EC private key generation problem
Hi,

On Windows 7 with OpenSSL 1.0.1e, I get the following output:

$ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1
parameter setting error
3512:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:.\crypto\evp\pmeth_lib.c:404

Is this a bug? what's the correct commandline?

Note: I sent this before and after subscription. Sorry if multiple copies have arrived..

Re: EC private key generation problem
On Fri, Nov 08, 2013, Serhat Sevki Dincer wrote:

> Hi,
>
> On Windows 7 with OpenSSL 1.0.1e, I get the following output:
>
> $ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1
> parameter setting error
> 3512:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:.\crypto\evp\pmeth_lib.c:404
>
> Is this a bug? what's the correct commandline?

It's more a missing feature than a bug. For OpenSSL 1.0.1 and below you have to generate parameters for EC in the same way as DSA/DH. For example:

openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1 -out ecp.pem
openssl genpkey -paramfile ecp.pem

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

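Steve's two-step route above as a script, with the output file, cipher and passphrase options from the original command line; this is an added example, not code from the thread or from the OpenSSL project. gen_ec_key, key_curve, is_encrypted and the KEY_PASS variable are hypothetical names, and an openssl binary on PATH is assumed.

```shell
#!/bin/sh
# Added example. Two-step EC key generation for OpenSSL 1.0.1 and below,
# where the curve has to be set while generating parameters, not the key.
# gen_ec_key, key_curve, is_encrypted and KEY_PASS are hypothetical names.

# gen_ec_key CURVE OUTFILE
# The passphrase is read from the exported variable KEY_PASS (env:), so it
# never appears on a command line.
gen_ec_key() {
    [ -n "${KEY_PASS:-}" ] || { echo "KEY_PASS must be exported" >&2; return 2; }
    (
        umask 077                         # owner-only key and temp file
        params=$(mktemp) || exit 1
        trap 'rm -f "$params"' EXIT
        # Step 1: curve parameters only.
        openssl genpkey -genparam -algorithm EC \
            -pkeyopt "ec_paramgen_curve:$1" -out "$params" || exit 1
        # Step 2: key from the parameter file, written encrypted (PKCS#8).
        openssl genpkey -paramfile "$params" -aes128 \
            -pass env:KEY_PASS -out "$2" || exit 1
    )
}

# key_curve KEYFILE: decrypt with KEY_PASS and print the curve name.
key_curve() {
    openssl pkey -in "$1" -passin env:KEY_PASS -noout -text |
        sed -n 's/^ASN1 OID: *//p'
}

# is_encrypted KEYFILE: true if the PEM header marks an encrypted key.
is_encrypted() {
    head -n 1 "$1" | grep -q 'BEGIN ENCRYPTED PRIVATE KEY'
}
```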
Re: EC private key generation problem
On Fri, Nov 08, 2013 at 01:37:21PM +0200, Serhat Sevki Dincer wrote:

> On Windows 7 with OpenSSL 1.0.1e, I get the following output:
>
> $ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1
> parameter setting error
> 3512:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:.\crypto\evp\pmeth_lib.c:404
>
> Is this a bug? what's the correct commandline?

This is a bug, it is fixed on the OpenSSL master branch. The fix for 1.0.1e is to apply the same change.

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index dfe8710..50cf8c1 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -960,7 +960,8 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); #endif #define EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \ + EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, \ EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL)

If someone on OpenSSL team adopts the above, they may as well also apply the below fix which silences a compiler warning about a potentially uninitialized variable 'i':

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 5a421fc..f562181 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -477,13 +477,12 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, EVP_CIPHER_CTX_cleanup(ctx); OPENSSL_cleanse((char *)buf,sizeof(buf)); OPENSSL_cleanse((char *)key,sizeof(key)); - j+=i; if (!o) { PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT); return(0); } - *plen=j; + *plen=j + i; return(1); }

--
Viktor.

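Review bot: In the ec.h hunk, the operation mask of EVP_PKEY_CTX_set_ec_paramgen_curve_nid is widened inside a header macro, so the fix only reaches callers that are rebuilt against the patched ec.h; that deserves a line in the commit message. The macro name still says paramgen although the call is now also accepted for EVP_PKEY_OP_KEYGEN, so a short comment above the #define stating that it is valid for both parameter and key generation would keep readers from treating it as paramgen-only.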
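Review bot: In the PEM_do_header hunk, i is now read only in "*plen=j + i;" after the "if (!o)" early return, which quiets the warning but leaves the correctness argument implicit: nothing in the visible lines shows that i is always assigned when o is non-zero. Initialising i to 0 at its declaration, or a one-line comment stating that invariant, would make it explicit. On style, the surrounding code writes assignments without spaces ("*plen=j;", "j+=i;"), so "*plen=j+i;" would match the file.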
Re: EC private key generation problem
On Fri, Nov 08, 2013 at 01:37:21PM +0200, Serhat Sevki Dincer wrote:

> what's the correct commandline?

You can alternatively generate EC keys with ecparam(1):

$ umask 077
$ openssl ecparam -genkey -name prime256v1 | openssl pkey -aes128 -out priv.pem

--
Viktor.