[openssl-users] Generate ECC key with password protection

Viktor Dukhovni openssl-users at dukhovni.org
Fri Jan 13 19:02:12 UTC 2017


On Fri, Jan 13, 2017 at 01:49:14PM -0500, Ken Goldman wrote:

> On 1/13/2017 1:21 PM, Viktor Dukhovni wrote:
> > On Fri, Jan 13, 2017 at 06:18:51PM +0000, Viktor Dukhovni wrote:
> 
> Still no success.  I think this is exactly what you suggested, and something
> I had already tried.
> 
> openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256
> -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt
> ec_param_enc:named_curve -text
> 
> parameter setting error
> 139854491113288:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:

In that case, your OpenSSL library is broken, or was built without
EC support.  Perhaps you're running the wrong openssl(1) binary.

> https://www.openssl.org/docs/man1.0.2/apps/genpkey.html
> 
> Could it be that 1.0.2 doesn't support creation of EC keys?

EC key creation is supported in 1.0.2:

    $ openssl version -a; openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -text; cat cakeyecc.pem
    OpenSSL 1.0.2j  26 Sep 2016
    built on: reproducible build, date unspecified
    platform: NetBSD-x86_64
    options:  bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) blowfish(ptr2)
    compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H
    -O2 -I/usr/include -Wa,--noexecstack -DTERMIOS -DL_ENDIAN -DMD32_REG_T=int -O2 -DOPENSSL_IA32_SSE2
    -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM
    -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/usr/pkg/etc/openssl"
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAj2P6Eun6xu+QICCAAw
    HQYJYIZIAWUDBAEqBBCLkrjwPqdzyGUnq+FZmAXKBIGQYc6Ug3yc5JbhkUmNmtPm
    8An/0hE1ErvedRQFk0yyfUTiX/cHcuTkm5S5ZJlE4jtDJRidc3TxX59yTa6blZbp
    EilWzrACBO0POWeUsN0SnYAwHfaQ7dRKfoK0xmZJMRclzd9C62f64e/0Q2v1xdvj
    oMyg7aiK2fa1DdXdkDeB0j3Cnpo4x24ZY1De870LOkd/
    -----END ENCRYPTED PRIVATE KEY-----
    Private-Key: (256 bit)
    priv:
        63:c2:97:81:a3:bc:4f:10:cc:ca:68:70:bf:a3:fa:
        da:e3:fd:7d:d2:9f:88:b9:4b:bf:11:ac:4b:9c:b5:
        d4:c2
    pub:
        04:96:5d:78:a2:7b:60:b3:9c:67:7d:d7:19:68:4e:
        4e:7b:a4:75:46:31:b1:f6:76:28:86:fe:9a:56:9c:
        bc:3c:4b:37:0b:3b:0c:24:ed:2b:d1:8f:85:92:0f:
        6e:48:9d:49:2c:7b:e7:7c:df:94:8a:9d:4b:f8:bc:
        25:82:cb:50:22
    ASN1 OID: prime256v1
    NIST CURVE: P-256

The documentation of genpkey(1) was improved in 1.1.0, perhaps some
of the improvements should be backported. Pull requests welcome.

-- 
	Viktor.
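
Added example, not part of the original message: a shell check that the openssl binary on PATH has EC support, followed by generation and verification of a passphrase-protected P-256 key with the genpkey options used in this thread. It omits `-text`, which in the session above wrote the unencrypted `priv:` value into cakeyecc.pem next to the encrypted PEM, and it reads the passphrase from an environment variable instead of `pass:` on the command line. The function names and the `KEY_PASS` variable are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example. Function names and KEY_PASS are hypothetical, not OpenSSL's.

# Succeeds only if the openssl found on PATH was built with EC support and
# knows the curve used in the thread (ecparam is absent from no-EC builds).
ec_supported() {
    command -v openssl >/dev/null || return 2
    openssl ecparam -list_curves 2>/dev/null | grep -q 'prime256v1'
}

# $1 = output file. The passphrase is taken from the exported KEY_PASS so it
# does not show up in the process list the way "-pass pass:..." does.
gen_ec_key() {
    (
        umask 077   # key file readable by the owner only
        openssl genpkey -algorithm EC \
            -pkeyopt ec_paramgen_curve:prime256v1 \
            -pkeyopt ec_param_enc:named_curve \
            -aes256 -pass env:KEY_PASS -out "$1"
    )
}

# $1 = key file. Checks that the file is an encrypted PKCS#8 PEM, carries no
# plaintext "priv:" dump, opens with KEY_PASS and refuses a wrong passphrase.
key_is_protected() {
    [ "$(head -n 1 "$1")" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ] || return 1
    ! grep -q '^ *priv:' "$1" || return 1
    openssl pkey -in "$1" -passin env:KEY_PASS -noout 2>/dev/null || return 1
    ! openssl pkey -in "$1" -passin pass:constructed-wrong-pass -noout 2>/dev/null
}

# Stand-alone use: KEY_PASS='...' ./script.sh cakeyecc.pem
if [ -n "${1:-}" ]; then
    command -v openssl && openssl version
    ec_supported || { echo "this openssl has no EC support" >&2; exit 1; }
    gen_ec_key "$1" && key_is_protected "$1" && echo "ok: $1"
fi
```
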