Convert PEM key to ssh-rsa format

Posted on 2024-07-25 16:57:32 · 843 words · 2 views · 0 comments

I have a certificate in der format, from it with this command I generate a public key:

openssl x509 -inform der -in ejbcacert.cer -noout -pubkey > pub1key.pub

Which results in this:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vbqajDw4o6gJy8UtmIbkcpnk
O3Kwc4qsEnSZp/TR+fQi62F79RHWmwKOtFmwteURgLbj7D/WGuNLGOfa/2vse3G2
eHnHl5CB8ruRX9fBl/KgwCVr2JaEuUm66bBQeP5XeBotdR4cvX38uPYivCDdPjJ1
QWPdspTBKcxeFbccDwIDAQAB
-----END PUBLIC KEY-----

How can I obtain a public key like this? Either from certificate or
from this public key?

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7vbqajDw4o6gJy8UtmIbkcpnkO3Kwc4qsEnSZp/TR+fQi62F79RHWmwKOtFmwteURgLbj7D/WGuNLGOfa/2vse3G2eHnHl5CB8ruRX9fBl/KgwCVr2JaEuUm66bBQeP5XeBotdR4cvX38uPYivCDdPjJ1QWPdspTBKcxeFbccDw==

This was obtained with this command:

ssh-keygen -y -f private_key1.pem > public_key1.pub

Comments (13)

终陌 2024-08-01 16:57:32

No need to compile stuff. You can do the same with ssh-keygen:

ssh-keygen -f pub1key.pub -i

will read the public key in openssl format from pub1key.pub and output it in OpenSSH format.

Note: In some cases you will need to specify the input format:

ssh-keygen -f pub1key.pub -i -m PKCS8

From the ssh-keygen docs (From man ssh-keygen):

-m key_format Specify a key format for the -i (import) or -e (export) conversion options. The supported key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key) or “PEM” (PEM public key). The default conversion format is “RFC4716”.

你穿错了嫁妆 2024-08-01 16:57:32

No need for scripts or other 'tricks': openssl and ssh-keygen are enough. I'm assuming no password for the keys (which is bad).

Generate an RSA pair

All the following methods give an RSA key pair in the same format

  1. With openssl (man genrsa)

    openssl genrsa -out dummy-genrsa.pem 2048
    

    In OpenSSL v1.0.1 genrsa is superseded by genpkey so this is the new way to do it (man genpkey):

    openssl genpkey -algorithm RSA -out dummy-genpkey.pem -pkeyopt rsa_keygen_bits:2048
    
  2. With ssh-keygen

    ssh-keygen -t rsa -b 2048 -f dummy-ssh-keygen.pem -N '' -C "Test Key"
    

Converting DER to PEM

If you have an RSA key pair in DER format, you may want to convert it to PEM to allow the format conversion below:

Generation:

openssl genpkey -algorithm RSA -out genpkey-dummy.cer -outform DER -pkeyopt rsa_keygen_bits:2048

Conversion:

openssl rsa -inform DER -outform PEM -in genpkey-dummy.cer -out dummy-der2pem.pem

Extract the public key from the PEM formatted RSA pair

  1. in PEM format:

    openssl rsa -in dummy-xxx.pem -pubout
    
  2. in OpenSSH v2 format see:

    ssh-keygen -y -f dummy-xxx.pem
    

Notes

OS and software version:

[user@test1 ~]# cat /etc/redhat-release ; uname -a ; openssl version
CentOS release 6.5 (Final)
Linux test1.example.local 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
OpenSSL 1.0.1e-fips 11 Feb 2013

References:

意中人 2024-08-01 16:57:32

To answer my own question, after posting on openssl mailing list got this:

Here is C code to convert from an OpenSSL public key to an OpenSSH public key.
You can grab the code from this link and compile it yourself:

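/* Headers required to build this program. It is written against the
   pre-1.1.0 OpenSSL API: it reads struct members directly (pPubKey->type,
   pRsa->n, pRsa->e), which OpenSSL 1.1.0 and later no longer expose. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>

static unsigned char pSshHeader[11] = { 0x00, 0x00, 0x00, 0x07, 0x73, 0x73, 0x68, 0x2D, 0x72, 0x73, 0x61};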

static int SshEncodeBuffer(unsigned char *pEncoding, int bufferLen, unsigned char* pBuffer)
{
   int adjustedLen = bufferLen, index;
   if (*pBuffer & 0x80)
   {
      adjustedLen++;
      pEncoding[4] = 0;
      index = 5;
   }
   else
   {
      index = 4;
   }
   pEncoding[0] = (unsigned char) (adjustedLen >> 24);
   pEncoding[1] = (unsigned char) (adjustedLen >> 16);
   pEncoding[2] = (unsigned char) (adjustedLen >>  8);
   pEncoding[3] = (unsigned char) (adjustedLen      );
   memcpy(&pEncoding[index], pBuffer, bufferLen);
   return index + bufferLen;
}

int main(int argc, char**  argv)
{
   int iRet = 0;
   int nLen = 0, eLen = 0;
   int encodingLength = 0;
   int index = 0;
   unsigned char *nBytes = NULL, *eBytes = NULL;
   unsigned char* pEncoding = NULL;
   FILE* pFile = NULL;
   EVP_PKEY *pPubKey = NULL;
   RSA* pRsa = NULL;
   BIO *bio, *b64;

   ERR_load_crypto_strings(); 
   OpenSSL_add_all_algorithms();

   if (argc != 3)
   {
      printf("usage: %s public_key_file_name ssh_key_description\n", argv[0]);
      iRet = 1;
      goto error;
   }

   pFile = fopen(argv[1], "rt");
   if (!pFile)
   {
      printf("Failed to open the given file\n");
      iRet = 2;
      goto error;
   }

   pPubKey = PEM_read_PUBKEY(pFile, NULL, NULL, NULL);
   if (!pPubKey)
   {
      printf("Unable to decode public key from the given file: %s\n", ERR_error_string(ERR_get_error(), NULL));
      iRet = 3;
      goto error;
   }

   if (EVP_PKEY_type(pPubKey->type) != EVP_PKEY_RSA)
   {
      printf("Only RSA public keys are currently supported\n");
      iRet = 4;
      goto error;
   }

   pRsa = EVP_PKEY_get1_RSA(pPubKey);
   if (!pRsa)
   {
      printf("Failed to get RSA public key : %s\n", ERR_error_string(ERR_get_error(), NULL));
      iRet = 5;
      goto error;
   }

   // reading the modulus
   nLen = BN_num_bytes(pRsa->n);
   nBytes = (unsigned char*) malloc(nLen);
   BN_bn2bin(pRsa->n, nBytes);

   // reading the public exponent
   eLen = BN_num_bytes(pRsa->e);
   eBytes = (unsigned char*) malloc(eLen);
   BN_bn2bin(pRsa->e, eBytes);

   encodingLength = 11 + 4 + eLen + 4 + nLen;
   // correct depending on the MSB of e and N
   if (eBytes[0] & 0x80)
      encodingLength++;
   if (nBytes[0] & 0x80)
      encodingLength++;

   pEncoding = (unsigned char*) malloc(encodingLength);
   memcpy(pEncoding, pSshHeader, 11);

   index = SshEncodeBuffer(&pEncoding[11], eLen, eBytes);
   index = SshEncodeBuffer(&pEncoding[11 + index], nLen, nBytes);

   b64 = BIO_new(BIO_f_base64());
   BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
   bio = BIO_new_fp(stdout, BIO_NOCLOSE);
   BIO_printf(bio, "ssh-rsa ");
   bio = BIO_push(b64, bio);
   BIO_write(bio, pEncoding, encodingLength);
   BIO_flush(bio);
   bio = BIO_pop(b64);
   BIO_printf(bio, " %s\n", argv[2]);
   BIO_flush(bio);
   BIO_free_all(bio);
   BIO_free(b64);

error:
   if (pFile)
      fclose(pFile);
   if (pRsa)
      RSA_free(pRsa);
   if (pPubKey)
      EVP_PKEY_free(pPubKey);
   if (nBytes)
      free(nBytes);
   if (eBytes)
      free(eBytes);
   if (pEncoding)
      free(pEncoding);

   EVP_cleanup();
   ERR_free_strings();
   return iRet;
}

紫罗兰の梦幻 2024-08-01 16:57:32

ssh-keygen -i -m PKCS8 -f public-key.pem

棒棒糖 2024-08-01 16:57:32

ssh-keygen -f private.pem -y > public.pub

蝶舞 2024-08-01 16:57:32

The following script would obtain the ci.jenkins-ci.org public key certificate in base64-encoded DER format and convert it to an OpenSSH public key file. This code assumes that a 2048-bit RSA key is used and draws a lot from this Ian Boyd's answer. I've explained a bit more how it works in comments to this article in Jenkins wiki.

echo -n "ssh-rsa " > jenkins.pub
curl -sfI https://ci.jenkins-ci.org/ | grep -i X-Instance-Identity | tr -d \\r | cut -d\  -f2 | base64 -d | dd bs=1 skip=32 count=257 status=none | xxd -p -c257 | sed s/^/00000007\ 7373682d727361\ 00000003\ 010001\ 00000101\ / | xxd -p -r | base64 -w0 >> jenkins.pub
echo >> jenkins.pub

柳絮泡泡 2024-08-01 16:57:32

I did with

ssh-keygen -i -f $sshkeysfile >> authorized_keys

Credit goes here

如梦亦如幻 2024-08-01 16:57:32

FWIW, this BASH script will take a PEM- or DER-format X.509 certificate or OpenSSL public key file (also PEM format) as the first argument and disgorge an OpenSSH RSA public key. This expands upon @mkalkov's answer above. Requirements are cat, grep, tr, dd, xxd, sed, xargs, file, uuidgen, base64, openssl (1.0+), and of course bash. All except openssl (contains base64) are pretty much guaranteed to be part of the base install on any modern Linux system, except maybe xxd (which Fedora shows in the vim-common package). If anyone wants to clean it up and make it nicer, caveat lector.

#!/bin/bash
#
# Extract a valid SSH format public key from an X509 public certificate.
#

# Variables:
pubFile=$1
fileType="no"
pkEightTypeFile="$pubFile"
tmpFile="/tmp/`uuidgen`-pkEightTypeFile.pk8"

# See if a file was passed:
[ ! -f "$pubFile" ] && echo "Error, bad or no input file $pubFile." && exit 1

# If it is a PEM format X.509 public cert, set $fileType appropriately:
pemCertType="X$(file $pubFile | grep 'PEM certificate')"
[ "$pemCertType" != "X" ] && fileType="PEM"

# If it is an OpenSSL PEM-format PKCS#8-style public key, set $fileType appropriately:
pkEightType="X$(grep -e '-BEGIN PUBLIC KEY-' $pubFile)"
[ "$pkEightType" != "X" ] && fileType="PKCS"

# If this is a file we can't recognise, try to decode a (binary) DER-format X.509 cert:
if [ "$fileType" = "no" ]; then
        openssl x509 -in $pubFile -inform DER -noout
        derResult=$(echo $?)
        [ "$derResult" = "0" ] && fileType="DER"
fi

# Exit if not detected as a file we can use:
[ "$fileType" = "no" ] && echo "Error, input file not of type X.509 public certificate or OpenSSL PKCS#8-style public key (not encrypted)." && exit 1

# Convert the X.509 public cert to an OpenSSL PEM-format PKCS#8-style public key:
if [ "$fileType" = "PEM" -o "$fileType" = "DER" ]; then
        openssl x509 -in $pubFile -inform $fileType -noout -pubkey > $tmpFile
        pkEightTypeFile="$tmpFile"
fi

# Build the string:
# Front matter:
frontString="$(echo -en 'ssh-rsa ')"

# Encoded modulus and exponent, with appropriate pointers:
encodedModulus="$(cat $pkEightTypeFile | grep -v -e "----" | tr -d '\n' | base64 -d | dd bs=1 skip=32 count=257 status=none | xxd -p -c257 | sed s/^/00000007\ 7373682d727361\ 00000003\ 010001\ 00000101\ / | xxd -p -r | base64 -w0 )"

# Add a comment string based on the filename, just to be nice:
commentString=" $(echo $pubFile | xargs basename | sed -e 's/\.crt\|\.cer\|\.pem\|\.pk8\|\.der//')"

# Give the user a string:
echo $frontString $encodedModulus $commentString

# cleanup:
rm -f $tmpFile
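
The two shell answers above hard-code `skip=32 count=257` and the exponent `010001`, which fits only a 2048-bit RSA key with e = 65537. As an added example (not code from any of the answers), the Python below parses the SubjectPublicKeyInfo DER structure instead and applies the same length-prefixed encoding as the C answer, so it handles any RSA key size; the function names are this example's own, and the sample input is the 1024-bit key quoted in the question.

```python
import base64
import struct

# Sample input: the public key quoted in the question.
QUESTION_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vbqajDw4o6gJy8UtmIbkcpnk
O3Kwc4qsEnSZp/TR+fQi62F79RHWmwKOtFmwteURgLbj7D/WGuNLGOfa/2vse3G2
eHnHl5CB8ruRX9fBl/KgwCVr2JaEuUm66bBQeP5XeBotdR4cvX38uPYivCDdPjJ1
QWPdspTBKcxeFbccDwIDAQAB
-----END PUBLIC KEY-----"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag 0x{want_tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def spki_rsa_numbers(pem):
    """Return (n, e) from a PEM SubjectPublicKeyInfo ("BEGIN PUBLIC KEY") block."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("not a PEM SubjectPublicKeyInfo block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    spki, end = read_tlv(der, 0, 0x30)      # SEQUENCE SubjectPublicKeyInfo
    if end != len(der):
        raise ValueError("trailing data after SubjectPublicKeyInfo")
    alg, pos = read_tlv(spki, 0, 0x30)      # SEQUENCE AlgorithmIdentifier
    oid, _ = read_tlv(alg, 0, 0x06)
    if oid != RSA_OID:
        raise ValueError("only RSA keys map to ssh-rsa")
    bits, _ = read_tlv(spki, pos, 0x03)     # BIT STRING wrapping RSAPublicKey
    if bits[:1] != b"\x00":
        raise ValueError("unexpected unused-bits count in BIT STRING")
    rsa, _ = read_tlv(bits, 1, 0x30)        # SEQUENCE { modulus, publicExponent }
    n_raw, pos = read_tlv(rsa, 0, 0x02)
    e_raw, _ = read_tlv(rsa, pos, 0x02)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def ssh_string(data):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    """RFC 4251 mpint for a positive integer: a 0x00 byte is prepended when the
    top bit is set, which is what the C answer's SshEncodeBuffer does by hand."""
    if value <= 0:
        raise ValueError("RSA parameters must be positive")
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def spki_pem_to_openssh(pem, comment=""):
    """Build the one-line OpenSSH public key: "ssh-rsa", e, then n."""
    n, e = spki_rsa_numbers(pem)
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line

if __name__ == "__main__":
    print(spki_pem_to_openssh(QUESTION_PEM))
```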

羁客 2024-08-01 16:57:32

This is what worked for me, since I only had access to the Public Key:

  1. Convert the PEM public key to a PKCS8 compatible Public Key
    openssl x509 -pubkey -noout -in pubcertkey.pem > pubcertkey.pub
  2. Convert the PKCS8 Public Key to a ssh-rsa key
    ssh-keygen -i -mPKCS8 -f pubcertkey.pub > pubcertkey-ssh-rsa.pub

Please be aware that even current Win32-OpenSSH builds seem to have a bug preventing this conversion from happening, as referenced here on this dedicated GitHub issue page.

Issue can be confirmed with this behaviour :

  • Output from the command is blank (but no error printed) :
    Blank output
  • An error can be found in Windows event viewer under the "Windows Logs/Applications" journal : Error in "Applications" journal

Only alternative seems to not use Win32-OpenSSH for this specific task.

べ繥欢鉨o。 2024-08-01 16:57:32

Tested for Oracle Cloud Instance public key request:

Private key generation (with passphrase):

openssl genrsa -des3 -out private.pem 4096

Public key extraction:

openssl rsa -in private.pem -pubout -out public.pem

Public key conversion in "ssh-rsa" format:

ssh-keygen -i -m PKCS8 -f public.pem > public.pub

Ensure that the permissions for the SSH folder and keys are as follows (public keys must be 644, private keys must be 400):

chmod 400 private.pem
chmod 644 public.pem
chmod 644 public.pub

暮年慕年 2024-08-01 16:57:32

You can also use phpseclib library

$keyObj = phpseclib3\Crypt\PublicKeyLoader::load($key, $passphrase);
$keyString = $keyObj->getPublicKey()->toString('OpenSSH');

$key can be a public or private string. If it is a file then just wrap it in file_get_contents($key)

涙—继续流 2024-08-01 16:57:32

Don't reinvent the wheel and use what exists, it's better for everyone.
I'm using an Ubuntu server with Puttygen, which is an excellent tool. There are a few lines, or just one, if you prefer (single liner with a few && and ||):

apt update
apt install -y putty-tools
puttygen "./key-to-convert.pem" -o "./key-in-ssh-openssl.txt" -O public-openssh
cat "./key-in-ssh-openssl.txt"

Just it..

Note: If possible, take a look at puttygen help, it has lots of cool and easy-to-access stuff. For example, these are the output formats that can be used with puttygen using '-O' option:

  1. private output PuTTY private key format (.ppk)
  2. private-openssh export OpenSSH private key
  3. private-openssh-new export OpenSSH private key (force new format)
  4. private-sshcom export ssh.com private key
  5. public RFC 4716 / ssh.com public key
  6. public-openssh OpenSSH public key
  7. fingerprint output the key fingerprint
  8. cert-info print certificate information
  9. text output the key components as 'name=0x####'