Hi Viktor,

Thank you so much for your response.

Do I need to request for a specific certificate that will is base64?

Thanks,
Liz

-----Original Message-----
From: owner-openssl-users-MCmKBN63+***@public.gmane.org
[mailto:owner-openssl-users-MCmKBN63+***@public.gmane.org] On Behalf Of Viktor Dukhovni
Sent: Monday, September 08, 2014 5:42 AM
To: openssl-users-MCmKBN63+***@public.gmane.org
Subject: Re: cannot read PEM key file - no start line
Yes. The OpenSSL base64 decoder limits input lines to 64 characters.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org


---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Nope. The encoder writes 64 (the original PEM spec), but the decoder
will accept up to 76 (the less-old MIME spec). As one case I hit often,
Java keytool -exportcert writes 76 and openssl reads it just fine.

And the error here is "no start line". *On Windows* that often occurs
when Windows editors treat text files as Unicode/UTF-8 with an
invisible "BOM" (Byte Order Mark) at the beginning of the first line.
Try prepending a semantically-meaningless comment line like:

Hello! This is my Key!! Rah Rah Go Key Go!!
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAqD7NQvpg74v7Pik4rAIfk/BIQlQa1fbM9BKkHOkKJBoAoGCCqGSM49
AwEHoUQDQgAE/BR1oMSfz4WgklW7t83E0xClrBh0md1Ata8rsPq8VAsB1WDXPXwk
T7WbcXlsyxuyOb7ok8F544xmr+pKreWbHw==
-----END EC PRIVATE KEY-----


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

Hi Jeff,



Please find the certificates attached.



openssl x509 -in DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pembackup -inform PEM -text -noout

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 1085434364 (0x40b269fc)

Signature Algorithm: sha1WithRSAEncryption

Issuer: C=US, O=Wells Fargo, OU=Wells Fargo Certification Authority, CN=Wells Fargo Root Certificate Authority

Validity

Not Before: May 28 18:17:26 2009 GMT

Not After : May 28 18:17:26 2019 GMT

Subject: C=US, O=Wells Fargo, OU=Wells Fargo Certificate Authorities, CN=Wells Fargo Enterprise CA 02

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: (2048 bit)

Modulus:

00:9b:59:84:56:05:e5:1c:76:dd:e0:3a:ca:14:84:

4e:4d:fe:90:e4:9c:33:24:4b:63:16:25:8d:e2:54:

2c:12:f2:9e:54:dd:69:ef:fb:9a:d7:a7:34:80:58:

62:cd:0b:ee:0f:4d:36:a6:db:54:1b:b4:e7:ea:e5:

28:9d:46:31:25:a8:c3:d9:39:f2:90:04:2e:d6:6e:

4a:b3:58:22:b0:d8:18:08:6c:c7:f2:d9:6e:29:e5:

98:00:da:69:49:1b:79:17:52:2c:dd:8b:6c:34:e1:

a2:62:d5:45:9d:97:f7:15:e8:ce:cd:55:a4:86:74:

f9:ad:85:e3:4d:ff:4e:b2:ee:4a:2b:52:61:ec:dc:

b0:6c:55:39:3f:6c:ad:0b:88:7f:33:dc:67:94:7b:

82:8f:2e:d1:06:63:7d:e7:a8:86:ec:46:fe:04:1a:

ef:a3:b6:5f:4d:fc:d6:b8:5c:e6:bd:f8:9c:2a:8b:

e8:0d:b6:4e:96:82:c7:1e:c4:73:8f:68:90:d9:eb:

98:fb:15:bf:83:e6:67:d6:51:cf:40:26:5f:4d:d2:

e0:3d:47:27:57:ba:a9:3f:ed:5f:45:5c:b9:84:d2:

d0:4f:0d:e7:06:b3:5a:e5:12:c8:64:af:11:06:96:

3a:92:28:38:c1:68:72:34:a3:fe:f5:2b:1c:da:6d:

f8:95

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Basic Constraints: critical

CA:TRUE

X509v3 Certificate Policies:

Policy: 2.16.840.1.114171.500.0.0

CPS: http://www.wellsfargo.com/cps/

Policy: 2.16.840.1.114171.500.0.1

CPS: http://www.wellsfargo.com/cps/



Authority Information Access:

OCSP - URI:http://ocsp-root.pki.wellsfargo.com/

CA Issuers - URI:http://crl.pki.wellsfargo.com/wf_root.crt



X509v3 Key Usage: critical

Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign, CRL Sign

X509v3 Authority Key Identifier:

keyid:14:AF:18:F7:BD:E6:E7:6B:E3:5A:FA:EA:51:EF:FE:D4:5A:71:39:C0

DirName:/C=US/O=Wells Fargo/OU=Wells Fargo Certification Authority/CN=Wells Fargo Root Certificate Authority

serial:39:E4:97:9E



X509v3 CRL Distribution Points:



Full Name:

URI:http://crl.pki.wellsfargo.com/root.crl



X509v3 Subject Key Identifier:

C4:AB:45:B6:3A:0B:01:1C:62:5C:CA:3F:C7:E3:CD:2F:30:C4:57:D7

Signature Algorithm: sha1WithRSAEncryption

2d:42:30:eb:21:4d:8f:b9:ab:4d:22:2e:aa:d4:fa:ae:c0:17:

80:a0:29:ca:52:37:1e:d7:a9:6d:66:ba:ab:11:26:98:30:e3:

08:06:8e:c5:76:4a:4a:14:f1:05:06:ba:a9:2a:58:16:0d:0a:

17:1a:8a:b0:d8:a8:b7:c0:80:10:cc:57:71:aa:6b:e4:e2:f0:

ca:d4:c5:be:70:d2:45:af:47:fa:69:4b:4f:a8:e9:66:2f:02:

dd:f6:ea:12:f6:d5:7a:1e:cd:8d:3e:28:8f:c7:cd:6e:c7:f5:

dd:48:0d:d3:1c:65:82:27:b3:e3:b9:68:71:65:40:0d:d6:0f:

fd:1b:9c:1b:7d:68:fb:c3:aa:25:a6:7f:f8:05:ac:73:e0:7a:

2e:84:3d:8d:a6:25:61:a8:97:5c:44:50:a2:92:d2:f1:dc:53:

78:6a:7c:a6:f9:9d:60:ae:20:84:71:bf:03:02:d6:d1:f1:1c:

6a:a4:0e:aa:b0:5c:7f:c0:3e:df:f4:50:60:47:49:eb:6b:d9:

f1:0f:53:e8:7c:1b:74:fa:f4:cd:3a:2a:79:53:39:8b:e0:e0:

2e:3c:b6:7e:ad:5e:12:9e:9a:e4:89:f4:37:bf:2d:92:01:2b:

f0:d3:e5:a4:f8:1b:f7:70:ba:4f:c9:0d:62:2a:10:63:6d:1d:

36:49:6a:2d



This is the C++ MongoDB API I am using to connect to the database:



#include "mongo/util/net/ssl_options.h"

#include "mongo/client/init.h"



int main() {

sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_requireSSL);



// only really need a PEM on the server side

mongo::sslGlobalParams.sslPEMKeyFile = "<path/to/keyfile.pem>";



mongo::Status status = mongo::client::initialize();



if (!status.isOK())

::abort();



DBClientConnection c;

c.connect("hostname.whatever.com"); // outgoing connections are SSL

}



My question to MongoDB support was: From the code above, the comment states that there is only a need of a PEM on the server side. What identifies the "key store" on the C++ client server? Is as key store not required on the

C++ linux server where my application is running?



MongoDB support response was: That is correct. For encrypted communications only the MongoDB server needs a PEM file.



I am just not sure what I am supposed to be providing as far as the sslPEMKeyFile. I have these certificates:



For MongoDB files are in PEM format:

· DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem

· private key of DTCD9C3B2F42757.ent.wfb.bank.corp machine

· certificate for DTCD9C3B2F42757.ent.wfb.bank.corp, signed by WF Enterprise CA 02

· DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem

· WF Enterprise CA 02 certificate, signed by WF Root

· WF Root certificate

I get these errors trying when trying to use each cert separately:

· 2014-09-03T13:46:42.186-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_server.pem error:0906406D:PEM routines:PEM_def_callback:problems getting password



· 2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line





Please me know if you need any additional information.



Thanks for your help,

Liz

From: owner-openssl-users-MCmKBN63+***@public.gmane.org [mailto:owner-openssl-***@openssl.org] On Behalf Of Jeffrey Walton
Sent: Tuesday, September 09, 2014 5:09 AM
To: OpenSSL Users List
Subject: Re: cannot read PEM key file - no start line







On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <fall-***@public.gmane.org> wrote:

All,



I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:



2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I just tried to duplicate with a key (not a certificate) that uses line breaks at 76 characters. I don't have a certificate because my routines don't support certificates. But it should reveal a little about the OpenSSL parser.

Reading the public and private keys were OK when the line size was 76 (see below). So the OpenSSL parser is lenient during a read. This seems very reasonable to me.

Reading an encrypted private key resulted in an error "PEM_read_bio:bad end line:pem_lib.c:802" when the line size was 76 (see below). This kind of surprised me.

Since you are receiving the "no start line" error (and not another error), I would suspect you are reading an ASN.1/DER encoded certificate; and not a PEM encoded certificate. The error occured before anything related to line lengths.

Can you post the X509 certificate for inspection?

Jeff

**********



# Line breaks at 76

$ cat rsa-pub-xxx.pem
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDse17vxd2lkVIxwt1gkipo0EZo3NdDhIvPRowZ
6hfRM1n3+8NlS4Qw76PvM1EMR9FXCFTBtv9zzZ7OkNH84LgG6mbNS28PuWeUFmMZumdLbT4KNu2U
pttFup08OUEIlrmkeP1GqMCfaVcbCfl0tScpCMeEhXUpiIvtzUin2kqGHQIDAQAB
-----END PUBLIC KEY-----

# Line breaks at 76
$ cat rsa-priv-xxx.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDse17vxd2lkVIxwt1gkipo0EZo3NdDhIvPRowZ6hfRM1n3+8NlS4Qw76PvM1EM
R9FXCFTBtv9zzZ7OkNH84LgG6mbNS28PuWeUFmMZumdLbT4KNu2UpttFup08OUEIlrmkeP1GqMCf
aVcbCfl0tScpCMeEhXUpiIvtzUin2kqGHQIDAQABAoGBAJqxzZW98tMW8BS7K0O7+eActqJsLKjv
MOIDfSyKlM/17pmo6NX/g1bbvHqCMDd/V3K+cWtTAWJIlOT9mU/51Ib3h29xEQQ6Ql/ubMPAmm/t
f7itQMxn5FVY+ZA2/pL/mDzAdMuLeS/1TcHCqjbpAL8VaZjHTqztHBcVcNzbIQ6BAkEA/e7hE6WV
caAoFEVfoZW0AIjwWpziQdI1bhNAi70fxWEU1kSq2ZZZhqxU4G37IKmVfBnx3CSzCgp5daPqUpEO
oQJBAO5oIOgVf3GqL03fA6N3s2gx9L4VzAaZZynDF6yjhCCAXs8uUSEYKL32a17dFq+0SrQUSS2J
Tylsz2cv+Uk6cf0CQQCV5RLb5BypbB78iE8BNTuCLVOkSYON0yZTCe5KDqPYgYwpR3OK6aODSer4
aDObfj+NeEs65jcBsFkuRkol3xbBAkEAiN+rlNNS2fU1N2YEdsNwcy/LLZ7iBh/ohKeHXgx6/RX2
WMhkt7VhHr7tIgeY0MOX6A+Fe+lLU6Mu6DU4z/wIGQJAQfEGaJbtaq8bLu6m2VYPpGig1NyBx9i8
kF/E+JC9ZSYh//5nhp6+lBbxceDcijPqnKGZlMYS51nPLSHQBRqbog==
-----END RSA PRIVATE KEY-----

# Line breaks at 76, password is "test"
$ cat rsa-enc-priv-xxx.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8878824B00BA92932DC5AA1E4A9F12E0

klcOjPvZmj/19sUcf031oUckm2YUw7nEp6UtSbs41OKd2TyRfveNl4vv3J8AzOh18AqPPSKR3chM
8lSvKIdcksieh8raqr2s5wMd8ds/mDkguoVWGVnN8f+FKoVTny7OMhXAbQhk2ZXwZMEU5Q8M/Jnj
3ZfrbgcLYH50UoPlkgD6Y0krcNB+TDJEMvErn7G6RedrDPOjQ2gFCmRSE6Yuqtcgl5JaVS+1UT8Z
4l+EMuUjQcBiwuSQNxgfwyGQ3g/2maluLJsEKHDQhAKufe2c7lXlK/0MdHY+q4RbNLmGBigHb97U
A5jTZl5+dBrQgtgPx7V13F/7EHT6m2KrYSDvfoPadcT65sT1ukoZF5rvbdRcN1QtVetVrymwM5XU
8CrlSz6tihleipPx27JUA7WQjIQc/Kk7R0e1dNB0oEkgd0i5+20bg+4/Keh0t5fwkXlyrCwjEItT
zoC0Hm2dvXG6BTm1OUyRL94DxStVmqRpwDbthbEUqxYWrxTgWKu+noGYu3xJFI6plKEHTY+YMxjm
azeyV8CE0HGwRXTBHpj47bekt5dpxMxZasgeIJqHrUI3am+CijdJTHQyHU3Zxk7rdiLha1inpN6M
Z+ImQxqzm22e4/KMnTxcZ7L6hNzCKXgAGZ9gdg2uV+fwwyFRwzLDWMbQFeYH10yHB6Ua6Wg2LZdr
+NTuJlrMykVULD382XszNMLFtJGl46lpJ9XKWTTIX4e5Fg5N1WSHS2gD8YLxtRzd9vM9ewsZOMtw
gqw5uK7GSJUo8FHKtYuLGKY0jnVHFm2VnYo+76RXQxmJyo+ANmALJCJENCZDMm0I0pRGgRVV
-----END RSA PRIVATE KEY-----

$ openssl rsa -in rsa-pub-xxx.pem -pubin -text -noout
Public-Key: (1024 bit)
Modulus:
00:ec:7b:5e:ef:c5:dd:a5:91:52:31:c2:dd:60:92:
2a:68:d0:46:68:dc:d7:43:84:8b:cf:46:8c:19:ea:
17:d1:33:59:f7:fb:c3:65:4b:84:30:ef:a3:ef:33:
51:0c:47:d1:57:08:54:c1:b6:ff:73:cd:9e:ce:90:
d1:fc:e0:b8:06:ea:66:cd:4b:6f:0f:b9:67:94:16:
63:19:ba:67:4b:6d:3e:0a:36:ed:94:a6:db:45:ba:
9d:3c:39:41:08:96:b9:a4:78:fd:46:a8:c0:9f:69:
57:1b:09:f9:74:b5:27:29:08:c7:84:85:75:29:88:
8b:ed:cd:48:a7:da:4a:86:1d
Exponent: 65537 (0x10001)

$ openssl rsa -in rsa-priv-xxx.pem -text -noout
Private-Key: (1024 bit)
modulus:
00:ec:7b:5e:ef:c5:dd:a5:91:52:31:c2:dd:60:92:
2a:68:d0:46:68:dc:d7:43:84:8b:cf:46:8c:19:ea:
17:d1:33:59:f7:fb:c3:65:4b:84:30:ef:a3:ef:33:
51:0c:47:d1:57:08:54:c1:b6:ff:73:cd:9e:ce:90:
d1:fc:e0:b8:06:ea:66:cd:4b:6f:0f:b9:67:94:16:
63:19:ba:67:4b:6d:3e:0a:36:ed:94:a6:db:45:ba:
9d:3c:39:41:08:96:b9:a4:78:fd:46:a8:c0:9f:69:
57:1b:09:f9:74:b5:27:29:08:c7:84:85:75:29:88:
8b:ed:cd:48:a7:da:4a:86:1d
publicExponent: 65537 (0x10001)
privateExponent:
00:9a:b1:cd:95:bd:f2:d3:16:f0:14:bb:2b:43:bb:
f9:e0:1c:b6:a2:6c:2c:a8:ef:30:e2:03:7d:2c:8a:
94:cf:f5:ee:99:a8:e8:d5:ff:83:56:db:bc:7a:82:
30:37:7f:57:72:be:71:6b:53:01:62:48:94:e4:fd:
99:4f:f9:d4:86:f7:87:6f:71:11:04:3a:42:5f:ee:
6c:c3:c0:9a:6f:ed:7f:b8:ad:40:cc:67:e4:55:58:
f9:90:36:fe:92:ff:98:3c:c0:74:cb:8b:79:2f:f5:
4d:c1:c2:aa:36:e9:00:bf:15:69:98:c7:4e:ac:ed:
1c:17:15:70:dc:db:21:0e:81
prime1:
00:fd:ee:e1:13:a5:95:71:a0:28:14:45:5f:a1:95:
b4:00:88:f0:5a:9c:e2:41:d2:35:6e:13:40:8b:bd:
1f:c5:61:14:d6:44:aa:d9:96:59:86:ac:54:e0:6d:
fb:20:a9:95:7c:19:f1:dc:24:b3:0a:0a:79:75:a3:
ea:52:91:0e:a1
prime2:
00:ee:68:20:e8:15:7f:71:aa:2f:4d:df:03:a3:77:
b3:68:31:f4:be:15:cc:06:99:67:29:c3:17:ac:a3:
84:20:80:5e:cf:2e:51:21:18:28:bd:f6:6b:5e:dd:
16:af:b4:4a:b4:14:49:2d:89:4f:29:6c:cf:67:2f:
f9:49:3a:71:fd
exponent1:
00:95:e5:12:db:e4:1c:a9:6c:1e:fc:88:4f:01:35:
3b:82:2d:53:a4:49:83:8d:d3:26:53:09:ee:4a:0e:
a3:d8:81:8c:29:47:73:8a:e9:a3:83:49:ea:f8:68:
33:9b:7e:3f:8d:78:4b:3a:e6:37:01:b0:59:2e:46:
4a:25:df:16:c1
exponent2:
00:88:df:ab:94:d3:52:d9:f5:35:37:66:04:76:c3:
70:73:2f:cb:2d:9e:e2:06:1f:e8:84:a7:87:5e:0c:
7a:fd:15:f6:58:c8:64:b7:b5:61:1e:be:ed:22:07:
98:d0:c3:97:e8:0f:85:7b:e9:4b:53:a3:2e:e8:35:
38:cf:fc:08:19
coefficient:
41:f1:06:68:96:ed:6a:af:1b:2e:ee:a6:d9:56:0f:
a4:68:a0:d4:dc:81:c7:d8:bc:90:5f:c4:f8:90:bd:
65:26:21:ff:fe:67:86:9e:be:94:16:f1:71:e0:dc:
8a:33:ea:9c:a1:99:94:c6:12:e7:59:cf:2d:21:d0:
05:1a:9b:a2

$ openssl rsa -in rsa-enc-priv-xxx.pem -passin pass:test -text -noout
unable to load Private Key
140735192314332:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:



---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

I was half wrong before.



The base64 read in EVP_Decode* allows 76. But the PEM parser in PEM_read_bio

enforces exactly 64 >>only for input files that have PEM-encrypt headers<<

which in practice is only encrypted legacy-format privatekey files.

(Nonprivate things like cert, CSR, publickey, params, etc. aren’t encrypted at all.

PKCS8 privatekey or PKCS12 key-plus-cert is encrypted within the ASN1, not as PEM.)



I have and know of no software to create encrypted legacy-format privatekeys

other than OpenSSL itself which always writes 64, so I never encountered this before.

(Other sw does do PKCS8-e or PKCS12 but see above.)



(As seen elsethread, OP apparently had PEM certs where PEM key was expected.)



From: owner-openssl-users-MCmKBN63+***@public.gmane.org [mailto:owner-openssl-users-MCmKBN63+***@public.gmane.org] On Behalf Of Jeffrey Walton
Sent: Tuesday, September 09, 2014 08:09
To: OpenSSL Users List
Subject: Re: cannot read PEM key file - no start line







On Sun, Sep 7, 2014 at 10:26 PM, Liz Fall <fall-***@public.gmane.org> wrote:

All,



I am getting the following with my client cert when trying to connect to an SSL-enabled MongoDB:



2014-09-03T13:37:56.881-0500 ERROR: cannot read PEM key file: /users/apps/tstlrn/u019807/DTCD9C3B2F42757.ent.wfb.bank.corp_mongo_wells.pem error:0906D06C:PEM routines:PEM_read_bio:no start line

I just tried to duplicate with a key (not a certificate) that uses line breaks at 76 characters. I don't have a certificate because my routines don't support certificates. But it should reveal a little about the OpenSSL parser.

Reading the public and private keys were OK when the line size was 76 (see below). So the OpenSSL parser is lenient during a read. This seems very reasonable to me.

Reading an encrypted private key resulted in an error "PEM_read_bio:bad end line:pem_lib.c:802" when the line size was 76 (see below). This kind of surprised me.

Since you are receiving the "no start line" error (and not another error), I would suspect you are reading an ASN.1/DER encoded certificate; and not a PEM encoded certificate. The error occured before anything related to line lengths.

<snip rest>