EC Digest error

EC Digest error

Lloyd Brown
Hello all,

I'm struggling to get some openssl elliptic curve based file
digest/digital sig work done.  I'm able to generate both ec and rsa keys
without a problem, and am trying to digest a file using the "openssl
dgst" command.  However, I get something like this:

lbrown@dsss:~$ openssl dgst -sha512 -sign ec.key.prime192v2.pem -hex
-out ec.test.sig.hex.sha512 file_to_digest
Error Signing Data
10917:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong
public key type:p_sign.c:103:
lbrown@dsss:~$

The exact same syntax when used with an RSA key works fine.  What am I
doing wrong?  Am I missing something completely obvious?

FYI:
My system:
Dell PowerEdge 1855
-Dual Intel Xeon EM64T, 3.6 GHz processors
-4 GB RAM
-Debian Sarge Linux
    -kernel: Debian stock "2.6.8-11-amd64-generic"
    -OpenSSL 0.9.8a


Thanks,
Lloyd Brown

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: EC Digest error

Dmitry Belyavsky
Greetings!

On Mon, 31 Oct 2005, Lloyd Brown wrote:

> Hello all,
>
> I'm struggling to get some openssl elliptic curve based file digest/digital
> sig work done.  I'm able to generate both ec and rsa keys without a problem,
> and am trying to digest a file using the "openssl dgst" command.  However, I
> get something like this:
>
> lbrown@dsss:~$ openssl dgst -sha512 -sign ec.key.prime192v2.pem -hex -out
> ec.test.sig.hex.sha512 file_to_digest
> Error Signing Data
> 10917:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong public key
> type:p_sign.c:103:
> lbrown@dsss:~$
>
> The exact same syntax when used with an RSA key works fine.  What am I doing
> wrong?  Am I missing something completely obvious?

EC requires SHA1, and SHA512 does not allow EC as key.

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)


Re: EC Digest error

Nils Larsch
Lloyd Brown wrote:

> Hello all,
>
> I'm struggling to get some openssl elliptic curve based file
> digest/digital sig work done.  I'm able to generate both ec and rsa keys
> without a problem, and am trying to digest a file using the "openssl
> dgst" command.  However, I get something like this:
>
> lbrown@dsss:~$ openssl dgst -sha512 -sign ec.key.prime192v2.pem -hex
> -out ec.test.sig.hex.sha512 file_to_digest
> Error Signing Data
> 10917:error:0606B06E:digital envelope routines:EVP_SignFinal:wrong
> public key type:p_sign.c:103:
> lbrown@dsss:~$
>
> The exact same syntax when used with an RSA key works fine.  What am I
> doing wrong?  Am I missing something completely obvious?

Due to the somewhat unfortunate binding between the digest type
and signature algorithms "-sha512" could only be used in combination
with the RSA algorithm (this will hopefully change in a future
version). Furthermore the X9.62 (the ecdsa standard) version on
which this implementation is based allows only SHA-1 (don't know
whether a revised X9.62 version has already been released) => if
you want to create ecdsa signatures with the dgst command you should
try something like:
        openssl dgst -ecdsa-with-SHA1 ...

Cheers,
Nils

Re: EC Digest error

Lloyd Brown
Nils Larsch wrote:

>
> Due to the somewhat unfortunate binding between the digest type
> and signature algorithms "-sha512" could only be used in combination
> with the RSA algorithm (this will hopefully change in a future
> version). Furthermore the X9.62 (the ecdsa standard) version on
> which this implementation is based allows only SHA-1 (don't know
> whether a revised X9.62 version has already been released) => if
> you want to create ecdsa signatures with the dgst command you should
> try something like:
>     openssl dgst -ecdsa-with-SHA1 ...
>
> Cheers,
> Nils
>
>
I appreciate the info, but I'm still getting an error when I use your
syntax to verify (shown below).  Any ideas?  Without delving deeply into
the source, this is becoming very difficult to debug.  Is there some
place where all these functions are documented, or are they generally
left out of the docs since they are so new?

lbrown@dsss:~$ openssl dgst -ecdsa-with-SHA1 -hex -sign
ec.key.prime192v2.pem -out ec.test.sig.hex.sha512 .viminfo
lbrown@dsss:~$ openssl dgst -ecdsa-with-SHA1 -hex -verify
ec.key.prime192v2.pem.pub -signature ec.test.sig.hex.sha512 .viminfo
Error Verifying Data
12313:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
long:asn1_lib.c:142:
12313:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
header:tasn_dec.c:1269:
12313:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:374:Type=ECDSA_SIG
lbrown@dsss:~$

Thanks,
Lloyd Brown


Re: EC Digest error

Nils Larsch
Lloyd Brown wrote:
...

> lbrown@dsss:~$ openssl dgst -ecdsa-with-SHA1 -hex -sign
> ec.key.prime192v2.pem -out ec.test.sig.hex.sha512 .viminfo
> lbrown@dsss:~$ openssl dgst -ecdsa-with-SHA1 -hex -verify
> ec.key.prime192v2.pem.pub -signature ec.test.sig.hex.sha512 .viminfo
> Error Verifying Data
> 12313:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
> long:asn1_lib.c:142:
> 12313:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
> header:tasn_dec.c:1269:
> 12313:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:374:Type=ECDSA_SIG
> lbrown@dsss:~$

Without using the "-hex" option it works for me.

Cheers,
Nils
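
Added example, not written by any poster in this thread: why the "-hex" signature file from the last exchange fails to verify. Verification reads the signature file as a binary DER ECDSA_SIG (a SEQUENCE of two INTEGERs), and a hex dump is ASCII text, so the first byte is not a SEQUENCE tag. The small DER parser, the sample r/s values and the "label(file)= " prefix on the hex file are constructed for illustration and are assumptions, not OpenSSL code or captured output.

```python
import binascii
import re

def _tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("bad object header at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 2 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("too long: length runs past end of data")
    return buf[pos:pos + length], pos + length

def parse_ecdsa_sig(der):
    """Parse ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    body, end = _tlv(der, 0, 0x30)
    r, pos = _tlv(body, 0, 0x02)
    s, pos = _tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing data")
    return int.from_bytes(r, "big"), int.from_bytes(s, "big")

def load_signature(raw):
    """Return binary DER for a signature file that is DER or a hex dump of DER."""
    try:
        parse_ecdsa_sig(raw)
        return raw                        # already binary DER
    except ValueError:
        pass
    text = raw.decode("ascii", "replace").rsplit("= ", 1)[-1]  # drop optional label
    der = binascii.unhexlify(re.sub(r"[\s:]", "", text))       # ValueError if not hex
    parse_ecdsa_sig(der)                  # still has to be a well-formed signature
    return der

def encode_ecdsa_sig(r, s):
    """DER-encode (r, s) for sample-sized values (short-form lengths only)."""
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return b"\x02" + bytes([len(b)]) + b
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample data: 192-bit r and s, not a real signature.
SAMPLE_R, SAMPLE_S = int("a1" * 24, 16), int("5b" * 24, 16)
SAMPLE_DER = encode_ecdsa_sig(SAMPLE_R, SAMPLE_S)
SAMPLE_HEX_FILE = b"ecdsa-with-SHA1(file_to_digest)= " + binascii.hexlify(SAMPLE_DER) + b"\n"
```

Writing the bytes returned by load_signature() to a file gives the binary form that the "-signature" option expects.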