Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do you test a public/private DSA keypair?

Tags:

key

ssl

openssl

encryption

People also ask

How do I validate a private RSA key?

To verify that an RSA private key matches the RSA public key in a certificate you need to i) verify the consistency of the private key and ii) compare the modulus of the public key in the certificate against the modulus of the private key. If it doesn't say 'RSA key ok', it isn't OK!"

I found a way that seems to work better for me:

ssh-keygen -y -f <private key file>

That command will output the public key for the given private key, so then just compare the output to each *.pub file.


I always compare an MD5 hash of the modulus using these commands:

Certificate: openssl x509 -noout -modulus -in server.crt | openssl md5
Private Key: openssl rsa -noout -modulus -in server.key | openssl md5
CSR: openssl req -noout -modulus -in server.csr | openssl md5

If the hashes match, then those two files go together.


For DSA keys, use

 openssl dsa -pubin -in dsa.pub -modulus -noout

to print the public keys, then

 openssl dsa -in dsa.key -modulus -noout

to display the public keys corresponding to a private key, then compare them.


Assuming you have the public keys inside X.509 certificates, and assuming they are RSA keys, then for each public key, do

    openssl x509 -in certfile -modulus -noout

For each private key, do

    openssl rsa -in keyfile -modulus -noout

Then match the keys by modulus.


The check can be made easier with diff:

diff <(ssh-keygen -y -f $private_key_file) $public_key_file

The only odd thing is that diff says nothing if the files are the same, so you'll only be told if the public and private don't match.


Enter the following command to check if a private key and public key are a matched set (identical) or not a matched set (differ) in $USER/.ssh directory. The cut command prevents the comment at the end of the line in the public key from being compared, allowing only the key to be compared.

ssh-keygen -y -f ~/.ssh/id_rsa | diff -s - <(cut -d ' ' -f 1,2 ~/.ssh/id_rsa.pub)

Output will look like either one of these lines.

Files - and /dev/fd/63 are identical

Files - and /dev/fd/63 differ

I wrote a shell script that users use to check file permission of their ~/.ssh/files and matched key set. It solves my challenges with user incidents setting up ssh. It may help you. https://github.com/BradleyA/docker-security-infrastructure/tree/master/ssh

Note: My previous answer (in Mar 2018) no longer works with the latest releases of openssh. Previous answer: diff -qs <(ssh-keygen -yf ~/.ssh/id_rsa) <(cut -d ' ' -f 1,2 ~/.ssh/id_rsa.pub)


Delete the public keys and generate new ones from the private keys. Keep them in separate directories, or use a naming convention to keep them straight.

Related questions

How to encrypt/decrypt data in php?
How does BitLocker affect performance? [closed]
AES Encryption for an NSString on the iPhone
How to encrypt bytes using the TPM (Trusted Platform Module)
How to send password securely over HTTP?
Hash function that produces short hashes?
Given final block not properly padded
What is the optimal length for user password salt? [closed]
Encrypt Password in Configuration Files? [closed]
encryption/decryption with multiple keys
Converting a Java Keystore into PEM Format
gnupg: There is no assurance this key belongs to the named user
SQLite with encryption/password protection
What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
Difference between Hashing a Password and Encrypting it
RSA Public Key format
Difference between encoding and encryption
Simple way to encode a string according to a password?
How to encrypt String in Java
Two-way encryption: I need to store passwords that can be retrieved

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!