1
votes

I have certificate issues with Firefox/Thunderbird versions newer than 31. The import fails for unknown reasons. I can import the certificate in an old version of F/T and export it again; after that it works fine in current versions. The only difference I spotted between the certificates is the private key attributes. The certificates are in the pkcs12 format.

First I extracted the private key with

    openssl pkcs12 -in certificate.p12 -nocerts -out privatekey.pem

then I printed out the details with

    openssl rsa -in privatekey.pem -text -noout

I get the exact same output from my old certificate and the exported one, except that prime1, prime2 and exponent1, exponent2 are switched and the coefficient is different.

Is there a simple way to solve the problem with a command? Maybe an openssl command?

Additional Info:
The prime1 and prime2 from the working exported private key. In the old private key it is exactly the same output, but prime1 is prime2 and vice versa.

prime1:
    00:f6:63:95:7c:1a:96:4f:33:c7:dd:3f:a4:dc:7d:
    00:5f:e3:0e:93:d7:2f:88:d1:44:f3:2b:75:38:00:
    18:bb:19:ba:af:ac:20:34:93:d0:42:fb:d7:73:66:
    f6:cc:d8:10:b1:31:ea:f8:79:5d:f5:08:56:2f:2d:
    d8:31:e6:6e:62:92:89:eb:1e:44:31:ed:92:0a:a1:
    02:ef:f5:f7:7c:2c:a0:26:60:5b:95:3a:a4:44:fa:
    dc:ce:99:88:88:d7:f2:25:1d:48:6f:c6:b4:72:d0:
    b0:50:59:18:e8:81:c7:13:45:e2:04:38:8f:d7:53:
    50:0a:7a:44:8f:21:e9:d4:bd

prime2:
    00:96:4a:84:35:b9:bd:0c:f4:00:e1:d4:2e:f7:49:
    ce:a5:0f:3d:90:83:ad:5b:7b:e0:06:a4:a1:6a:bd:
    2e:7c:3c:b8:1c:f1:b9:45:fc:41:00:ec:70:5b:ba:
    00:21:62:df:54:07:9a:b1:09:93:89:27:f8:29:55:
    bf:90:81:ea:07:ef:0f:dd:ca:11:da:d6:aa:e7:de:
    16:6c:68:52:fe:51:e6:20:46:3c:97:af:e2:a6:fd:
    ef:bb:e3:08:9d:13:18:88:51:73:ae:81:15:7c:1b:
    86:52:d5:16:cc:86:66:8e:b8:48:b9:6c:14:27:10:
    82:8e:04:e6:ea:25:af:20:53
1
Most of the RSA implementations require prime1 to be less than prime2. Is this the case here? Just as a side note: PKCS#12 is a format for keystores, which contain certificates and optionally private keys. – divanov

Thanks for your fast response. I don't know how to identify the prime numbers from the output. I tried to convert them from hexadecimal to decimal but I only get really strange results, so I added them to the question. Yes, I know that the pkcs12 is for keystores. The problem I have seems to come from the private key. The pkcs12 elements are all the same except the RSA private key. – Tita-dp314

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops? – jww

1 Answers

8
votes

Here is the answer.

prime1: p
prime2: q
modulus: N = p * q
publicExponent: e
privateExponent: d

Take a look at this article on using the Chinese remainder algorithm.

exponent1 = dp
exponent2 = dq
coefficient = qInv

See this reference.
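
The relationship listed in the answer, worked through as an added example (not part of the original answer): with the standard definitions dp = d mod (p-1), dq = d mod (q-1) and qInv = q^-1 mod p, swapping prime1 and prime2 swaps exponent1 and exponent2 and changes the coefficient, which is exactly the difference described in the question. The toy key (53, 61, e = 17) and all function names are constructed for this illustration.

```python
def parse_openssl_hex(dump: str) -> int:
    """Convert an `openssl rsa -text` value ('00:f6:63:...', any wrapping) to an int."""
    return int("".join(dump.split()).replace(":", ""), 16)


def crt_params(p: int, q: int, d: int) -> dict:
    """CRT fields for a given prime order, named as openssl prints them."""
    return {
        "prime1": p,
        "prime2": q,
        "exponent1": d % (p - 1),       # dp
        "exponent2": d % (q - 1),       # dq
        "coefficient": pow(q, -1, p),   # qInv = q^-1 mod p (Python 3.8+)
    }


def crt_decrypt(c: int, key: dict) -> int:
    """RSA private-key operation using only the CRT fields."""
    p, q = key["prime1"], key["prime2"]
    m1 = pow(c, key["exponent1"], p)
    m2 = pow(c, key["exponent2"], q)
    h = (key["coefficient"] * (m1 - m2)) % p
    return m2 + h * q


# Constructed toy key, far too small for real use: N = 53 * 61, e = 17.
E, D = 17, 2753
OLD = crt_params(53, 61, D)       # prime1 < prime2
SWAPPED = crt_params(61, 53, D)   # same key, primes in the other order

if __name__ == "__main__":
    n = OLD["prime1"] * OLD["prime2"]
    c = pow(65, E, n)
    for name, key in (("old", OLD), ("swapped", SWAPPED)):
        print(name, key, "decrypts to", crt_decrypt(c, key))
```

Both orderings describe the same key and decrypt identically; only the stored CRT fields differ. `parse_openssl_hex` turns the colon-separated dumps into integers so that prime1 and prime2 can be compared directly.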