Re: ECC keypair generation with password
> From: Viktor Dukhovni
>
> > In the script, I used this:
> >
> > openssl ec -aes128 -passout pass: -in tmpecprivkeydec.pem -out tmpecprivkey.pem
>
> I try to avoid putting sensitive information in command-line arguments.
>
> If you're using "bash" (which has "printf" as a built-in) you could use:
>
> -passout file:<(printf "\n")
>
> which does not create any processes with the password in the argument vector.
> Example:
>
> $ openssl enc -aes128 -pass file:<(printf "\n") <<EOF | openssl enc -d -aes128 -pass file:<(printf "\n")
> > foobar
> > EOF
> foobar

Understood, but this is just for a regression test script. Thanks.
Re: ECC keypair generation with password
> On Mar 25, 2019, at 1:53 PM, Kenneth Goldman wrote:
>
> > $ openssl ec -aes128 <<EOF
>
> This was the piece I was missing. Thanks.
>
> In the script, I used this:
>
> openssl ec -aes128 -passout pass: -in tmpecprivkeydec.pem -out tmpecprivkey.pem

I try to avoid putting sensitive information in command-line arguments.

If you're using "bash" (which has "printf" as a built-in) you could use:

-passout file:<(printf "\n")

which does not create any processes with the password in the argument vector.
Example:

$ openssl enc -aes128 -pass file:<(printf "\n") <<EOF | openssl enc -d -aes128 -pass file:<(printf "\n")
> foobar
> EOF
foobar

-- 
Viktor.
RE: ECC keypair generation with password
> From: Michael Wojcik
> Sent: Thursday, February 28, 2019 15:55
>
> Have you tried just changing the PEM header and footer? ...

Whoops. Just saw Viktor's response. Never mind.

-- 
Michael Wojcik
Distinguished Engineer, Micro Focus
RE: ECC keypair generation with password
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Ken Goldman
> Sent: Thursday, February 28, 2019 15:06
>
> I've been using this command to generate a password protected ECC keypair.
>
> openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -passout pass:passwd -text > tmpecprivkey.pem
> ...
> Now I must send the PEM file to a crypto library that does not support
> -----BEGIN ENCRYPTED PRIVATE KEY-----
>
> It expects
> -----BEGIN EC PRIVATE KEY-----
>
> Its parser does accept a password.
>
> Is there a way to generate that PEM file? I.e.
>
> A password protected ECC keypair in -----BEGIN EC PRIVATE KEY----- format

You don't say what version of OpenSSL you're using.

Have you tried just changing the PEM header and footer? OpenSSL doesn't like that (it expects an unencrypted EC keypair for "EC PRIVATE KEY"), but maybe this other library does.

Are you sure the other library is expecting an encrypted key? Have you tried with an unencrypted one, but using the "EC PRIVATE KEY" header/footer?

-- 
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: ECC keypair generation with password
On Thu, Feb 28, 2019 at 03:05:43PM -0500, Ken Goldman wrote:

> The output is a
> -----BEGIN ENCRYPTED PRIVATE KEY-----

This is PKCS8, which is the non-legacy private key format that should be used by modern libraries. This is for example output by:

$ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -aes128
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgWnV30Y37QvAICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEMx8xGM1W+W4JdPET0xj0MAEgZAp
9XvYDcsnokrXBoyWqFF73VeT/4ALgS+StQQK/84qzqjOKSUeteLiDoHkyH2GUYue
WILJh+3MoqRRGyGPGaznI7yT2fCSUJNGZsvEDd8ILYGpvkS8ssfa/WXWZ0d4jwXr
VE05VWx424ospaKPz8E5wsvpfuqB3/CxFnD0WUTa1cY/oLkwAUem/ps4iMWoIP8=
-----END ENCRYPTED PRIVATE KEY-----

[ The password is "sesame", if you want to test using the above key. ]

> Now I must send the PEM file to a crypto library that does not support
>
> It expects
> -----BEGIN EC PRIVATE KEY-----

That's the legacy algorithm-specific format, your library is rather dated.

> Its parser does accept a password.
>
> Is there a way to generate that PEM file? I.e.

$ openssl ec -aes128 <<EOF
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgWnV30Y37QvAICCAAw
> DAYIKoZIhvcNAgkFADAdBglghkgBZQMEAQIEEMx8xGM1W+W4JdPET0xj0MAEgZAp
> 9XvYDcsnokrXBoyWqFF73VeT/4ALgS+StQQK/84qzqjOKSUeteLiDoHkyH2GUYue
> WILJh+3MoqRRGyGPGaznI7yT2fCSUJNGZsvEDd8ILYGpvkS8ssfa/WXWZ0d4jwXr
> VE05VWx424ospaKPz8E5wsvpfuqB3/CxFnD0WUTa1cY/oLkwAUem/ps4iMWoIP8=
> -----END ENCRYPTED PRIVATE KEY-----
> EOF
read EC key
Enter PEM pass phrase:
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,28ADEB740F62A9F41B2AAE09B53CD433

WbSfKUDAWwz8/6mAH9fuiBbCHrNwb7hnoRz7rfaoJ9QU5VzxZtwuZhGnAw/nKfsy
b/GHtWa4ghtHf9QofQWuJukeMrC2/KAO+8K1qRsUtcH3KFsaVLcKrDk9plQ2lGdr
qh3IX8vzPi+YZbdtquSse84g5GNMSE/Urv2bGdZH278=
-----END EC PRIVATE KEY-----

[ The password is still "sesame" ]

-- 
Viktor.
ECC keypair generation with password
I've been using this command to generate a password protected ECC keypair.

openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -passout pass:passwd -text > tmpecprivkey.pem

The output is a
-----BEGIN ENCRYPTED PRIVATE KEY-----

which I parsed using

PEM_read_PrivateKey(pemKeyFile, NULL, NULL, (void *)password);
*ecKey = EVP_PKEY_get1_EC_KEY(evpPkey);
privateKeyBn = EC_KEY_get0_private_key(ecKey);

Now I must send the PEM file to a crypto library that does not support
-----BEGIN ENCRYPTED PRIVATE KEY-----

It expects
-----BEGIN EC PRIVATE KEY-----

Its parser does accept a password.

Is there a way to generate that PEM file? I.e.

A password protected ECC keypair in -----BEGIN EC PRIVATE KEY----- format