EC private key generation problem

2013-11-08 Thread Serhat Sevki Dincer
Hi,
On Windows 7 with OpenSSL 1.0.1e, I get the following output:

$ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1

parameter setting error 3512:error:06089094:digital envelope
routines:EVP_PKEY_CTX_ctrl:invalid operation:.\crypto\evp\pmeth_lib.c:404

Is this a bug? What's the correct command line?

Note: I sent this before and after subscription. Sorry if multiple copies
have arrived.


Re: EC private key generation problem

2013-11-08 Thread Dr. Stephen Henson
On Fri, Nov 08, 2013, Serhat Sevki Dincer wrote:

> Hi,
> On Windows 7 with OpenSSL 1.0.1e, I get the following output:
>
> $ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1
>
> parameter setting error 3512:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:.\crypto\evp\pmeth_lib.c:404
>
> Is this a bug? What's the correct command line?

It's more a missing feature than a bug. For OpenSSL 1.0.1 and below you have
to generate parameters for EC in the same way as DSA/DH. For example:

openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1 -out ecp.pem
openssl genpkey -paramfile ecp.pem

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: EC private key generation problem

2013-11-08 Thread Viktor Dukhovni
On Fri, Nov 08, 2013 at 01:37:21PM +0200, Serhat Sevki Dincer wrote:

> On Windows 7 with OpenSSL 1.0.1e, I get the following output:
>
> $ openssl.exe genpkey -out priv.pem -aes128 -algorithm EC -pkeyopt ec_paramgen_curve:secp224r1
>
> parameter setting error 3512:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:.\crypto\evp\pmeth_lib.c:404
>
> Is this a bug? What's the correct command line?

This is a bug; it is fixed on the OpenSSL master branch.  The fix for
1.0.1e is to apply the same change.

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index dfe8710..50cf8c1 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -960,7 +960,8 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off);
 #endif
 
 #define EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid) \
-   EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \
+   EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+   EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, \
EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL)
 
 

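Review bot: In the EVP_PKEY_CTX_set_ec_paramgen_curve_nid macro, adding EVP_PKEY_OP_KEYGEN to the operation mask only lets the ctrl through the operation check that produced the reported "invalid operation" error; nothing in this hunk shows the EC keygen code picking up a curve NID set this way when no parameters were loaded. If the 1.0.1 keygen path still expects parameters from a file, the one-step genpkey command would fail later instead, so the backport should either include the matching keygen-side change or state that it is already present, and a test running the reported command line would confirm it. A short comment above the macro saying the ctrl is valid for both paramgen and keygen would also help callers.
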
If someone on the OpenSSL team adopts the above, they may as well also
apply the below fix, which silences a compiler warning about a
potentially uninitialized variable 'i'.

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 5a421fc..f562181 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -477,13 +477,12 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char 
*data, long *plen,
EVP_CIPHER_CTX_cleanup(ctx);
OPENSSL_cleanse((char *)buf,sizeof(buf));
OPENSSL_cleanse((char *)key,sizeof(key));
-   j+=i;
if (!o)
{
PEMerr(PEM_F_PEM_DO_HEADER,PEM_R_BAD_DECRYPT);
return(0);
}
-   *plen=j;
+   *plen=j + i;
return(1);
}
 

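Review bot: The new `*plen=j + i;` still reads i, so moving the addition below the `if (!o)` check removes the warning only if i is always assigned whenever o is nonzero, and the lines that assign i and o are outside this hunk. Initialising i where it is declared would make that independent of the compiler's flow analysis; if the reordering is kept, a one-line comment on why the sum is deferred would stop it being folded back into `j+=i`. The spacing in `j + i` also differs from the unspaced style of the surrounding lines, where it would read `*plen=j+i;`.
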
-- 
Viktor.


Re: EC private key generation problem

2013-11-08 Thread Viktor Dukhovni
On Fri, Nov 08, 2013 at 01:37:21PM +0200, Serhat Sevki Dincer wrote:

> what's the correct commandline?

You can alternatively generate EC keys with ecparam(1):

$ umask 077
$ openssl ecparam -genkey -name prime256v1 |
openssl pkey -aes128 -out priv.pem

-- 
Viktor.
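
The replies above give two genpkey routes to a passphrase-protected EC key: the one-step form, which needs the fix or a later release, and the two-step parameter-file form for 1.0.1 and below. As an added example that is not from the thread or the OpenSSL project, this POSIX shell function tries the first and falls back to the second; the function names and the EC_KEY_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Passphrase comes from the environment
# variable EC_KEY_PASS (a name chosen for this example), so it never appears
# in the process argument list.

# gen_ec_key CURVE OUTFILE -> writes an AES-128 encrypted private key
gen_ec_key() (
    curve=$1; out=$2
    [ -n "${EC_KEY_PASS:-}" ] || { echo "EC_KEY_PASS is not set" >&2; exit 2; }
    umask 077   # key and parameter files readable by the owner only

    # One-step form from the original question. On 1.0.1 and below this
    # is the call that fails with "invalid operation".
    openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$curve" \
        -aes128 -pass env:EC_KEY_PASS -out "$out" 2>/dev/null && exit 0

    # Two-step form from the reply: generate parameters, then the key.
    params=$(mktemp) || exit 1
    if openssl genpkey -genparam -algorithm EC \
           -pkeyopt "ec_paramgen_curve:$curve" -out "$params" &&
       openssl genpkey -paramfile "$params" \
           -aes128 -pass env:EC_KEY_PASS -out "$out"
    then rc=0
    else rc=1
    fi
    rm -f "$params"
    exit "$rc"
)

# key_curve KEYFILE -> prints the named curve stored in the key, which also
# proves the file decrypts with the passphrase in EC_KEY_PASS.
key_curve() {
    openssl pkey -in "$1" -passin env:EC_KEY_PASS -noout -text |
        sed -n 's/^ *ASN1 OID: *//p'
}

# key_is_encrypted KEYFILE -> succeeds if the PEM header marks it encrypted
key_is_encrypted() {
    grep -q 'ENCRYPTED PRIVATE KEY' "$1"
}
```

Typical use: `EC_KEY_PASS=... gen_ec_key secp224r1 priv.pem`, then `key_curve priv.pem` to confirm the curve before the key is put into service.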