On Mon, Jun 05, 2023 at 09:17:18AM -0400, Robert Moskowitz wrote:

> is there a way in genkey to create an ECDSA P-256 in compressed format
> (now that the patent is well expired)?
>
> I have been looking at openssl docs for genkey, but not seeing it and
> how to then create the proper PEM files with the compressed value so I
> can then use openssl ca to create the certs with the public key compressed.

    $ openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 | openssl ec -conv_form compressed -out /tmp/key.pem
    $ openssl req -x509 -new -subj / -key /tmp/key.pem -out /tmp/cert.pem
    $ openssl x509 -in /tmp/cert.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                07:2e:36:b8:ce:43:2d:07:82:b9:0c:c3:d0:4a:c7:e1:4f:11:f8:10
            Signature Algorithm: ecdsa-with-SHA256
            Issuer:
            Validity
                Not Before: Jun 5 13:44:44 2023 GMT
                Not After : Jul 5 13:44:44 2023 GMT
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        02:ad:13:9c:0c:46:10:b6:56:84:02:dc:ba:38:da:
                        2f:25:00:1b:67:51:6d:22:b9:e3:d9:64:92:7a:f7:
                        da:3b:7a
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    25:6C:7C:DB:39:52:3F:02:60:B6:4F:CD:C3:48:16:36:2D:B3:EE:9A
                X509v3 Authority Key Identifier:
                    keyid:25:6C:7C:DB:39:52:3F:02:60:B6:4F:CD:C3:48:16:36:2D:B3:EE:9A
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: ecdsa-with-SHA256
            30:45:02:21:00:9b:88:e7:e5:3c:d4:77:54:54:41:fa:2d:ed:
            2e:cb:67:57:1c:7a:13:0e:c9:cc:10:4d:a3:0e:a3:04:8d:65:
            70:02:20:5a:7c:0f:51:d5:40:10:1d:d6:7f:88:eb:99:d8:75:
            9c:c9:d4:9e:3d:9d:e4:3c:51:0f:7f:e2:48:46:4b:dc:bc

Note that support for compressed EC keys is optional:

    https://www.rfc-editor.org/rfc/rfc5480#section-2.2

    Implementations of Elliptic Curve Cryptography according to this
    document MUST support the uncompressed form and MAY support the
    compressed form of the ECC public key. The hybrid form of the ECC
    public key from [X9.62] MUST NOT be used.

--
    Viktor.
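
Added example, not part of the original message and not OpenSSL code: a relying party that has to accept certificates like the one above can classify the public key point by its leading byte, reject the hybrid form that RFC 5480 forbids, and expand a compressed P-256 point to the uncompressed form every implementation must support. The function names (parse_point, compress, uncompressed) are hypothetical; the curve constants are the standard P-256 parameters.

```python
# Added example: P-256 point encodings as described in RFC 5480 section 2.2.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# "pub:" value copied from the certificate dump in the message above.
PAGE_PUB = bytes.fromhex(
    "02ad139c0c4610b6568402dcba38da2f25001b67516d22b9e3d964927af7da3b7a")

def curve_rhs(x):
    """x^3 + ax + b mod p, the right-hand side of the curve equation."""
    return (pow(x, 3, P) + A * x + B) % P

def parse_point(encoded):
    """Return (form, x, y); raise ValueError on hybrid, malformed or off-curve input."""
    if not encoded:
        raise ValueError("empty point")
    tag = encoded[0]
    if tag in (0x06, 0x07):
        raise ValueError("hybrid form MUST NOT be used (RFC 5480, 2.2)")
    if tag == 0x04 and len(encoded) == 65:
        x = int.from_bytes(encoded[1:33], "big")
        y = int.from_bytes(encoded[33:], "big")
        if x >= P or y >= P or (y * y - curve_rhs(x)) % P:
            raise ValueError("point is not on P-256")
        return "uncompressed", x, y
    if tag in (0x02, 0x03) and len(encoded) == 33:
        x = int.from_bytes(encoded[1:], "big")
        if x >= P:
            raise ValueError("x out of range")
        rhs = curve_rhs(x)
        y = pow(rhs, (P + 1) // 4, P)   # square root, valid since p % 4 == 3
        if y * y % P != rhs:
            raise ValueError("x is not the abscissa of a P-256 point")
        if (y & 1) != (tag & 1):        # tag 02 = even y, tag 03 = odd y
            y = P - y
        return "compressed", x, y
    raise ValueError("unknown tag or wrong length")

def compress(x, y):
    """33-byte compressed encoding of an affine point."""
    return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")

def uncompressed(x, y):
    """65-byte uncompressed encoding, the form RFC 5480 says MUST be supported."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

if __name__ == "__main__":
    form, x, y = parse_point(PAGE_PUB)
    print(form, uncompressed(x, y).hex())
```

Run directly, it expands the certificate's 33-byte key to its 65-byte uncompressed equivalent, which is what a peer without compressed-point support would need to be given instead.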