
Creating an ECDSA key for use with minicrypto

Christian Huitema edited this page Aug 21, 2019 · 1 revision

The minicrypto backend supports ECDSA keys. A key can be generated with an openssl command such as `openssl ecparam -noout -name secp256r1 -genkey`, but there is a little problem: OpenSSL writes the key in an elliptic-curve-specific format, for example:

```
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIHsgPF9dM+B/JUX7zPzG/3K+o5sZGhON6UgWU8HHw39aoAoGCCqGSM49
AwEHoUQDQgAE3qtCnGKxlWkYAu4WFvjxZ/pMGymlIQmpKD3R6oozR4kOyG3/6b6U
Zh5q08dUGDACOgsFQrolESmXuUJjCb0xqA==
-----END EC PRIVATE KEY-----
```

This format is not compatible with the function `ptls_minicrypto_load_private_key`, which expects the private key file to be encoded according to PKCS8. Yes, it would be convenient to fix that, but that's code, someone has to write it, and it will take time. In the meantime, the workaround is to convert the private key file from the EC format to the PKCS8 format, using a command like:

```
openssl pkcs8 -topk8 -inform pem -in .\privkey.pem -nocrypt -out privkeypkcs8.pem
```

The resulting file will look like this:

```
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgeyA8X10z4H8lRfvM
/Mb/cr6jmxkaE43pSBZTwcfDf1qhRANCAATeq0KcYrGVaRgC7hYW+PFn+kwbKaUh
CakoPdHqijNHiQ7Ibf/pvpRmHmrTx1QYMAI6CwVCuiURKZe5QmMJvTGo
-----END PRIVATE KEY-----
```

That format is compatible with `ptls_minicrypto_load_private_key`.
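The two files differ not only in their PEM label but in their DER structure (SEC1 `ECPrivateKey` versus PKCS8 `PrivateKeyInfo`), so a label check alone can be fooled by a mislabelled file. The following script is an added example, not picotls or OpenSSL code: it parses the DER of a PEM key with a minimal TLV reader, reports the container format and curve, and says whether minicrypto's loader will accept it. It uses only the Python standard library; the two PEM samples are the ones shown above and the `CURVES` table is a constructed lookup.

```python
import base64
import re

# Added example. Inputs are the two PEM files shown on this page; CURVES is a constructed lookup (dotted OID -> name).
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVES = {"1.2.840.10045.3.1.7": "secp256r1"}
SEC1_PEM = ("-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIHsgPF9dM+B/JUX7zPzG/3K+o5sZGhON6UgWU8HHw39aoAoGCCqGSM49\nAwEHoUQDQgAE3qtCnGKxlWkYAu4WFvjxZ/pMGymlIQmpKD3R6oozR4kOyG3/6b6U\n"
            "Zh5q08dUGDACOgsFQrolESmXuUJjCb0xqA==\n-----END EC PRIVATE KEY-----\n")
PKCS8_PEM = ("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgeyA8X10z4H8lRfvM\n/Mb/cr6jmxkaE43pSBZTwcfDf1qhRANCAATeq0KcYrGVaRgC7hYW+PFn+kwbKaUh\n"
             "CakoPdHqijNHiQ7Ibf/pvpRmHmrTx1QYMAI6CwVCuiURKZe5QmMJvTGo\n-----END PRIVATE KEY-----\n")

def _tlv(buf, pos):  # read one definite-length DER TLV at pos -> (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):  # decode DER OBJECT IDENTIFIER content bytes to dotted notation
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_ec_pem(pem):
    """Return the key's container format, its curve, and whether ptls_minicrypto_load_private_key accepts it."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m: raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer DER element is not a SEQUENCE")
    _, version, pos = _tlv(body, 0)
    if label == "PRIVATE KEY" and version == b"\x00":
        # PKCS8 PrivateKeyInfo: version 0, AlgorithmIdentifier {id-ecPublicKey, curve OID}, OCTET STRING key
        _, alg, _ = _tlv(body, pos)
        _, alg_oid, p = _tlv(alg, 0)
        if _oid(alg_oid) != ID_EC_PUBLIC_KEY:
            raise ValueError("PKCS8 key is not an EC key")
        curve = _oid(_tlv(alg, p)[1])
        return {"format": "pkcs8", "curve": CURVES.get(curve, curve), "minicrypto_ok": True}
    if label == "EC PRIVATE KEY" and version == b"\x01":
        # SEC1 ECPrivateKey: version 1, OCTET STRING private scalar, [0] curve OID, [1] public key
        _, _, pos = _tlv(body, pos)  # skip the raw private scalar
        curve = _oid(_tlv(_tlv(body, pos)[1], 0)[1])
        return {"format": "sec1", "curve": CURVES.get(curve, curve), "minicrypto_ok": False}
    raise ValueError(f"unrecognised PEM label {label!r} or DER version byte")
```

Running `classify_ec_pem` over a file before handing it to minicrypto turns the loader's failure into a clear "sec1, convert with `openssl pkcs8 -topk8`" message; a PKCS8 file whose algorithm is not id-ecPublicKey (an RSA key, say) is rejected rather than misread.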
