On Fri, Jan 13, 2017 at 01:06:10PM -0500, Ken Goldman wrote:

> I gather now that there are two -pkeyopt:

Yes.

> ec_paramgen_curve
> ec_param_enc
>
> I tried prime256v1 for each, and also named_curve and explicit
> for the second, in many combinations.

Easier to read the documentation and use the appropriate value.

> It's also not 100% clear whether I specify -pkeyopt each time, or once and
> then pairs of opt:value.

Each time.

> In all combinations, I now get:
>
> openssl genpkey -out cakeyecc.pem -outform pem -pass pass:rrrr -aes256
> -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 ec_param_enc:explicit
> -text

The explicit "-outform PEM" argument is not needed, but harmless:

    $ openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr \
        -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -pkeyopt ec_param_enc:named_curve -text
    $ cat cakeyecc.pem
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAhn8FHW0643QQICCAAw
    HQYJYIZIAWUDBAEqBBCtTYP4h4/2PTEfN1fVJnpHBIGQ3RHX/KUQwncg9MK5aF7H
    p0qQplxOKtfCOYp0iqx15IQCEv5N4SXIIKnRjvaKPHgFQN0d8x1Et0pBOaYLqIre
    zwch3VGRvvHH//qhXiYGay9xzZXraGwFFatNt9R8gyBKR7zMn/BQVWUtA8woCB//
    D/R9GGYJVr3afeay4Vr4U/kHtRUkTrkGZxRZvM2EIAsr
    -----END ENCRYPTED PRIVATE KEY-----
    Private-Key: (256 bit)
    priv:
        39:32:f7:c6:cf:fa:57:7f:9f:b0:d7:87:92:c0:93:
        36:33:9e:19:75:0c:58:f7:a0:ec:29:01:1f:c2:17:
        6a:9f
    pub:
        04:a2:2a:47:02:a3:ed:6c:e0:af:85:9f:f3:9e:f9:
        e7:e4:19:5a:49:05:09:2e:1e:40:d8:89:88:5a:2c:
        fc:dc:59:5b:27:9f:9d:00:78:d7:3d:16:68:b9:81:
        42:db:db:02:98:42:08:d9:2f:6f:e5:1d:a4:70:4f:
        1a:4e:2b:69:2f
    ASN1 OID: prime256v1
    NIST CURVE: P-256

As you can see the combination of "-aes256" and "-text" is unwise.
The "-text" form is not encrypted.

--
    Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
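
An added example, not part of the original message: shell functions that generate the key with one `-pkeyopt` per option and no `-text`, and that audit an existing key file for the plaintext dump that `-text` writes after the encrypted PEM block. The function names and the sample files are hypothetical, and the sample base64 bodies are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example (not from the thread). Sample files are constructed;
# their base64 bodies are placeholders, not real keys.

# Generate an encrypted P-256 key as in the reply, but without -text,
# so only the encrypted PEM block is written to the output file.
# $1 = output file, $2 = openssl pass phrase argument (e.g. pass:... or file:...)
gen_ec_key() {
    openssl genpkey -out "$1" -pass "$2" -aes256 -algorithm ec \
        -pkeyopt ec_paramgen_curve:prime256v1 \
        -pkeyopt ec_param_enc:named_curve
}

# Audit a key file. Exit status:
#   0 = only encrypted PEM found
#   1 = plaintext private-key material present
#   2 = no private key found
audit_key_file() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/  { enc++;   in_pem = 1; next }
        /^-----BEGIN (EC |RSA )?PRIVATE KEY-----$/ { plain++; in_pem = 1; next }
        /^-----END /                               { in_pem = 0; next }
        # Outside a PEM block these labels open the "-text" dump.
        !in_pem && /^(Private-Key:|priv:)/         { plain++ }
        END { if (plain) exit 1; if (enc) exit 0; exit 2 }
    ' "$1"
}

# Write constructed sample files into directory $1.
write_samples() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'PLACEHOLDERBASE64' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/ok.pem"
    { cat "$1/ok.pem"
      printf '%s\n' 'Private-Key: (256 bit)' 'priv:' '    00:11:22' \
          'ASN1 OID: prime256v1'; } > "$1/leaky.pem"
    printf '%s\n' 'ASN1 OID: prime256v1' > "$1/nokey.txt"
}
```

To inspect an encrypted key without writing its text form to disk, `openssl pkey -in cakeyecc.pem -text -noout` prints to the terminal after asking for the pass phrase.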