ECDSA curves and certificates in 1.0.2X vs 1.1.x

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

ECDSA curves and certificates in 1.0.2X vs 1.1.x

Michael Richardson
The CIRALabs SecureHomeGateway generates an ECDSA key/CSR at manufacturing
time which is enrolled into a CA to form an IDevID certificate.

We are pondering a regression where the generated key goes clearly
prime256v1, and "prime-field".  We are generating with

openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
                -nodes -subj "/CN=${ULA_HOSTNAME}" \
                -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \
                -reqexts SAN \
                -config /tmp/shg.ossl.cnf

Evidence below, and also at: https://gist.github.com/mcr/089fe7206644f417ba213c9dfe093c7a

I thought that maybe we had a build-regression that meant that we went from
1.1.x back to 1.0.x (this is with nic.cz's build of openwrt 18.06), but so
far this does not appear to be the case.   But... it worked before!  I swear.
(so I didn't think about the version that there)

***
  My question is: is there some build options that I can't see that might have
  affected this?  Made it work before.  My impression is that 1.0.x did *not*
  support ECDSA certificates, yet it seemed to generate CSRs, just does not put in the
  right OIDs in the public parts such that it is recognized by others.
***

We happen to include 1.1.1 in a container, and I will probably change things
to use the openssl inside the container to generate the CSR, but I'm rather confused.


1.1.1:
root@turris:/etc/shg# openssl ec -noout -text -in shg.key
read EC key
Private-Key: (256 bit)
priv:
    stuff
pub:
    04:0c:d5:2f:3b:ed:17:ae:dc:50:57:23:60:10:1e:
    e3:61:84:3b:f4:ad:dd:0d:f4:cd:b4:81:f9:45:4c:
    ee:aa:c6:d3:1a:0c:db:5d:4a:ad:fe:26:d7:c9:a8:
    a2:3c:b6:97:4e:f0:bc:10:37:a2:cc:7b:9a:e6:40:
    ea:c3:1d:d9:52
ASN1 OID: prime256v1
NIST CURVE: P-256

With an openssl 1.0.2s or 1.0.2l:

OpenSSL 1.0.2l  25 May 2017
read EC key
Private-Key: (256 bit)
priv:
    stuff
pub:
    04:c5:e6:dc:fc:df:c1:c0:c2:88:c0:b8:c2:dc:d0:
    fa:1c:3a:84:1a:52:66:8c:fb:a1:bf:c9:77:e1:fa:
    41:33:9a:33:2a:a8:73:ff:70:1b:3d:bb:d9:cf:a0:
    bb:9f:78:14:37:3a:f8:55:bc:7a:86:a3:c2:66:ea:
    b8:e9:3d:05:5d
Field Type: prime-field
Prime: ..elided
A:
B:
Generator (uncompressed):
Order:
Cofactor:  1 (0x1)
Seed:

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [

Reply | Threaded
Open this post in threaded view
|

Re: ECDSA curves and certificates in 1.0.2X vs 1.1.x

Viktor Dukhovni
On Tue, Jun 25, 2019 at 10:38:50AM -0400, Michael Richardson wrote:

> openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
>                 -nodes -subj "/CN=${ULA_HOSTNAME}" \
>                 -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \
>                 -reqexts SAN \
>                 -config /tmp/shg.ossl.cnf

This generates a key that has explicit parameters (rather than a named
curve) also in OpenSSL 1.0.2h, for example.  Since you probably want
to use named curves, with 1.0.2 you'll have to generate the key separately,
and explicitly indicate that you want a named curve key.  For that also
include an additional:

        -pkeyopt ec_param_enc:named_curve

option.  This was not on by default in OpenSSL 1.0.2.

> ***
>   My question is: is there some build options that I can't see that might have
>   affected this?  Made it work before.  My impression is that 1.0.x did *not*
>   support ECDSA certificates, yet it seemed to generate CSRs, just does not put in the
>   right OIDs in the public parts such that it is recognized by others.
> ***

OpenSSL 1.0.2 has reasonably complete ECDSA support, but various
aspects of the implementation are better in 1.1.1.

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: ECDSA curves and certificates in 1.0.2X vs 1.1.x

Michael Richardson

Viktor Dukhovni <[hidden email]> wrote:
    > On Tue, Jun 25, 2019 at 10:38:50AM -0400, Michael Richardson wrote:

    >> openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    >> -nodes -subj "/CN=${ULA_HOSTNAME}" \
    >> -keyout ${KEY_NAME}.key -out ${KEY_NAME}.csr -outform DER \
    >> -reqexts SAN \
    >> -config /tmp/shg.ossl.cnf

    > This generates a key that has explicit parameters (rather than a named
    > curve) also in OpenSSL 1.0.2h, for example.  Since you probably want
    > to use named curves, with 1.0.2 you'll have to generate the key separately,
    > and explicitly indicate that you want a named curve key.  For that also
    > include an additional:

    > -pkeyopt ec_param_enc:named_curve

    > option.  This was not on by default in OpenSSL 1.0.2.

Thank you again, this worked great.
(I wonder if we had that before, and it just got lost as we rebuild from source)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     [hidden email]  http://www.sandelman.ca/        |   ruby on rails    [


signature.asc (497 bytes) Download Attachment