[openssl-users] Generate ECC key with password protection
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Jan 13 19:02:12 UTC 2017
On Fri, Jan 13, 2017 at 01:49:14PM -0500, Ken Goldman wrote:
> On 1/13/2017 1:21 PM, Viktor Dukhovni wrote:
> > On Fri, Jan 13, 2017 at 06:18:51PM +0000, Viktor Dukhovni wrote:
>
> Still no success. I think this is exactly what you suggested, and something
> I had already tried.
>
> openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256
> -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt
> ec_param_enc:named_curve -text
>
> parameter setting error
> 139854491113288:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:

In that case, your OpenSSL library is broken, or was built without
EC support. Perhaps you're running the wrong openssl(1) binary.

> https://www.openssl.org/docs/man1.0.2/apps/genpkey.html
>
> Could it be that 1.0.2 doesn't support creation of EC keys?

EC key creation is supported in 1.0.2:

$ openssl version -a; openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -text; cat cakeyecc.pem
OpenSSL 1.0.2j 26 Sep 2016
built on: reproducible build, date unspecified
platform: NetBSD-x86_64
options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) blowfish(ptr2)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H
-O2 -I/usr/include -Wa,--noexecstack -DTERMIOS -DL_ENDIAN -DMD32_REG_T=int -O2 -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/pkg/etc/openssl"
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAj2P6Eun6xu+QICCAAw
HQYJYIZIAWUDBAEqBBCLkrjwPqdzyGUnq+FZmAXKBIGQYc6Ug3yc5JbhkUmNmtPm
8An/0hE1ErvedRQFk0yyfUTiX/cHcuTkm5S5ZJlE4jtDJRidc3TxX59yTa6blZbp
EilWzrACBO0POWeUsN0SnYAwHfaQ7dRKfoK0xmZJMRclzd9C62f64e/0Q2v1xdvj
oMyg7aiK2fa1DdXdkDeB0j3Cnpo4x24ZY1De870LOkd/
-----END ENCRYPTED PRIVATE KEY-----
Private-Key: (256 bit)
priv:
63:c2:97:81:a3:bc:4f:10:cc:ca:68:70:bf:a3:fa:
da:e3:fd:7d:d2:9f:88:b9:4b:bf:11:ac:4b:9c:b5:
d4:c2
pub:
04:96:5d:78:a2:7b:60:b3:9c:67:7d:d7:19:68:4e:
4e:7b:a4:75:46:31:b1:f6:76:28:86:fe:9a:56:9c:
bc:3c:4b:37:0b:3b:0c:24:ed:2b:d1:8f:85:92:0f:
6e:48:9d:49:2c:7b:e7:7c:df:94:8a:9d:4b:f8:bc:
25:82:cb:50:22
ASN1 OID: prime256v1
NIST CURVE: P-256

The documentation of genpkey(1) was improved in 1.1.0, perhaps some
of the improvements should be backported. Pull requests welcome.

--
Viktor.
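
Added example, not part of the original message: a shell check for the two causes named above (wrong openssl binary on PATH, or a build that does not offer the curve), followed by generating the encrypted P-256 key and verifying it. The function names, return codes and the KEYPASS variable are assumptions made for this example; it reads the passphrase with -pass env: instead of pass: so the passphrase does not appear in the process argument list.

```shell
#!/bin/sh
# Added example (not from the original message). Function names, return
# codes and the KEYPASS variable are assumptions made for this sketch.

# Show which openssl binary is first on PATH and what version it reports.
which_openssl() {
    command -v openssl || return 2
    openssl version
}

# 0 = EC usable, 2 = no openssl on PATH, 3 = prime256v1 not offered.
ec_supported() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl ecparam -list_curves 2>/dev/null | grep -q 'prime256v1' || return 3
}

# Generate an AES-256 encrypted P-256 key at $1, passphrase taken from the
# exported KEYPASS variable, then verify the result.
gen_encrypted_ec_key() {
    out=$1
    [ -n "${KEYPASS:-}" ] || return 1
    export KEYPASS
    ec_supported || return $?
    # -algorithm has to precede the -pkeyopt options.
    openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:prime256v1 \
        -pkeyopt ec_param_enc:named_curve \
        -aes256 -pass env:KEYPASS -out "$out" 2>/dev/null || return 4
    # The file must be an encrypted PKCS#8 container, not a clear-text key.
    head -n 1 "$out" | grep -q 'BEGIN ENCRYPTED PRIVATE KEY' || return 5
    # The right passphrase must decrypt it and show the named curve.
    openssl pkey -in "$out" -passin env:KEYPASS -noout -text 2>/dev/null |
        grep -q 'prime256v1' || return 6
    # A wrong passphrase must be rejected.
    if KEYPASS="wrong-$KEYPASS" openssl pkey -in "$out" \
        -passin env:KEYPASS -noout >/dev/null 2>&1; then
        return 7
    fi
    return 0
}
```

Run which_openssl first to see which binary is being picked up, then call gen_encrypted_ec_key with an output path after exporting KEYPASS.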