> From: owner-openssl-...@openssl.org On Behalf Of redpath
> Sent: Thursday, 13 December, 2012 10:00

> This list of commands will help you

> openssl ecparam -out ec_key.pem -name secp224r1 -genkey 
> 
> Generate the certificate x509
> Your certificate will be in ecdsapublic.x509 and 
> the corresponding private key will be in ecdsapriv.pem.
> 
>    openssl req -newkey ec:ec_key.pem -x509 -nodes -days 365 -keyout
> ecdsapriv.pem -out ecdsapublic.x509
> 
This is redundant. ecparam -genkey already generated a key.
Either use that key, maybe renamed, as in the form just below, 
or omit -genkey from the ecparam.
> 
> additional commands
>    openssl req -new -key ecdsapriv.pem -inform pem -x509 
> -days 3650 -out ecdsapriv.x509

There is no significant difference between a cert created for 
a new key with -newkey -x509 or one created for an existing key 
with -new -x509, so naming it "priv" instead of "public" is 
confusing and misleading. Since the cert is really the content 
not the format -- certs can be either pem or der -- I would 
instead name it ecdsa_cert.pem or ecdsa_x509.pem .

>  Platform: Mac OSX 10.7 
> 
>     cc -o signECDSA -Wno-deprecated-declarations signECDSA.c -lcrypto

<snip: read file, compute sha256>

>      fp =fopen(args[2], "rb");
>      EVP_PKEY *pevpkey= PEM_read_PrivateKey(fp, &pevpkey, NULL, NULL);
>      if (pevpkey==NULL){
<snip>
>      peckey= EVP_PKEY_get1_EC_KEY(pevpkey); 
>      if (peckey==NULL){
<snip>
>     ret= EC_KEY_set_group(peckey,EC_GROUP_new_by_curve_name(curvetype) );

The key already identifies (or contains, if explicit) the group.
Setting it again to the correct value is a waste of time, 
and setting it to a wrong value would screw it up totally.
If for some reason you want to ensure a key uses a particular 
(named) group, *get* the "name" (really NID) and compare it.

<snip>

>     cc -o verifyECDSA -Wno-deprecated-declarations 
> verifyECDSA.c -lcrypto
> 
<snip similar except publickey from cert>

Minor point:

>     unsigned char *b= (unsigned char *) malloc(avail+1);
>     if (fread (b,1,avail,fp)!=avail){

You don't need to cast the return of malloc in correct C 
but you should check for failure (null) before using it.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org