Well here is one I can answer. First I generate the ECDSA keys
This list of commands will help you
Show the type of curves:
openssl ecparam -list_curves
Use the secp224r1 curve
openssl ecparam -out ec_key.pem -name secp224r1 -genkey
Generate the certificate x509
Your certificate will be in ecdsapublic.x509 and
the corresponding private key will be in ecdsapriv.pem.
openssl req -newkey ec:ec_key.pem -x509 -nodes -days 365 -keyout
ecdsapriv.pem -out ecdsapublic.x509
addition commands
openssl req -new -key ecdsapriv.pem -inform pem -x509 -days 3650 -out
ecdsapriv.x509
openssl x509 -in ecdsapriv.x509 -noout -text
Then I have code to sign something reading a file also the compile command
is below.
Platform: Mac OSX 10.7
cc -o signECDSA -Wno-deprecated-declarations signECDSA.c -lcrypto
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
/***
* Get the data form a file and return a malloced buffer and size.
**/
unsigned char *getdata(char *filename, int *length){
FILE *fp =fopen(filename, "rb");
long avail;
*length=0;
if (fp==(FILE *)0){
printf("Get Data JPG %s File error %d\n",filename,errno);
return NULL;
}
fseek(fp, 0L, SEEK_END);
avail = ftell(fp);
fseek(fp, 0L, SEEK_SET);
unsigned char *b= (unsigned char *) malloc(avail+1);
if (fread (b,1,avail,fp)!=avail){
printf("INPUT JPG fail %s read error %d\n",filename, errno);
return NULL;
}
b[avail]=0; // added one byte for debug if you use a text file
*length=(int)avail; // but length returned is true length of data
fclose(fp);
return b;
}
/**
* Simple help
*/
void help(){
printf("\n");
printf("Usage <signfile> <private PEM key>\n");
printf("eg:\n");
printf("signECDSA myfile.doc ecdsapriv.pem\n\n");
}
unsigned char *sha256(char *data, int length)
{
static unsigned char hash[SHA256_DIGEST_LENGTH];
printf("******SHA2 digest follows length=%d:\n",length);
SHA256_CTX sha256;
SHA256_Init(&sha256);
SHA256_Update(&sha256, data, length);
SHA256_Final(hash, &sha256);
int i = 0;
for(i = 0; i < SHA256_DIGEST_LENGTH; i++)
printf("%02x", hash[i]);
printf("\n");
return hash;
}
int main(int argc, char **args){
char buffer[256];
long avail;
int len;
unsigned char *b,*m;
FILE *fp;
int ret;
EC_KEY *peckey; //I want to load private
int curvetype= NID_secp224r1; //FYI redpath
char *curvename= "NID_secp224r1";
if (argc<3){
help();
return 0;
}
printf("\n");
if ( (m= getdata(args[1],&len))==NULL)
return 1;
printf("\nUSING CURVENAME: %s\n",curvename);
printf("INPUT file %s length %d \n",args[1],len);
/***
Make a digest from Data
****/
unsigned char *result=sha256((char *)m,len);
if (result==NULL){
printf("SHA1 failed to create message digest\n");
return 1;
}
//private area
fp =fopen(args[2], "rb");
EVP_PKEY *pevpkey= PEM_read_PrivateKey(fp, &pevpkey, NULL, NULL);
if (pevpkey==NULL){
printf("PEM for read private failed\n");
return 1;
}
else
printf("PEM for read private SUCCESS\n");
peckey= EVP_PKEY_get1_EC_KEY(pevpkey);
if (peckey==NULL){
printf("ECKEY private failed\n");
return 1;
}
else
printf("got EC_KEY private success\n");
ret= EC_KEY_set_group(peckey,EC_GROUP_new_by_curve_name(curvetype) );
if (!ret){
printf("error set group\n");
return 1;
}
printf("set group ret = %d \n",ret);
unsigned int siglen = ECDSA_size(peckey);
printf("Max signature length is %d \n",siglen);
siglen = ECDSA_size(peckey);
unsigned char *ptr = OPENSSL_malloc(siglen);
unsigned char *save= ptr;
ECDSA_SIG *sig;
ret= ECDSA_sign(0 ,result, SHA256_DIGEST_LENGTH, ptr, &siglen, peckey);
//Do sign it dude
if (!ret){
printf("ERROR signing null\n");
return 1;
}
printf(" Signature success \n");
printf("Signature length is %d \n",siglen);
/**
* Write out Digital Signature File
*
***/
strcpy(buffer,args[1]);
strcat(buffer,".ecdsa");
fp = fopen(buffer,"wb");
fwrite(save, 1, siglen, fp);
fclose(fp);
printf("OUTPUT signature file is %s\n\n",buffer);
return 0;
}
Then I have code to verify the file against the original that was signed
Platform: Mac OSX 10.7
cc -o verifyECDSA -Wno-deprecated-declarations verifyECDSA.c -lcrypto
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
/***
* Get the data form a file and return a malloced buffer and size.
**/
unsigned char *getdata(char *filename, int *length){
FILE *fp =fopen(filename, "rb");
long avail;
*length=0;
if (fp==(FILE *)0){
printf("Get Data JPG %s File error %d\n",filename,errno);
return NULL;
}
fseek(fp, 0L, SEEK_END);
avail = ftell(fp);
fseek(fp, 0L, SEEK_SET);
unsigned char *b= (unsigned char *) malloc(avail+1);
if (fread (b,1,avail,fp)!=avail){
printf("INPUT JPG fail %s read error %d\n",filename, errno);
return NULL;
}
b[avail]=0; // added one byte for debug if you use a text file
*length=(int)avail; // but length returned is true length of data
fclose(fp);
return b;
}
/**
* Simple help
*/
void help(){
printf("\n");
printf("Usage <filename> <signature> <X509 ECkey certificate>\n");
printf("eg:\n");
printf("verifyECDSA myfile.doc myfile.doc.signed ecdsapublic.x509
\n\n");
}
unsigned char *sha256(char *data, int length)
{
static unsigned char hash[SHA256_DIGEST_LENGTH];
printf("******SHA2 digest follows length=%d:\n",length);
SHA256_CTX sha256;
SHA256_Init(&sha256);
SHA256_Update(&sha256, data, length);
SHA256_Final(hash, &sha256);
int i = 0;
for(i = 0; i < SHA256_DIGEST_LENGTH; i++)
printf("%02x", hash[i]);
printf("\n");
return hash;
}
int main(int argc, char **args){
char buffer[256];
long avail;
int len,siglen;
unsigned char *m;
unsigned char *sig;
FILE *fp;
int ret;
EC_KEY *pubeckey; //I want to load private
int curvetype= NID_secp224r1; //FYI redpath
char *curvename= "NID_secp224r1";
if (argc<4){
help();
return 0;
}
printf("\nUSING CURVENAME: %s\n",curvename);
printf("\n");
if ( (m= getdata(args[1],&len))==NULL)
return 1;
printf("INPUT file %s length %d \n",args[1],len);
/***
Make a digest from Data
****/
unsigned char *result=sha256((char *)m,len);
if (result==NULL){
printf("SHA1 failed to create message digest\n");
return 1;
}
printf("open signature file %s \n",args[2]);
if ( (sig= getdata(args[2],&siglen))==NULL)
return 1;
//Get X509
printf("open X509 file [%s]\n",args[3]);
fp =fopen(args[3], "rb");
if (fp==NULL){
printf("null file open %s\n",args[3]);
exit(1);
}
X509 *x509= PEM_read_X509(fp,&x509, NULL, NULL); //its public there is no
password
if (x509==NULL){
printf("X509 is null \n");
}else
printf("open X509 success\n");
fclose(fp);
EVP_PKEY *evpkey = X509_get_pubkey(x509);
pubeckey= EVP_PKEY_get1_EC_KEY(evpkey);
if (pubeckey==NULL)
printf("ECKEY is null\n");
else
printf("got EC_KEY PUBLIC\n");
ret= EC_KEY_set_group(pubeckey,EC_GROUP_new_by_curve_name(curvetype) );
if (!ret){
printf("error set group\n");
return 1;
}
printf("set group ret = %d \n",ret);
printf("attempt to verify\n");
ret = ECDSA_verify(0, result,SHA256_DIGEST_LENGTH, sig, siglen, pubeckey);
printf("verify %d \n",ret);
if (ret == -1){
printf("signature error in verify\n");
}
else if (ret == 0){
printf(" incorrect signature \n");
}
else /* ret == 1 */{
printf("signature ok \n");
}
return 0;
}
Nothing like real code to work with.
I never did get my How to package a signature in a PKCS7 file,
I abstracted code but yet not real code answer that worked.
--
View this message in context:
http://openssl.6102.n7.nabble.com/Help-in-loading-EC-KEY-tp42700p42706.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
