
I created a private key using Analog Devices' signtool. It can be found as part of "CrossCore Embedded Studio for Blackfin, SHARC and SHARC+ - Release (Rev. 2.12.0)". Link: https://www.analog.com/en/resources/evaluation-hardware-and-software/software/adswt-cces.html#software-relatedsoftware

    $ signtool genkeypair -algo ecdsa256 -outfile keychain-cces.der
    $ openssl asn1parse -inform DER -in keychain-cces.der
    0:d=0 hl=2 l= 119 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :01
    5:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:EC75CF473BF6CE76B18854B313F61956A82C4C0D7A4BB57D3270C2110D881752
    39:d=1 hl=2 l= 10 cons: cont [ 0 ]
    41:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
    51:d=1 hl=2 l= 68 cons: cont [ 1 ]
    53:d=2 hl=2 l= 66 prim: BIT STRING
    $

Based on the reference https://stackoverflow.com/questions/59552240/are-openssl-generated-pem-keys-compatible-with-erlang-crypto, I found it is an X9.62 encoded private key.

I tried to create a similar key using the OpenSSL tool.

    $ openssl ecparam -genkey -name prime256v1 -out openssl-ecdsa-private.pem
    $ cat openssl-ecdsa-private.pem
    -----BEGIN EC PARAMETERS-----
    BggqhkjOPQMBBw==
    -----END EC PARAMETERS-----
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEICTwYkKdcSTmpf+wgxBn58VoK8W13mW3xgxZPvWLyFusoAoGCCqGSM49
    AwEHoUQDQgAEroAqSJuYhV3I0vZCPrd1C7OditQ8rab2gAJrcBJbgRzdw8Uu22Mt
    DwMmFnkm8Tqh+elfkJDXoNQgA5G7tlnIeQ==
    -----END EC PRIVATE KEY-----
    $
    $ openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in openssl-ecdsa-private.pem -out openssl-ecdsa-private.der
    $ openssl asn1parse -inform DER -in openssl-ecdsa-private.der
    0:d=0 hl=3 l= 135 cons: SEQUENCE
    3:d=1 hl=2 l= 1 prim: INTEGER :00
    6:d=1 hl=2 l= 19 cons: SEQUENCE
    8:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
    17:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
    27:d=1 hl=2 l= 109 prim: OCTET STRING [HEX DUMP]:306B020101042024F062429D7124E6A5FFB0831067E7C5682BC5B5DE65B7C60C593EF58BC85BACA14403420004AE802A489B98855DC8D2F6423EB7750BB39D8AD4 3CADA6F680026B70125B811CDDC3C52EDB632D0F0326167926F13AA1F9E95F9090D7A0D4200391BBB659C879
    $

Why are the ASN.1 parse outputs of keychain-cces.der and openssl-ecdsa-private.der different?

I want to get a private key with OpenSSL similar to the one signtool generated. How do I generate it?

Thanks, GK

1 Answer


Actually that isn't an X9.62 format (I have commented to Maarten, who doesn't usually make mistakes like this). It was first defined in SECG SEC1 appendix C, and republished in RFC 5915. And you already had it: OpenSSL ecparam -genkey generates this 'traditional' format already, as long as you omit or remove the 'BEGIN/END EC PARAMETERS' block:

    $ openssl asn1parse <<@@
    > -----BEGIN EC PRIVATE KEY-----
    > MHcCAQEEICTwYkKdcSTmpf+wgxBn58VoK8W13mW3xgxZPvWLyFusoAoGCCqGSM49
    > AwEHoUQDQgAEroAqSJuYhV3I0vZCPrd1C7OditQ8rab2gAJrcBJbgRzdw8Uu22Mt
    > DwMmFnkm8Tqh+elfkJDXoNQgA5G7tlnIeQ==
    > -----END EC PRIVATE KEY-----
    > @@
    0:d=0 hl=2 l= 119 cons: SEQUENCE
    2:d=1 hl=2 l= 1 prim: INTEGER :01
    5:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:24F062429D7124E6A5FFB0831067E7C5682BC5B5DE65B7C60C593EF58BC85BAC
    39:d=1 hl=2 l= 10 cons: cont [ 0 ]
    41:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
    51:d=1 hl=2 l= 68 cons: cont [ 1 ]
    53:d=2 hl=2 l= 66 prim: BIT STRING

Since you want it in DER, you can either convert it

    openssl ec -in pemfile -outform der -out derfile

or directly generate it

    openssl ecparam -genkey -name prime256v1 -noout -outform der -out derfile
    # yes -noout AND -outform -out; that's needed to omit the parameters

    # or in 1.1.0 up (including 3.x)
    openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
      | openssl pkey -traditional -outform der -out derfile

PKCS8 format is different because it is a different format. While the SEC1 format is specific to X9/Weierstrass-style ECC, like the PKCS1 key format is specific to RSA, the PKCS8 format supports all algorithms by wrapping them in an ASN.1 SEQUENCE with an AlgorithmIdentifier (originally defined by X.509, now in RFC5280). Since you don't want PKCS8 format you can just omit the unnecessary pkcs8 -topk8 command that converts to it. But if you already have a PKCS8 DER key you can convert it back to SEC1 format with either:

    openssl ec -in pkcs8der -inform der -out sec1der -outform der
    openssl pkey -in pkcs8der -inform der -traditional -out sec1der -outform der

(and if you have, or want, PEM, adjust -inform or -outform)

  • Thanks, Dave. As you mentioned, I can generate a similar private key format. Thank you. Commented Jun 28, 2024 at 17:22
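
The structural difference discussed above, as an added example that is not part of the original question or answer and is not code from OpenSSL or signtool: a minimal DER walker that tells the SEC1 (RFC 5915) layout from the PKCS8 wrapper and extracts the private scalar from either. The function names are hypothetical; the sample bytes are the throwaway key published in the question, with the PKCS8 headers and OIDs re-encoded by hand from its asn1parse listing (an assumption).

```python
import base64
# Sample data: the throwaway P-256 key already published in the question.
SEC1_DER = base64.b64decode(
    "MHcCAQEEICTwYkKdcSTmpf+wgxBn58VoK8W13mW3xgxZPvWLyFusoAoGCCqGSM49"
    "AwEHoUQDQgAEroAqSJuYhV3I0vZCPrd1C7OditQ8rab2gAJrcBJbgRzdw8Uu22Mt"
    "DwMmFnkm8Tqh+elfkJDXoNQgA5G7tlnIeQ==")
# PKCS8 DER reassembled from the asn1parse listing: hand-encoded headers
# and OIDs (assumption), followed by the OCTET STRING hex dump as printed.
PKCS8_DER = bytes.fromhex(
    "308187020100301306072A8648CE3D020106082A8648CE3D030107046D"
    "306B020101042024F062429D7124E6A5FFB0831067E7C5682BC5B5DE65B7C60C593EF58BC85BACA14403420004AE802A489B98855DC8D2F6423EB7750BB39D8AD4"
    "3CADA6F680026B70125B811CDDC3C52EDB632D0F0326167926F13AA1F9E95F9090D7A0D4200391BBB659C879")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify(der):
    """Return (format_name, private_scalar_bytes) for an EC private key."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    items = children(body)
    if len(items) < 2 or items[0][0] != 0x02:
        raise ValueError("missing version INTEGER")
    # SEC1: INTEGER 1, then the OCTET STRING holding the scalar itself.
    if items[0][1] == b"\x01" and items[1][0] == 0x04:
        return "SEC1", items[1][1]
    # PKCS8: AlgorithmIdentifier SEQUENCE, then OCTET STRING wrapping SEC1.
    if items[1][0] == 0x30 and len(items) > 2 and items[2][0] == 0x04:
        return "PKCS8", classify(items[2][1])[1]
    raise ValueError("unrecognised private key structure")
```

Running `classify` on a key file before handing it to a signing tool shows which of the two layouts it holds without printing anything but the format name, if the scalar is discarded.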
