[openssl-dev] Reminder: OpenSSL's EC private key encoding is broken

Douglas E Engert deengert at gmail.com
Wed Mar 25 23:40:45 UTC 2015 

The attached patch against https://github.com/openssl/openssl
makes sure the EC private key in an OCTETSTRING retains leading zeros
when converting from BIGNUM to OCTETSTRING.

http://www.secg.org/sec1-v2.pdf

    2.3.7 Integer-to-Octet-String Conversion
    Says: "Output: An octet string M of length mlen octets."

https://tools.ietf.org/html/rfc5915

    Says: "It is an octet string of length ceiling (log2(n)/8)"

https://tools.ietf.org/html/rfc3447

    4.1 I2OSP
    Says: " X corresponding octet string of length xLen"
    and also says: "(note that one or more leading digits will be
    zero if x is less than 256^(xLen-1))."

On 3/25/2015 4:34 PM, Annie wrote:
> Am 24.03.2015 um 19:42 schrieb Douglas E Engert:
>>
>> On 3/24/2015 6:10 AM, Annie Yousar wrote:
>>> Dear all,
>>> this should not have happened:
>>
>> The private key may have leading zero bytes, and the size of the
>> BIGNUM is used
>> for the length of the octetstring rather then the field_len.
>> The length of the BIGNUM does not include any leading zeros.
>>
>
> Exactly.
>
>> Try the attached diff.
>
> The diff solves the issue.
> One remark: Please remove the line
>
>         /* to get old behavior, set buf_len = bn_len */
>
> from the diff. There is no need to keep it. OpenSSL handles gently the leading zero bytes in the encoded private key.
> Your diff changes the ASN.1 encoding only and no bits on the wire. So the old buggy behavior is obsolete.
>
> Kind regards,
> Ann.
>
>
>>>
>>> $ for i in  `seq 1 1000` ; do if [ "x`openssl ecparam -genkey -name
>>> prime256v1 -noout > key.pem; ls -l key.pem | sed '/ 227 /d'`" != " x" ];
>>> then echo; cat key.pem;else echo -n "."; fi; done
>>> ....................................................................................
>>>
>>> -----BEGIN EC PRIVATE KEY-----
>>> MHYCAQEEH9gjg1X/Gn9X/2VTustsXS/OuWV9LU4ivfp5oewxbACgCgYIKoZIzj0D
>>> AQehRANCAARlO6sLkCzJl7khaT8Nj6z3WpcDnMALQ4nI8Toc4/oYHtgUopeSMEj8
>>> fgHw9Ym3/2GgClzweJXYLuTYRB7oR/MY
>>> -----END EC PRIVATE KEY-----
>>> ............................................................................
>>>
>>> ...
>>>
>
> The correct encoded key from above is:
>
> -----BEGIN EC PRIVATE KEY-----
> MHcCAQEEIADYI4NV/xp/V/9lU7rLbF0vzrllfS1OIr36eaHsMWwAoAoGCCqGSM49
> AwEHoUQDQgAEZTurC5AsyZe5IWk/DY+s91qXA5zAC0OJyPE6HOP6GB7YFKKXkjBI
> /H4B8PWJt/9hoApc8HiV2C7k2EQe6EfzGA==
> -----END EC PRIVATE KEY-----
>
> Thanks again.
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecprivatekey-asn1.diff
Type: text/x-patch
Size: 5865 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150325/671d1c51/attachment-0001.bin>

More information about the openssl-dev mailing list