On Fri, Jan 13, 2017 at 01:49:14PM -0500, Ken Goldman wrote:

> On 1/13/2017 1:21 PM, Viktor Dukhovni wrote:
> > On Fri, Jan 13, 2017 at 06:18:51PM +0000, Viktor Dukhovni wrote:
> >
> Still no success. I think this is exactly what you suggested, and something
> I had already tried.
>
> openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256
> -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt
> ec_param_enc:named_curve -text
>
> parameter setting error
> 139854491113288:error:06089094:digital envelope
> routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:

In that case, your OpenSSL library is broken, or was built without
EC support. Perhaps you're running the wrong openssl(1) binary.

> https://www.openssl.org/docs/man1.0.2/apps/genpkey.html
>
> Could it be that 1.0.2 doesn't support creation of EC keys?

EC key creation is supported in 1.0.2:

    $ openssl version -a; openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -text; cat cakeyecc.pem
    OpenSSL 1.0.2j 26 Sep 2016
    built on: reproducible build, date unspecified
    platform: NetBSD-x86_64
    options: bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) blowfish(ptr2)
    compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -O2 -I/usr/include -Wa,--noexecstack -DTERMIOS -DL_ENDIAN -DMD32_REG_T=int -O2 -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/usr/pkg/etc/openssl"
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAj2P6Eun6xu+QICCAAw
    HQYJYIZIAWUDBAEqBBCLkrjwPqdzyGUnq+FZmAXKBIGQYc6Ug3yc5JbhkUmNmtPm
    8An/0hE1ErvedRQFk0yyfUTiX/cHcuTkm5S5ZJlE4jtDJRidc3TxX59yTa6blZbp
    EilWzrACBO0POWeUsN0SnYAwHfaQ7dRKfoK0xmZJMRclzd9C62f64e/0Q2v1xdvj
    oMyg7aiK2fa1DdXdkDeB0j3Cnpo4x24ZY1De870LOkd/
    -----END ENCRYPTED PRIVATE KEY-----
    Private-Key: (256 bit)
    priv:
        63:c2:97:81:a3:bc:4f:10:cc:ca:68:70:bf:a3:fa:
        da:e3:fd:7d:d2:9f:88:b9:4b:bf:11:ac:4b:9c:b5:
        d4:c2
    pub:
        04:96:5d:78:a2:7b:60:b3:9c:67:7d:d7:19:68:4e:
        4e:7b:a4:75:46:31:b1:f6:76:28:86:fe:9a:56:9c:
        bc:3c:4b:37:0b:3b:0c:24:ed:2b:d1:8f:85:92:0f:
        6e:48:9d:49:2c:7b:e7:7c:df:94:8a:9d:4b:f8:bc:
        25:82:cb:50:22
    ASN1 OID: prime256v1
    NIST CURVE: P-256

The documentation of genpkey(1) was improved in 1.1.0, perhaps some
of the improvements should be backported. Pull requests welcome.

-- 
	Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
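
A quick check for the two causes suggested in the message above (the wrong openssl(1) binary on PATH, or a build without EC support), as an added example that is not part of the original message. The function names and the temporary output directory are assumptions; the genpkey options are the ones used in the thread.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread): identify the openssl(1)
# binary in use and confirm it can generate the P-256 key discussed above.

# Print the resolved path and version banner of the first openssl on PATH.
openssl_identity() {
    command -v openssl || return 1
    openssl version
}

# Succeed only if this build lists the named curve (EC support compiled in).
has_curve() {
    openssl ecparam -list_curves 2>/dev/null | grep -q "^ *$1 *:"
}

# Generate an encrypted EC key with the thread's options, then decrypt and
# re-parse it. Prints the "ASN1 OID" line of the parsed key on success.
# Note: "pass:" puts the passphrase on argv, visible in process listings;
# for real keys prefer the env: or file: passphrase sources.
gen_and_check() {
    curve=$1; out=$2; pass=$3
    openssl genpkey -out "$out" -outform PEM -pass "pass:$pass" -aes256 \
        -algorithm ec -pkeyopt "ec_paramgen_curve:$curve" \
        -pkeyopt ec_param_enc:named_curve || return 1
    openssl pkey -in "$out" -passin "pass:$pass" -noout -text |
        grep 'ASN1 OID'
}

# Run all checks in order, stopping at the first one that explains a failure.
diagnose() {
    openssl_identity || { echo "no openssl on PATH" >&2; return 1; }
    has_curve prime256v1 || { echo "this build lacks prime256v1" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    gen_and_check prime256v1 "$tmp/cakeyecc.pem" rrrr   # throwaway passphrase
    rc=$?
    rm -rf "$tmp"
    return $rc
}

diagnose
```

If the path printed first is not the installation you expected, compare it with the other openssl binaries on the system before suspecting the library itself.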