ECC keypair generation with password
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Feb 28 20:36:25 UTC 2019
On Thu, Feb 28, 2019 at 03:05:43PM -0500, Ken Goldman wrote:
> The output is a
> -----BEGIN ENCRYPTED PRIVATE KEY-----
This is PKCS8, which is the non-legacy private key format that
should be used by modern libraries. This is for example output by:
$ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -aes128
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgWnV30Y37QvAICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEMx8xGM1W+W4JdPET0xj0MAEgZAp
9XvYDcsnokrXBoyWqFF73VeT/4ALgS+StQQK/84qzqjOKSUeteLiDoHkyH2GUYue
WILJh+3MoqRRGyGPGaznI7yT2fCSUJNGZsvEDd8ILYGpvkS8ssfa/WXWZ0d4jwXr
VE05VWx424ospaKPz8E5wsvpfuqB3/CxFnD0WUTa1cY/oLkwAUem/ps4iMWoIP8=
-----END ENCRYPTED PRIVATE KEY-----
[ The password is "sesame", if you want to test using the above key. ]
> Now I must send the PEM file to a crypto library that does not support
>
> It expects
> -----BEGIN EC PRIVATE KEY-----
That's the legacy algorithm-specific format, your library is rather
dated.
> Its parser does accept a password.
>
> Is there a way to generate that PEM file? I.e.
$ openssl ec -aes128 <<EOF
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgWnV30Y37QvAICCAAw
> DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEMx8xGM1W+W4JdPET0xj0MAEgZAp
> 9XvYDcsnokrXBoyWqFF73VeT/4ALgS+StQQK/84qzqjOKSUeteLiDoHkyH2GUYue
> WILJh+3MoqRRGyGPGaznI7yT2fCSUJNGZsvEDd8ILYGpvkS8ssfa/WXWZ0d4jwXr
> VE05VWx424ospaKPz8E5wsvpfuqB3/CxFnD0WUTa1cY/oLkwAUem/ps4iMWoIP8=
> -----END ENCRYPTED PRIVATE KEY-----
> EOF
read EC key
Enter PEM pass phrase:
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,28ADEB740F62A9F41B2AAE09B53CD433
WbSfKUDAWwz8/6mAH9fuiBbCHrNwb7hnoRz7rfaoJ9QU5VzxZtwuZhGnAw/nKfsy
b/GHtWa4ghtHf9QofQWuJukeMrC2/KAO+8K1qRsUtcH3KFsaVLcKrDk9plQ2lGdr
qh3IX8vzPi+YZbdtquSse84g5GNMSE/Urv2bGdZH278=
-----END EC PRIVATE KEY-----
[ The password is still "sesame" ]
--
Viktor.
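
Added example (not part of the original message, and not OpenSSL's own code): a short Python script that reads the two PEM blocks shown above and reports what each one records about its password protection. The PKCS#8 block carries its KDF, iteration count and cipher inside the DER, while the legacy block carries only the cipher and IV in its headers, because OpenSSL's legacy PEM encryption derives the key with a fixed single MD5 iteration. The function names are chosen for this example.

```python
import base64, re
# Both samples are copied verbatim from the message above (pass phrase "sesame").
PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgWnV30Y37QvAICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEMx8xGM1W+W4JdPET0xj0MAEgZAp
9XvYDcsnokrXBoyWqFF73VeT/4ALgS+StQQK/84qzqjOKSUeteLiDoHkyH2GUYue
WILJh+3MoqRRGyGPGaznI7yT2fCSUJNGZsvEDd8ILYGpvkS8ssfa/WXWZ0d4jwXr
VE05VWx424ospaKPz8E5wsvpfuqB3/CxFnD0WUTa1cY/oLkwAUem/ps4iMWoIP8=
-----END ENCRYPTED PRIVATE KEY-----"""
LEGACY = """-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,28ADEB740F62A9F41B2AAE09B53CD433
WbSfKUDAWwz8/6mAH9fuiBbCHrNwb7hnoRz7rfaoJ9QU5VzxZtwuZhGnAw/nKfsy
b/GHtWa4ghtHf9QofQWuJukeMrC2/KAO+8K1qRsUtcH3KFsaVLcKrDk9plQ2lGdr
qh3IX8vzPi+YZbdtquSse84g5GNMSE/Urv2bGdZH278=
-----END EC PRIVATE KEY-----"""
OIDS = {"2a864886f70d01050d": "PBES2", "2a864886f70d01050c": "PBKDF2",  # DER-encoded
        "2a864886f70d0209": "hmacWithSHA256", "608648016503040102": "aes-128-cbc"}

def tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def walk(buf):  # yield each OID (by name) and INTEGER in the structure, in order
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        if tag == 0x30:  # SEQUENCE: descend
            yield from walk(val)
        elif tag == 0x06:  # OBJECT IDENTIFIER
            yield OIDS.get(val.hex(), val.hex())
        elif tag == 0x02:  # INTEGER (here: the PBKDF2 iteration count)
            yield int.from_bytes(val, "big")

def key_protection(pem):  # summarise how a PEM private key is protected
    label = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem).group(1)
    body = pem.strip().splitlines()[1:-1]
    hdr = dict(l.split(": ", 1) for l in body if ": " in l)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8: KDF and cipher are in the DER
        return ("PKCS#8", *walk(base64.b64decode("".join(body))))
    if hdr.get("Proc-Type") == "4,ENCRYPTED":  # legacy: only cipher and IV recorded
        return ("legacy " + label, *hdr["DEK-Info"].split(","))
    return (label, "unencrypted")

for sample in (PKCS8, LEGACY):
    print(key_protection(sample))
```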