[openssl-users] Generate ECC key with password protection

[Viktor Dukhovni]

On Fri, Jan 13, 2017 at 03:26:08PM -0500, Ken Goldman wrote:

> On 1/13/2017 2:02 PM, Viktor Dukhovni wrote:
> > > parameter setting error
> > > 139854491113288:error:06089094:digital envelope
> > > routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:
> > 
> > In that case, your OpenSSL library is broken, or was built without
> > EC support.  Perhaps you're running the wrong openssl(1) binary.
> 
> Perhaps++.  The command ran on a 1.0.2 platform.
> 
> > EC key creation is supported in 1.0.2:
> 
> openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> 
> The C API's seem to support EC.  Perhaps the openssl binary does not?
> 
> RHEL 6.7 is still at 1.0.1.
> 
> Can I create the key and certificates on the 1.0.2 platform and use them
> with the C API on 1.0.1?

RedHat has in various past releases deliberately disabled EC support.
More recently they've enabled just the NIST P-256,384,521 curves.

So your software may be neutered by the vendor, however, you seem
to be using 1.0.1, while I was testing 1.0.2.

With 1.0.1 I get:

    $ openssl version -a; openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -text; cat cakeyecc.pem
    OpenSSL 1.0.1v-dev  xx XXX xxxx
    built on: Fri Jan 13 15:35:13 2017
    platform: darwin64-x86_64-cc
    options:  bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) idea(int) blowfish(idx) 
    compiler: cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/Volumes/gitvol/viktor/ssl/OpenSSL_1_0_1/ssl"
    parameter setting error
    140735936984072:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:394:
    cat: cakeyecc.pem: No such file or directory

With 1.0.1, EC support in genpkey(1) is incomplete.  To encrypt
use a pipeline:

    $ openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -text
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiDn5ZQFVqU2wICCAAw
    HQYJYIZIAWUDBAEqBBBMxK5x8CNp29AxpTpdjjZzBIGQFcjJotTUgue5zv1ZUiJE
    Fmp3LFInp0+mJmiSMM/WZUM2aALAG3xikB5xn0ENmtluiLVM+Osa5PZVj5WAisgN
    DBmHRYqFoxOQPc9L8DN8dr0PDM/d7KZe3Vr4FAlkG86R/aFOOn8yBX2DepDDmvuc
    aYn6abZZWe9uISi+Gk0r3Hna6cKz0K5M6ecGim6oBRg2
    -----END ENCRYPTED PRIVATE KEY-----
    Private-Key: (256 bit)
    priv:
	00:fc:ee:5b:91:0d:7b:11:c1:a3:6b:b6:45:e3:88:
	12:80:08:27:77:1b:3c:ad:59:4f:cd:10:42:f7:6e:
	53:4a:e9
    pub: 
	04:82:74:1c:da:70:65:e0:2d:3f:3b:8b:e4:10:e1:
	b0:60:b0:f8:59:9a:99:7d:a7:70:52:13:be:02:8d:
	c4:a0:56:9b:7f:79:ae:b8:ca:61:52:8c:74:06:59:
	72:10:77:6e:53:62:df:47:ef:af:64:47:97:73:cb:
	a6:f0:eb:a2:24
    ASN1 OID: prime256v1

-- 
	Viktor.