthew Sharp Jul 07 '15 at 23:58

3 Answers

3

I came up with a workaround using the etcd-ca tool.

mkdir .etcd-ca
mv ca.key .etcd-ca/ca.host.key
touch .etcd-ca/ca.host.crt
chmod a-w .etcd-ca/ca.host.crt
etcd-ca export --insecure ca > ca.tar
tar xf ca.tar

It's not pretty, but it worked. I still don't know how to achieve this using openssl though.

Matthew Sharp
2

It's true you cannot get PEM_bytes_read_bio and PEM_do_header, which is where the legacy-PEM decrypts end up, to take a zero-length passphrase, nohow.

There is a workaround, but you may not like it:

# assumes DES3 (aka DES-EDE3) CBC as in the example
# changes and/or additional logic needed for other ciphers
# (e.g. AES has a 16-byte IV, of which only the first 8 bytes are the salt)

# get the IV from the file header
iv=`awk <silly -F, '/DEK-Info:/{print $2}'`
# use enc to do EVP_BytesToKey with salt=IV and just print result
# legacy PEM always derives the key with MD5; -md md5 is required on
# OpenSSL 1.1.0 and later, where enc's default digest became SHA-256
key=`openssl enc -des3 -k '' -S $iv -md md5 -P |awk -F= '/^key/{print $2}'`
# get body of the file (everything after the blank line), debase64 and decrypt
# note openssl silently drops the dash-END line, another debase64 may not,
# so it is stripped explicitly here as well
<silly sed -e '1,/^$/d' -e '/^-----END/d' |openssl base64 -d |openssl enc -des3 -d -K $key -iv $iv >sillyd

# sillyd is now unencrypted DER "legacy" (PKCS#1)
# and can be read by "openssl rsa <sillyd -inform der"
# but since we're on a roll let's do PEM too!
(echo -----BEGIN RSA PRIVATE KEY-----;openssl base64 <sillyd;\
 echo -----END RSA PRIVATE KEY-----) >sillyp

My suggestion: next time don't use an empty passphrase :-)

dave_thompson_085
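The following is an added example and not part of dave_thompson_085's answer: a POSIX shell script that turns the manual procedure above into a function and generalizes it to any CBC cipher named in the DEK-Info header (the salt fed to EVP_BytesToKey is always the first 8 bytes of the IV, which matters for AES's 16-byte IV). Because openssl's own command line refuses to write an empty-passphrase key, the script also carries a generator that runs the same derivation in reverse to construct a sample file for a byte-for-byte round-trip check. The function names (`legacy_pem_decrypt_manual`, `legacy_pem_decrypt`, `make_emptypass_pem`, `roundtrip_demo`), the `--demo` switch and the temporary-file layout are this example's own; it assumes an OpenSSL 1.1 or 3.x command line (`openssl pkey -traditional`) plus awk, sed, cut, tr, mktemp and cmp.

```shell
#!/bin/sh
# Added example: decrypt a legacy-PEM private key ("Proc-Type: 4,ENCRYPTED")
# whose passphrase is the empty string, by replaying what PEM_do_header does:
#   key       = EVP_BytesToKey(cipher, MD5, salt = first 8 bytes of the IV,
#                              passphrase = "", 1 iteration)
#   plaintext = CBC-decrypt(base64 body, key, IV from the DEK-Info header)
# Works for any CBC cipher that "openssl enc" knows by its DEK-Info name
# (DES-EDE3-CBC, AES-128/192/256-CBC); single DES-CBC additionally needs the
# legacy provider on OpenSSL 3. Function and file names are this example's own.

# Manual route. Usage: legacy_pem_decrypt_manual in.pem out.pem
legacy_pem_decrypt_manual() {
    in=$1; out=$2
    hdr=$(sed -n '/^-----BEGIN /p' "$in")          # e.g. -----BEGIN RSA PRIVATE KEY-----
    end=$(printf '%s' "$hdr" | sed 's/BEGIN/END/')
    dek=$(awk '/^DEK-Info:/ {print $2}' "$in")     # e.g. DES-EDE3-CBC,324e5e3b634f1a83
    cipher=$(printf '%s' "$dek" | cut -d, -f1 | tr 'A-Z' 'a-z')
    iv=$(printf '%s' "$dek" | cut -d, -f2)
    salt=$(printf '%s' "$iv" | cut -c1-16)         # EVP_BytesToKey consumes 8 salt bytes
    if [ -z "$cipher" ] || [ -z "$iv" ]; then
        echo "$in: no DEK-Info header, not a legacy encrypted PEM" >&2; return 1
    fi
    # -P prints the derived key and exits. -md md5 is essential on OpenSSL >= 1.1.0,
    # where enc defaults to SHA-256 while legacy PEM always used MD5. The stderr
    # redirect only hides enc's "deprecated key derivation" warning.
    key=$(openssl enc "-$cipher" -k '' -S "$salt" -md md5 -P 2>/dev/null |
          awk -F= '/^key/ {print $2}')
    [ -n "$key" ] || return 1
    der=$(mktemp)
    # body = everything after the first blank line, minus the END marker line
    if ! sed -e '1,/^$/d' -e '/^-----END /d' "$in" | openssl base64 -d |
         openssl enc "-$cipher" -d -K "$key" -iv "$iv" > "$der"; then
        rm -f "$der"; return 1                     # padding failure: wrong key or cipher
    fi
    { printf '%s\n' "$hdr"; openssl base64 < "$der"; printf '%s\n' "$end"; } > "$out"
    rm -f "$der"
    openssl pkey -in "$out" -noout                 # result must parse as a private key
}

# Preferred entry point: try the plain route first (some OpenSSL builds accept an
# empty -passin), then fall back to the manual decryption above.
legacy_pem_decrypt() {
    if openssl pkey -in "$1" -passin pass: -out "$2" </dev/null 2>/dev/null &&
       openssl pkey -in "$2" -noout 2>/dev/null; then
        return 0
    fi
    legacy_pem_decrypt_manual "$1" "$2"
}

# Build a sample file with an EMPTY passphrase by running the same derivation in
# reverse (openssl's own CLI refuses to write one). The plaintext PKCS#1 DER is
# left beside it as "$out.der" so a round trip can be checked.
make_emptypass_pem() {
    out=$1; cipher=${2:-DES-EDE3-CBC}
    lc=$(printf '%s' "$cipher" | tr 'A-Z' 'a-z')
    openssl genrsa 2048 2>/dev/null | openssl pkey -traditional -outform DER > "$out.der"
    ivhex=$(openssl enc "-$lc" -k '' -S 0000000000000000 -md md5 -P 2>/dev/null |
            awk -F= '/^iv/ {print length($2)}')    # IV size of this cipher, in hex digits
    iv=$(openssl rand -hex $((ivhex / 2)))
    key=$(openssl enc "-$lc" -k '' -S "$(printf '%s' "$iv" | cut -c1-16)" -md md5 -P 2>/dev/null |
          awk -F= '/^key/ {print $2}')
    {
        printf '%s\n%s\n%s\n\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
               "DEK-Info: $cipher,$iv"
        openssl enc "-$lc" -K "$key" -iv "$iv" < "$out.der" | openssl base64
        printf '%s\n' '-----END RSA PRIVATE KEY-----'
    } > "$out"
}

# Round trip: returns 0 if decrypt(encrypt(key)) reproduces the original DER exactly.
roundtrip_demo() {
    cipher=${1:-DES-EDE3-CBC}; tmp=$(mktemp -d)
    make_emptypass_pem "$tmp/enc.pem" "$cipher"
    if legacy_pem_decrypt_manual "$tmp/enc.pem" "$tmp/clear.pem" >/dev/null 2>&1 &&
       openssl pkey -in "$tmp/clear.pem" -traditional -outform DER | cmp -s - "$tmp/enc.pem.der"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"; return $rc
}

case "${1:-}" in
    --demo) roundtrip_demo DES-EDE3-CBC && roundtrip_demo AES-256-CBC && echo "round trip ok" ;;
    "")     ;;                                     # sourced: define functions only
    *)      legacy_pem_decrypt "$1" "${2:?usage: $0 in.pem out.pem | --demo}" ;;
esac
```

Run it as `sh legacy_pem.sh --demo` to build and decrypt sample keys, or as `sh legacy_pem.sh ca.key ca.key.clear` on a real file. The `-md md5` flag is the one detail that silently breaks the manual procedure on OpenSSL 1.1.0 and later, where `enc` switched its default digest to SHA-256 while legacy PEM never stopped using MD5: without it the derived key differs and decryption fails at the padding check rather than producing an obviously wrong key.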
2

Here is how I got around this problem.

  1. Add a new passphrase to the private key that was originally created without a passphrase.

    openssl rsa -des3 -in your.key -out your.encrypted.key
    mv your.encrypted.key your.key
    

This will prompt you to enter a new passphrase.

  2. Now remove the passphrase as follows:

    openssl rsa -in your.key -out your.key_NO_PASSPHRASE.pem
    
  3. This will prompt you to enter the passphrase specified in Step 1 above and will then remove it from the key.

This worked for me and Apache started without any errors. (I'm assuming that's why you needed to remove it in the first place :) )