genpkey usage for openssl-1.0.1k on openSUSE-13.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: openssl-users On Behalf Of openssl at lists.killian.com
> Sent: Wednesday, February 18, 2015 13:26

> I noticed that openssl(1) says that various things have been superseded by
> genpkey, so I tried changing my scripts to use it. It works fine for RSA,
but the
> man page is not very helpful on EC. I tried
> 
>     openssl genpkey -out key.new -algorithm EC -pkeyopt
> ec_paramgen_curve:secp384r1
> 
> and got
> 
>     parameter setting error
>     139638314907280:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:
<snip>

genpkey has a standard idea, across all algorithms that have parameters 
(which RSA does not), to generate parameters and key(s) as separate 
steps with a file in between. For DSA and DH this is good; you may want 
to generate your own params, or you may want to use existing ones 
(in an existing file) e.g. Oakley or SSH-non-GEX. For EC it makes less
sense, 
as generating your own curve is complicated (OpenSSL certainly doesn't do
it) 
and in practice everyone* uses the named curves. Nonetheless you still do:

openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
openssl genpkey -paramfile pfile >keyfile 

Depending on your OS and shell you may be able to combine these like
openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0
or openssl genpkey -paramfile <<<$(openssl genpkey -genparam)

* Well, everybody except the crowd around Dan Bernstein, and they use 
non-Weierstrauss curves that OpenSSL can't even represent (now?).




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux