EC_KEY and PEM_read_RSAPrivateKey

Discussion:

redpath

2012-09-01 16:52:53 UTC

Currently I am reading a PEM file which contains a test RSA key

/**
*Load RSA Keys
**/
fp= fopen("test.pem", "rb");
if (fp==NULL){
printf("ERROR opening RSA Keys failed test.pem\n");
return 1;
}
rsapriv= (RSA *) PEM_read_RSAPrivateKey(fp,&rsapriv, (pem_password_cb
*)"password",NULL);

and create a SHA1 message digest

unsigned char *result=SHA1((unsigned char *)sample, strlen(sample), md);

and sign it

int rc= RSA_sign(NID_sha1, md, 20, sigret, &siglen, rsapriv);

Now I have explored also the use of the Elliptical Curve from the SHA1
but and there is always a but, the only example I could figure out is
using the key generation function

EC_KEY_generate_key(eckey); <====

I need to use my private and public key from the RSA PEM file?
Not sure how exactly to do this.

The private would be used for the
ECDSA_do_sign(md, 20, eckey);

The public later is used for verify
ECDSA_do_verify(md, 20, sig, eckey);

The RSA structure consists of several BIGNUM components. It can contain
public as well as private RSA keys:

struct
{
BIGNUM *n; // public modulus
BIGNUM *e; // public exponent
BIGNUM *d; // private exponent
BIGNUM *p; // secret prime factor
BIGNUM *q; // secret prime factor
BIGNUM *dmp1; // d mod (p-1)
BIGNUM *dmq1; // d mod (q-1)
BIGNUM *iqmp; // q^-1 mod p
// ...
};
RSA

There are functions for ECDSA such as
int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *)

and

int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *)
EC_POINT_point2bn(group, point, POINT_CONVERSION_UNCOMPRESSED, ppub_a,
ctx);

The POINT is used for the public key of EC_KEY no real document of how this
is used.

So simply I have a PEM which gives me a RSA* and want to use the public and
privates keys
for the ECDSA.

How?

--
View this message in context: http://old.nabble.com/EC_KEY-and-PEM_read_RSAPrivateKey-tp34377536p34377536.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

Dave Thompson

2012-09-03 02:28:03 UTC

Permalink

Sent: Saturday, 01 September, 2012 12:53
Currently I am reading a PEM file which contains a test RSA key

<snip>

and create a SHA1 message digest
unsigned char *result=SHA1((unsigned char *)sample,
strlen(sample), md);

Aside: that only works for data that is a null-terminated C string.
Most modern crypto schemes work on any data.

and sign it
int rc= RSA_sign(NID_sha1, md, 20, sigret, &siglen, rsapriv);

Also most modern schemes don't sign just the raw hash of the data,
but some metadata as well. Your scheme probably won't interoperate
with nearly anything else.

Now I have explored also the use of the Elliptical Curve from the SHA1
but and there is always a but, the only example I could figure out is
using the key generation function
EC_KEY_generate_key(eckey); <====
I need to use my private and public key from the RSA PEM file?
Not sure how exactly to do this.

No. An RSA key is used for RSA, an EC key is used for EC algorithms
(ECDSA and ECDH). This is completely orthogonal to the hash -- you can
use ECDSA with SHA1, with SHA256 etc (SHA2), with SHA3 when it comes out,
with RIPEMD, even with MD5 (although that would probably weaken security
as there are no EC standard curves with equivalent bit strength that low).

Although you can generate an EC key ad-hoc, you then face the problem
how to distribute it securely to the people who will verify signatures
that use that key -- if those people are different from yourself.
Most applications of ECDSA and DSA, and RSA-signing, use a more-or-less
long-term key (anywhere from a month to several years). I.e. just as you
currently pre-generate an RSA keypair and save it in a file, and read in
the privatekey when you sign something, and distribute the publickey to
be used in verifying, you would pre-generate an EC key to a file, read in
the privatekey to sign, and distribute the publickey to verify.

The private would be used for the
ECDSA_do_sign(md, 20, eckey);
The public later is used for verify
ECDSA_do_verify(md, 20, sig, eckey);

Private and public EC keys, with no connection to any RSA key.

The RSA structure consists of several BIGNUM components. It
can contain

<snip>

Note this is the RSA structure in OpenSSL, which OpenSSL
chose for its convenience. Many other systems have separate
privatekey and publickey structures. Similarly OpenSSL uses
a single EC_KEY structure for both privatekey and publickey,
but many other systems don't.

There are functions for ECDSA such as
int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *)
and
int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *)
EC_POINT_point2bn(group, point,
POINT_CONVERSION_UNCOMPRESSED, ppub_a,
ctx);
The POINT is used for the public key of EC_KEY no real
document of how this
is used.

The mathematics of EC are too complex for a response like this,
but in outline ECDSA and ECDH use the same logic as DSA and DH
but instead of the "sequence" of integers y = g^x mod p for a
large prime p and a generator (number) g, EC uses the "sequence"
of points on an elliptic curve, usually defined by reference
to one of about 20 standardized curves like "nist256p1" and
"sect283r1". Within such a curve/group, an EC privatekey is
a random integer up to the size (order) of the curve d,
and the corresponding publickey is a point computed as dG .

In both DSA and ECDSA, the privatekey is effectively mixed
with a nonce and message data (as noted above, usually hash
of data plus metadata) to produce a result that can be verified,
but not forged, using the publickey. For details see FIPS 186-3,
or wikipedia or something similar.

So simply I have a PEM which gives me a RSA* and want to use
the public and
privates keys
for the ECDSA.
How?

No how, no way, not ever. You need an EC key to do ECDSA.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

redpath

2012-09-03 11:44:42 UTC

Permalink

Well thats what I thought it seems to have its own keys but I saw functions
such as setting the points and BIGNUM and thought maybe the PEM could be
used which uses 2048 RSA.

So essentially I would have a set of ECKEYS just for the ECDSA. There is a
public eckey and private eckey
and those are written to a file I assume but with what functions and also
how to use the functions when reading from a file of the keys (Best
Practices).

I see there is this output/input function as an Octet just for public

int i2o_ECPublicKey ( EC_KEY * key,
unsigned char ** out
)

EC_KEY* o2i_ECPublicKey ( EC_KEY ** key,
const unsigned char ** in,
long len
)

And the private keys seems to indicate a DER

EC_KEY* d2i_ECPrivateKey ( EC_KEY ** key,
const unsigned char ** in,
long len
)

I assume the output here is DER though it does not say it.

int i2d_ECPrivateKey ( EC_KEY * key,
unsigned char ** out
)

(1) So what is the Best Practices then after a key has been generated I can
save to a file (Best Practices, private and public files?) and then I can
read from a file a public or a private key (Best Practices?) Basically I am
interested in saving the private key for generation and handing out the
public for verifying.

As for the data that is SHA1, this was as a sample, we have META data LPIF
and so on, but simple examples are good. There is very little information on
the use of the ECKEY stuff so by me posting everyone can
share the info. Please state Best Practices for the generated keys and their
storage for ECKEY.

By the way this is where I go for doc on ECKEY

http://openssl.sourcearchive.com/documentation/1.0.0e-2/crypto_2ec_2ec_8h_a1a93f5739c093586ef83517b52b44a0c.html#a1a93f5739c093586ef83517b52b44a0c

Post by redpath
Currently I am reading a PEM file which contains a test RSA key
/**
*Load RSA Keys
**/
fp= fopen("test.pem", "rb");
if (fp==NULL){
printf("ERROR opening RSA Keys failed test.pem\n");
return 1;
}
rsapriv= (RSA *) PEM_read_RSAPrivateKey(fp,&rsapriv, (pem_password_cb
*)"password",NULL);
and create a SHA1 message digest
unsigned char *result=SHA1((unsigned char *)sample, strlen(sample), md);
and sign it
int rc= RSA_sign(NID_sha1, md, 20, sigret, &siglen, rsapriv);
Now I have explored also the use of the Elliptical Curve from the SHA1
but and there is always a but, the only example I could figure out is
using the key generation function
EC_KEY_generate_key(eckey); <====
I need to use my private and public key from the RSA PEM file?
Not sure how exactly to do this.
The private would be used for the
ECDSA_do_sign(md, 20, eckey);
The public later is used for verify
ECDSA_do_verify(md, 20, sig, eckey);
The RSA structure consists of several BIGNUM components. It can contain
struct
{
BIGNUM *n; // public modulus
BIGNUM *e; // public exponent
BIGNUM *d; // private exponent
BIGNUM *p; // secret prime factor
BIGNUM *q; // secret prime factor
BIGNUM *dmp1; // d mod (p-1)
BIGNUM *dmq1; // d mod (q-1)
BIGNUM *iqmp; // q^-1 mod p
// ...
};
RSA
There are functions for ECDSA such as
int EC_KEY_set_private_key(EC_KEY *, const BIGNUM *)
and
int EC_KEY_set_public_key(EC_KEY *, const EC_POINT *)
EC_POINT_point2bn(group, point, POINT_CONVERSION_UNCOMPRESSED, ppub_a,
ctx);
The POINT is used for the public key of EC_KEY no real document of how
this is used.
So simply I have a PEM which gives me a RSA* and want to use the public
and privates keys
for the ECDSA.
How?

--
View this message in context: http://old.nabble.com/EC_KEY-and-PEM_read_RSAPrivateKey-tp34377536p34382798.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

Dave Thompson

2012-09-04 01:01:36 UTC

Permalink

Sent: Monday, 03 September, 2012 07:45
Well thats what I thought it seems to have its own keys but I
saw functions
such as setting the points and BIGNUM and thought maybe the
PEM could be
used which uses 2048 RSA.

PEM is a format used for many kinds of data in OpenSSL.
An RSA key, in PEM or DER format, can be used for RSA.
An EC key, in PEM or DER format, can be used for ECDSA/ECDH.

So essentially I would have a set of ECKEYS just for the
ECDSA. There is a
public eckey and private eckey
and those are written to a file I assume but with what
functions and also
how to use the functions when reading from a file of the keys (Best
Practices).

Yes. Or more specifically, one keypair.

I see there is this output/input function as an Octet just for public
int i2o_ECPublicKey ( EC_KEY * key,
unsigned char ** out
)
EC_KEY* o2i_ECPublicKey ( EC_KEY ** key,
const unsigned char ** in,
long len
)

As a series of octets (aka bytes). This actually formats or parses
only the public point, with the curve known. This is used in SSL
(or rather TLS) for online ECDH, because that transmits the curve
separately and only in one direction. For signing, where
verification is expected to be a different system and often later,
it is usually better to have the complete public key: parameters
(usually just identifier of standard curve) plus public point.

For RSA and DSA, OpenSSL supports public keys in (original)
per-algorithm formats named like {i2d,d2i}_RSAPublicKey_* and
PEM_{write,read}_*_RSAPublicKey, and in the generic PublicKeyInfo
format defined by X.509 named like {i2d,d2i}_RSA_PUBKEY_* and
PEM_{write,read}_*_RSA_PUBKEY, or that format using a generic
internal struct (EVP_PKEY) named just PUBKEY. For EC it does
only PUBKEY format, which is the more general and now preferred.

Note some of these names are not directly visible/searchable
in the *.h files because they are declared by C macros like
DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY)

And the private keys seems to indicate a DER
EC_KEY* d2i_ECPrivateKey ( EC_KEY ** key,
const unsigned char ** in,
long len
)
I assume the output here is DER though it does not say it.
int i2d_ECPrivateKey ( EC_KEY * key,
unsigned char ** out
)

Yes. i2d means internal-to-DER, and d2i means DER-to-internal.

Similarly, OpenSSL supports both per-algorithm formats using
names like RSAPrivateKey, and a generic format defined by PKCS#8
using the generic EVP_PKEY struct named PKCS8PrivateKey .
Since 1.0.0 the PKCS#8 format is considered preferred, but
the per-algorithm formats are still supported.

(1) So what is the Best Practices then after a key has been
generated I can
save to a file (Best Practices, private and public files?)
and then I can
read from a file a public or a private key (Best Practices?)
Basically I am
interested in saving the private key for generation and
handing out the
public for verifying.

For all of RSA, DSA/DH, and EC, OpenSSL uses a privatekey (or
keypair) format that includes the publickey information, so you
don't usually need to store a publickey by itself in a file
unless you distribute it that way. But it is more common to
distribute a publickey in an X.509 certificate which provides
integrity and (some) authenticity for it. Thus you typically
have a privatekey (or keypair) file, preferably encrypted if
there is any risk of an adversary seeing the file or a backup;
a Certificate Signing Request CSR which is generated from the
privatekey among other things and includes the publickey among
other things; and a certificate which is generated from the CSR
and contains the publickey among other things. Once you have the
cert you no longer need and can delete the CSR. Or if your reliers
trust your files enough, OpenSSL can generate a selfsigned cert
(containing publickey) in one step, with no CSR. A selfsigned cert
provides no authenticity in itself, but it does prevent tampering
and it piggybacks on the ability of most software to read certs.

By the way this is where I go for doc on ECKEY
http://openssl.sourcearchive.com/documentation/1.0.0e-2/crypto
_2ec_2ec_8h_a1a93f5739c093586ef83517b52b44a0c.html#a1a93f5739c

093586ef83517b52b44a0c
That appears to be derived from the source (presumably 1.0.0e).
I just use the source, and the man pages -- but the man page
coverage is not complete, and relatively newer parts like EC
seem on average to have poorer man page coverage.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

redpath

2012-09-04 13:26:32 UTC

Permalink

Testing the i2d_ECPrivateKey to buffer and then back d2i_ECPrivateKey
and it fails. I checked the forum and one guy was passing NULL at least I
missed that mistake but thats not my issue.

Since I want to save the random generated key to use for private and
also I will do this for public. The public works though back and forth. So
where em I going wrong?

int main(int argc, char **args){
long avail;
FILE *fp;
EC_KEY *eckey = EC_KEY_new(); //allocate a EC_KEY for private
signing and public verify

int ret=
EC_KEY_set_group(eckey,EC_GROUP_new_by_curve_name(NID_secp192k1) );
//Select the curve name
if (!ret){
printf("error set group\n");
return 1;
}

if (!EC_KEY_generate_key(eckey)){ //Pick some random private and
public keys
printf("error generate key\n");
return 1;
}

/**
Okay now get that private key bytes
***/

len= i2d_ECPrivateKey(eckey,NULL);
printf("PRIVATE KEY LENGTH is %d \n",len);
buf = OPENSSL_malloc(len); // malloc(len);
memset(buf,0, len);
ret= i2d_ECPrivateKey(eckey,&buf);
if (!ret){
printf("Private key to DER failed now WHAT?\n");
return 1;
}

//dumpy them let see what it is out of curiosity

printf("PRIVATE KEY is success\n");
for (int i=0; i<len; i++)
printf("%X ",buf[i]);
printf("\n\n");

//Now lets see if this is valid and convert it back
//
eckey = d2i_ECPrivateKey(&eckey, (const unsigned char **)&buf, len);
if (eckey==NULL){
printf("going back failed DER to i \n");
return 1;
}

return 0;
}

Basically this is proof of the API and data will be package appropriately.
But I have to see if I can use this private key later and also use the
public key later
which are saved to validate construction can be performed.

--
View this message in context: http://old.nabble.com/EC_KEY-and-PEM_read_RSAPrivateKey-tp34377536p34387266.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

Douglas E. Engert

2012-09-04 18:45:31 UTC

Permalink

Post by redpath
Testing the i2d_ECPrivateKey to buffer and then back d2i_ECPrivateKey
and it fails. I checked the forum and one guy was passing NULL at least I
missed that mistake but thats not my issue.
Since I want to save the random generated key to use for private and
also I will do this for public. The public works though back and forth. So
where em I going wrong?

Maybe you should look at the OpenSSL apps/ec.c and the apps/ecparam.c
as examples. the ecparam.c can generate a key and write it out using either:

i = i2d_ECPrivateKey_bio(out, eckey);
or
i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
NULL, 0, NULL, NULL);

openssl ecparam -genkey -name prime256v1

Post by redpath
int main(int argc, char **args){
long avail;
FILE *fp;
EC_KEY *eckey = EC_KEY_new(); //allocate a EC_KEY for private
signing and public verify
int ret=
EC_KEY_set_group(eckey,EC_GROUP_new_by_curve_name(NID_secp192k1) );
//Select the curve name
if (!ret){
printf("error set group\n");
return 1;
}
if (!EC_KEY_generate_key(eckey)){ //Pick some random private and
public keys
printf("error generate key\n");
return 1;
}
/**
Okay now get that private key bytes
***/
len= i2d_ECPrivateKey(eckey,NULL);
printf("PRIVATE KEY LENGTH is %d \n",len);
buf = OPENSSL_malloc(len); // malloc(len);
memset(buf,0, len);
ret= i2d_ECPrivateKey(eckey,&buf);
if (!ret){
printf("Private key to DER failed now WHAT?\n");
return 1;
}
//dumpy them let see what it is out of curiosity
printf("PRIVATE KEY is success\n");
for (int i=0; i<len; i++)
printf("%X ",buf[i]);
printf("\n\n");
//Now lets see if this is valid and convert it back
//
eckey = d2i_ECPrivateKey(&eckey, (const unsigned char **)&buf, len);
if (eckey==NULL){
printf("going back failed DER to i \n");
return 1;
}
return 0;
}
Basically this is proof of the API and data will be package appropriately.
But I have to see if I can use this private key later and also use the
public key later
which are saved to validate construction can be performed.

--
Douglas E. Engert <***@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

Dr. Stephen Henson

2012-09-04 20:25:04 UTC

Permalink

Post by redpath
Since I want to save the random generated key to use for private and
also I will do this for public. The public works though back and forth. So
where em I going wrong?
len= i2d_ECPrivateKey(eckey,NULL);
printf("PRIVATE KEY LENGTH is %d \n",len);
buf = OPENSSL_malloc(len); // malloc(len);
memset(buf,0, len);
ret= i2d_ECPrivateKey(eckey,&buf);
if (!ret){
printf("Private key to DER failed now WHAT?\n");
return 1;
}

http://www.openssl.org/support/faq.html#PROG3

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org

Dave Thompson

2012-09-05 00:42:23 UTC

Permalink

Sent: Tuesday, 04 September, 2012 09:27
Testing the i2d_ECPrivateKey to buffer and then back d2i_ECPrivateKey
and it fails. I checked the forum and one guy was passing NULL at least I
missed that mistake but thats not my issue.
Since I want to save the random generated key to use for private and
also I will do this for public. The public works though back
and forth. So where em I going wrong?
int main(int argc, char **args){
long avail;
FILE *fp;
EC_KEY *eckey = EC_KEY_new(); //allocate a EC_KEY for private
signing and public verify
int ret=
EC_KEY_set_group(eckey,EC_GROUP_new_by_curve_name(NID_secp192k1) );
//Select the curve name
if (!ret){
printf("error set group\n");
return 1;
}

Whenever an OpenSSL routine returns an error indication (0 for boolean,
<0 for count-like, and null for pointer) you should look at the error
queue: http://www.openssl.org/support/faq.html#PROG6
(Although this particular call shouldn't fail.)

if (!EC_KEY_generate_key(eckey)){ //Pick some random private and
public keys
printf("error generate key\n");
return 1;
}
/**
Okay now get that private key bytes
***/
len= i2d_ECPrivateKey(eckey,NULL);
printf("PRIVATE KEY LENGTH is %d \n",len);
buf = OPENSSL_malloc(len); // malloc(len);
memset(buf,0, len);
ret= i2d_ECPrivateKey(eckey,&buf);
if (!ret){
printf("Private key to DER failed now WHAT?\n");
return 1;
}

Aside: memset isn't needed.

//dumpy them let see what it is out of curiosity
printf("PRIVATE KEY is success\n");
for (int i=0; i<len; i++)
printf("%X ",buf[i]);
printf("\n\n");

Aside: fixed-width %02X (or %02x) is more usual.
But buf is wrong at this point, see below.

//Now lets see if this is valid and convert it back
//
eckey = d2i_ECPrivateKey(&eckey, (const unsigned char
**)&buf, len);
if (eckey==NULL){
printf("going back failed DER to i \n");
return 1;
}

i2d_anything(,&ptr) moves the pointer past the output data,
so at this point buf is pointing at garbage. To do d2i,i2d
in the same stretch of code (which is unusual) you need to
save the original pointer value and (re)use that.

return 0;
}

There are no i2d/d2i for ECPublicKey, but the similar i2o/o2i
behave in the same fashion and should have given you the same
problem. Although there is less redundancy in the publickey
encoded value (only a few bits in the flag byte, everything else
is just a bignum and any value appears valid) so maybe you just
didn't notice the error. If the output and input are in different
routines, or different programs, as is their normal use, you will
use different pointer variable and they work.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org