On Fri, Jan 13, 2017 at 03:26:08PM -0500, Ken Goldman wrote:
> On 1/13/2017 2:02 PM, Viktor Dukhovni wrote:
> > > parameter setting error
> > > 139854491113288:error:06089094:digital envelope
> > > routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:
> >
> > In that case, your OpenSSL library is broken, or was built without
> > EC support. Perhaps you're running the wrong openssl(1) binary.
>
> Perhaps++. The command ran on a 1.0.2 platform.
>
> > EC key creation is supported in 1.0.2:
>
> openssl version
> OpenSSL 1.0.1e-fips 11 Feb 2013
>
> The C API's seem to support EC. Perhaps the openssl binary does not?
>
> RHEL 6.7 is still at 1.0.1.
>
> Can I create the key and certificates on the 1.0.2 platform and use them
> with the C API on 1.0.1?
RedHat has in various past releases deliberately disabled EC support.
More recently they've enabled just the NIST P-256,384,521 curves.
So your software may be neutered by the vendor, however, you seem
to be using 1.0.1, while I was testing 1.0.2.
With 1.0.1 I get:
$ openssl version -a; openssl genpkey -out cakeyecc.pem -outform PEM -pass pass:rrrr -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -pkeyopt ec_param_enc:named_curve -text; cat cakeyecc.pem
OpenSSL 1.0.1v-dev xx XXX xxxx
built on: Fri Jan 13 15:35:13 2017
platform: darwin64-x86_64-cc
options: bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: cc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/Volumes/gitvol/viktor/ssl/OpenSSL_1_0_1/ssl"
parameter setting error
140735936984072:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:394:
cat: cakeyecc.pem: No such file or directory
With 1.0.1, EC support in genpkey(1) is incomplete. To encrypt
use a pipeline:
$ openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -text
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiDn5ZQFVqU2wICCAAw
HQYJYIZIAWUDBAEqBBBMxK5x8CNp29AxpTpdjjZzBIGQFcjJotTUgue5zv1ZUiJE
Fmp3LFInp0+mJmiSMM/WZUM2aALAG3xikB5xn0ENmtluiLVM+Osa5PZVj5WAisgN
DBmHRYqFoxOQPc9L8DN8dr0PDM/d7KZe3Vr4FAlkG86R/aFOOn8yBX2DepDDmvuc
aYn6abZZWe9uISi+Gk0r3Hna6cKz0K5M6ecGim6oBRg2
-----END ENCRYPTED PRIVATE KEY-----
Private-Key: (256 bit)
priv:
00:fc:ee:5b:91:0d:7b:11:c1:a3:6b:b6:45:e3:88:
12:80:08:27:77:1b:3c:ad:59:4f:cd:10:42:f7:6e:
53:4a:e9
pub:
04:82:74:1c:da:70:65:e0:2d:3f:3b:8b:e4:10:e1:
b0:60:b0:f8:59:9a:99:7d:a7:70:52:13:be:02:8d:
c4:a0:56:9b:7f:79:ae:b8:ca:61:52:8c:74:06:59:
72:10:77:6e:53:62:df:47:ef:af:64:47:97:73:cb:
a6:f0:eb:a2:24
ASN1 OID: prime256v1
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
